Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0?

From: Allan Jude <allanjude_at_freebsd.org>
Date: Thu, 18 Feb 2016 12:16:27 -0500
On 2016-02-18 11:29, Ian Lepore wrote:
> On Thu, 2016-02-18 at 16:29 +0100, O. Hartmann wrote:
>> On Thu, 18 Feb 2016 14:52:44 +0000
>> RW <rwmaillists_at_googlemail.com> wrote:
>>
>>> On Thu, 18 Feb 2016 14:16:24 +0100
>>> O. Hartmann wrote:
>>>
>>>> Hello out there,
>>>>
>>>> I run into a problem and digging for a solution didn't work out.
>>>>
>>>> Problem: I need a string that reflects the hashed password for the
>>>> usage with
>>>>
>>>> passwd -H 0
>>>
>>> Did you mean -h?
>>
>> no, I literally mean -H 0, I explain later ...
>>
>>>
>>>> I think the procedure is using
>>>>
>>>> sha512 -s Password
>>>>
>>>> and using this output for further processing, but how?
>>>
>>> It's not as simple as that, password  hashes are usually salted and
>>> iterated. Salting means that the password is combined with a randomly
>>> generated string stored in plaintext, which means that the password
>>> doesn't hash to a fixed string.
>>>
>>> I'm not sure exactly what you are trying to do, but crypt(3) may be of
>>> help.
>>
>> I'm now down to a small C routine utilizing crypt(3). But this is not what I
>> intend to have, since I want to use tools from the FBSD base system.
>>
>> I build images of a small appliance in a secure isolated environment via
>> NanoBSD. I do not want to have passwords in the clear around here, but I also
>> do not want to type in everytime an image is created, so the idea is to have
>> passwords prepared as hashes in a local file/in variables. Therefore, I'm
>> inclined to use the option "-H 0" of the pw(1) command to provide an already
>> and clean hash (SHA512), which is then stored in /etc/master.passwd.
>>
>> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
>> they "generate" somehow the hashed password and store that in master.password
>> - but I didn't find any way to pipe out the writing of the password to the
>> standard output from that piece of software. Why? Security concerns I forgot to
>> consider?
>>
>> I found lots of articles and howtos to use pipes producing the required
>> password hashes via passwd, chpasswd or pw, but they all have one problem: I
>> have to provide somehow the cleartext password in an automated environment.
>>
>> Maybe there is something missing ...
>>
>> oh
>
> We use something like this at work (which I don't fully understand, but
> it works on freebsd 6.x through 10.x at least)...
>
>   echo ${password} | openssl passwd -1 -stdin -salt VerySalty | \
>     pw -V ${IMAGE_CHROOT_DIR}/etc useradd -n ${username} -H0 $*
>
> I guess for your use you'd capture and save the output of openssl so
> you could later feed it back to pw when making images.
>
> -- Ian
>
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
>

`openssl passwd` only seems to support md5crypt


-- 
Allan Jude
Received on Thu Feb 18 2016 - 16:16:39 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:02 UTC