Checksum for directories

Checksums are calculated for files. Calculating the checksum for a directory requires recursively calculating the checksums for all the files in the directory.

The md5deep or sha1deep commands traverse a file tree and calculate checksums for all files. These programs may not be installed on your system. Use apt-get or yum to install the md5deep package. An example of this command is as follows:

$ md5deep -rl directory_path > directory.md5

The -r option allows md5deep to recurse into sub-directories. The -l option enables displaying the relative path, instead of the default absolute path.

# -r to enable recursive traversal
# -l to use relative path. By default it writes absolute file path in output

The find and md5sum commands can be used to calculate checksums recursively:

$ find directory_path -type f -print0 | xargs -0 md5sum > directory.md5

To verify, use this command:

$ md5sum -c directory.md5
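
The same find-and-verify procedure using sha512sum, as an added example that is not from the original text. The -c check only looks at files named in the manifest, so this version also reports files added afterwards. The function names make_manifest, verify_manifest and demo are made up for this example, and it assumes GNU coreutils and findutils and file names without newlines.

```bash
#!/usr/bin/env bash
# Added example (assumes GNU coreutils/findutils, file names without newlines).
# Keep the manifest OUTSIDE the tree it describes, or it will list itself.

# make_manifest DIR OUT: SHA-512 of every regular file under DIR, using
# relative paths in a fixed sort order so the manifest is reproducible.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha512sum ) > "$2"
}

# verify_manifest DIR MANIFEST: returns 0 only when every listed file matches
# AND no file exists that the manifest does not list.
verify_manifest() {
    local dir="$1" manifest="$2" rc=0 tmp added
    tmp=$(mktemp -d) || return 2
    # Modified or missing files make "sha512sum -c" exit non-zero.
    ( cd "$dir" && sha512sum -c --quiet ) < "$manifest" || rc=1
    # "-c" only looks at listed names, so compare the name lists as well.
    sed 's/^[0-9a-f]\{128\} [ *]//' "$manifest" | LC_ALL=C sort > "$tmp/listed"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$tmp/current"
    added=$(LC_ALL=C comm -13 "$tmp/listed" "$tmp/current")
    rm -rf "$tmp"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/UNLISTED: /'
        rc=1
    fi
    return "$rc"
}

# Constructed demo tree: verify it clean, then modify one file and add one.
demo() {
    local work; work=$(mktemp -d) || return 2
    mkdir -p "$work/tree/sub"
    echo alpha > "$work/tree/a.txt"
    echo beta > "$work/tree/sub/b.txt"
    make_manifest "$work/tree" "$work/tree.sha512"
    verify_manifest "$work/tree" "$work/tree.sha512" && echo "clean tree: OK"
    echo changed > "$work/tree/sub/b.txt"   # modified file
    echo new > "$work/tree/c.txt"           # file the manifest never listed
    verify_manifest "$work/tree" "$work/tree.sha512" || echo "changed tree: rejected"
    rm -rf "$work"
}
demo
```
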
  • MD5 and SHA-1 are one-way hash algorithms: a checksum cannot be reversed to recover the original data. They are also used to generate a unique key from given data:
        $ md5sum file
        8503063d5488c3080d4800ff50850dc9  file
        $ sha1sum file
        1ba02b66e2e557fede8f61b7df282cd0a27b816b  file

These hashes are commonly used to store passwords. Only the hash of a password is stored. When a user needs to be authenticated, the password is read and converted to a hash, and that hash is compared to the stored hash. If they are the same, the password is authenticated and access is provided. Storing plain-text password strings poses a security risk.

Although commonly used, md5sum and SHA-1 are no longer considered secure, because the rise in computing power in recent times makes them easier to crack. It is recommended that you use tools such as bcrypt or sha512sum instead. Read more about this at http://codahale.com/how-to-safely-store-a-password/.
  • Shadow-like hash (salted hash)

  The next recipe shows how to generate a shadow-like salted hash for passwords. The hash for user passwords in Linux is stored in the /etc/shadow file. A typical line in /etc/shadow will look like this:

test:$6$fG4eWdUi$ohTKOlEUzNk77.4S8MrYe07NTRV4M3LrJnZP9p.qc1bR5c.EcOruzPXfEu1uloBFUa18ENRH7F70zhodas3cR.:14790:0:99999:7:::

The string $6$fG4eWdUi$ohTKOlEUzNk77.4S8MrYe07NTRV4M3LrJnZP9p.qc1bR5c.EcOruzPXfEu1uloBFUa18ENRH7F70zhodas3cR. (the second colon-separated field, including its trailing dot) is the hash corresponding to its password.

In some situations, we need to write scripts to edit passwords or add users. In that case, we must generate a shadow password string and write a similar line to the preceding one to the shadow file. We can generate a shadow password using openssl.

Shadow passwords are usually salted passwords. A salt is an extra string used to obfuscate the password and make the hash stronger. The salt consists of random bits that are used as one of the inputs to a key derivation function that generates the salted hash for the password.

For more details on salt, refer to this Wikipedia page at http://en.wikipedia.org/wiki/Salt_(cryptography).

$ openssl passwd -1 -salt SALT_STRING PASSWORD
$1$SALT_STRING$323VkWkSLHuhbt1zkSsUG.

Replace SALT_STRING with a random string and PASSWORD with the password you want to use.