On Thu, 2016-02-18 at 16:29 +0100, O. Hartmann wrote: > On Thu, 18 Feb 2016 14:52:44 +0000 > RW <rwmaillists_at_googlemail.com> wrote: > > > On Thu, 18 Feb 2016 14:16:24 +0100 > > O. Hartmann wrote: > > > > > Hello out there, > > > > > > I run into a problem and digging for a solution didn't work out. > > > > > > Problem: I need a string that reflects the hashed password for the > > > usage with > > > > > > passwd -H 0 > > > > Did you mean -h? > > no, I literally mean -H 0, I explain later ... > > > > > > I think the procedure is using > > > > > > sha512 -s Password > > > > > > and using this output for further processing, but how? > > > > It's not as simple as that, password hashes are usually salted and > > iterated. Salting means that the password is combined with a randomly > > generated string stored in plaintext, which means that the password > > doesn't hash to a fixed string. > > > > I'm not sure exactly what you are trying to do, but crypt(3) may be of > > help. > > I'm now down to a small C routine utilizing crypt(3). But this is not what I > intend to have, since I want to use tools from the FBSD base system. > > I build images of a small appliance in a secure isolated environment via > NanoBSD. I do not want to have passwords in the clear around here, but I also > do not want to type in everytime an image is created, so the idea is to have > passwords prepared as hashes in a local file/in variables. Therefore, I'm > inclined to use the option "-H 0" of the pw(1) command to provide an already > and clean hash (SHA512), which is then stored in /etc/master.passwd. > > It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and > they "generate" somehow the hashed password and store that in master.password > - but I didn't find any way to pipe out the writing of the password to the > standard output from that piece of software. Why? Security concerns I forgot to > consider? > > I found lots of articles and howtos to use pipes producing the required > password hashes via passwd, chpasswd or pw, but they all have one problem: I > have to provide somehow the cleartext password in an automated environment. > > Maybe there is something missing ... > > oh We use something like this at work (which I don't fully understand, but it works on freebsd 6.x through 10.x at least)... echo ${password} | openssl passwd -1 -stdin -salt VerySalty | \ pw -V ${IMAGE_CHROOT_DIR}/etc useradd -n ${username} -H0 $* I guess for your use you'd capture and save the output of openssl so you could later feed it back to pw when making images. -- IanReceived on Thu Feb 18 2016 - 15:29:34 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:02 UTC