Re: HELP: How to create a passwd-suitable hash for usage with passwd -H 0?

From: O. Hartmann <ohartman_at_zedat.fu-berlin.de>
Date: Thu, 18 Feb 2016 18:19:36 +0100
On Thu, 18 Feb 2016 10:54:27 -0500
Allan Jude <allanjude_at_freebsd.org> wrote:

> On 2016-02-18 10:29, O. Hartmann wrote:
> > On Thu, 18 Feb 2016 14:52:44 +0000
> > RW <rwmaillists_at_googlemail.com> wrote:
> >   
> >> On Thu, 18 Feb 2016 14:16:24 +0100
> >> O. Hartmann wrote:
> >>  
> >>> Hello out there,
> >>>
> >>> I ran into a problem, and digging for a solution didn't work out.
> >>>
> >>> Problem: I need a string that reflects the hashed password for the
> >>> usage with 
> >>>
> >>> passwd -H 0    
> >>
> >> Did you mean -h?  
> > 
> > no, I literally mean -H 0, I explain later ...
> >   
> >>  
> >>> I think the procedure is using 
> >>>
> >>> sha512 -s Password
> >>>
> >>> and using this output for further processing, but how?    
> >>
> >> It's not as simple as that, password  hashes are usually salted and
> >> iterated. Salting means that the password is combined with a randomly
> >> generated string stored in plaintext, which means that the password
> >> doesn't hash to a fixed string.
> >>
> >> I'm not sure exactly what you are trying to do, but crypt(3) may be of
> >> help.  
> > 
> > I'm now down to a small C routine utilizing crypt(3). But this is not what I
> > intend to have, since I want to use tools from the FBSD base system.
> > 
> > I build images of a small appliance in a secure isolated environment via
> > NanoBSD. I do not want to have passwords in the clear around here, but I also
> > do not want to type them in every time an image is created, so the idea is to have
> > passwords prepared as hashes in a local file/in variables. Therefore, I'm
> > inclined to use the option "-H 0" of the pw(1) command to provide an already
> > prepared, clean hash (SHA512), which is then stored in /etc/master.passwd.
> > 
> > It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
> > they somehow "generate" the hashed password and store that in master.passwd
> > - but I didn't find any way to pipe the written password out to the
> > standard output from that piece of software. Why? Security concerns I forgot to
> > consider?
> > 
> > I found lots of articles and howtos to use pipes producing the required
> > password hashes via passwd, chpasswd or pw, but they all have one problem: I
> > have to provide somehow the cleartext password in an automated environment.
> > 
> > Maybe there is something missing ...
> > 
> > oh
> > _______________________________________________
> > freebsd-current_at_freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-current
> > To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
> >   
> 
> pw is using crypt() to turn the raw password into the password hash you
> see in master.passwd.
> 
> The sha512 tool cannot do this, as that is 'sha512' (designed to be as
> fast as possible), and what crypt() uses is 'sha512crypt' (designed to
> be purposefully slow, does 5,000 sha512s by default, but is tunable by
> setting rounds=10000$ as a prefix to the salt when calling crypt)
> 
> crypt("mypassword", "$6$rounds=10000$usesomesillystri");
> 
> Results in:
> 
> $6$rounds=10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0
> 
> NetBSD has a command for generating hashes on the command line, pwhash(1)
> 
> I have wanted to bring something like that over for a while, but looking
> at the source for pwhash I decided I'd want to start from scratch.
> 

Hello Allan,

thanks for the insight into crypt. I have found no information about crypt()'s capability
of using rounds=xxxx - there is a slide show floating around referring to FBSD 10.x that
claims that FreeBSD doesn't have this functionality yet. The manpage for crypt(3)
doesn't state anything. It is very hard for me to extract this information from the
docs provided! It would be great if someone could read about it in the manpages - did I
miss something?

And yes, please, start from scratch - I'd like to see something like pwhash() in
FreeBSD ;-)

Thank you very much and kind regards,

oh

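Allan's crypt() call above, reimplemented as an added example (not FreeBSD's libcrypt or pw(8) code, and not part of the original thread) in pure Python on top of hashlib, so the salt, the "rounds=" prefix and the iteration loop that make sha512crypt differ from plain sha512 are visible. The function names sha512_crypt, verify and _stretch are my own; the input is the "mypassword"/"usesomesillystri" pair from Allan's mail.

```python
import hashlib
import hmac

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _stretch(digest: bytes, n: int) -> bytes:
    """Repeat a 64-byte digest until it covers exactly n bytes."""
    return (digest * (n // 64 + 1))[:n]

def sha512_crypt(password: str, salt: str, rounds=None) -> str:
    """Return the "$6$[rounds=N$]salt$hash" string that crypt(3) produces."""
    pw, sl = password.encode(), salt[:16].encode()  # crypt caps the salt at 16 chars
    n_rounds = 5000 if rounds is None else max(1000, min(rounds, 999_999_999))
    # Digest B binds password and salt; digest A folds B in according to len(pw).
    b = hashlib.sha512(pw + sl + pw).digest()
    a = hashlib.sha512(pw + sl)
    a.update(_stretch(b, len(pw)))
    n = len(pw)
    while n:  # bits of len(pw), low to high: a 1-bit adds B, a 0-bit adds the password
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # P and S are the password and salt re-derived through their own digests.
    p = _stretch(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _stretch(hashlib.sha512(sl * (16 + a[0])).digest(), len(sl))
    c = a
    for i in range(n_rounds):  # the deliberately slow part: one SHA-512 per round
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3: h.update(s)
        if i % 7: h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = []  # crypt's own base64 alphabet, reading digest bytes in a fixed permuted order
    for i in range(21):
        idx = [i, i + 21, i + 42]
        idx = idx[i % 3:] + idx[:i % 3]  # rotate the triple by group number
        w = (c[idx[0]] << 16) | (c[idx[1]] << 8) | c[idx[2]]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    out += [B64[c[63] & 0x3F], B64[c[63] >> 6]]
    prefix = "$6$" + (f"rounds={n_rounds}$" if rounds is not None else "")
    return prefix + salt[:16] + "$" + "".join(out)

def verify(password: str, stored: str) -> bool:
    """Recompute from the salt and rounds embedded in a master.passwd field."""
    parts = stored.split("$")  # ['', '6', ('rounds=N',) salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds = int(parts.pop(2)[7:]) if parts[2].startswith("rounds=") else None
    return hmac.compare_digest(sha512_crypt(password, parts[2], rounds), stored)
```

The salt and round count travel inside the stored string, which is why verify() needs no secret beyond the candidate password; the same string is what pw's -H 0 expects on its input fd.
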
Received on Thu Feb 18 2016 - 16:19:39 UTC