Allan Jude <allanjude_at_freebsd.org> writes: > On 2016-02-18 10:29, O. Hartmann wrote: >> I'm now down to a small C routine utilizing crypt(3). But this is not what I >> intend to have, since I want to use tools from the FBSD base system. >> >> I build images of a small appliance in a secure isolated environment via >> NanoBSD. I do not want to have passwords in the clear around here, but I also >> do not want to type in everytime an image is created, so the idea is to have >> passwords prepared as hashes in a local file/in variables. Therefore, I'm >> inclined to use the option "-H 0" of the pw(1) command to provide an already >> and clean hash (SHA512), which is then stored in /etc/master.passwd. >> >> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and >> they "generate" somehow the hashed password and store that in master.password >> - but I didn't find any way to pipe out the writing of the password to the >> standard output from that piece of software. Why? Security concerns I forgot to >> consider? >> >> I found lots of articles and howtos to use pipes producing the required >> password hashes via passwd, chpasswd or pw, but they all have one problem: I >> have to provide somehow the cleartext password in an automated environment. >> >> Maybe there is something missing ... >> >> oh >> _______________________________________________ > > pw is using crypt() to turn the raw password into the password hash you > see in master.passwd. > > The sha512 tool cannot do this, as that is 'sha512' (designed to be as > fast as possible), and what crypt() uses is 'sha512crypt' (designed to > be purposefully slow, does 5,000 sha512s by default, but is tunable by > setting rounds=10000$ as a prefix to the salt when calling crypt) > > crypt("mypassword", "$6$rounds=10000$usesomesillystri"); > > Results in: > > $6$rounds=10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0 > > NetBSD has a command for generating hashes on the command line, pwhash(1) > > I have wanted to bring something like that over for a while, but looking > at the source for pwhash I decided I'd want to start from scratch. "openssl passwd", maybe?Received on Thu Feb 18 2016 - 15:20:26 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:02 UTC