Am Thu, 18 Feb 2016 11:20:20 -0500 Lowell Gilbert <freebsd-current-local_at_be-well.ilk.org> schrieb: > Allan Jude <allanjude_at_freebsd.org> writes: > > > On 2016-02-18 10:29, O. Hartmann wrote: > > >> I'm now down to a small C routine utilizing crypt(3). But this is not what I > >> intend to have, since I want to use tools from the FBSD base system. > >> > >> I build images of a small appliance in a secure isolated environment via > >> NanoBSD. I do not want to have passwords in the clear around here, but I also > >> do not want to type in everytime an image is created, so the idea is to have > >> passwords prepared as hashes in a local file/in variables. Therefore, I'm > >> inclined to use the option "-H 0" of the pw(1) command to provide an already > >> and clean hash (SHA512), which is then stored in /etc/master.passwd. > >> > >> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and > >> they "generate" somehow the hashed password and store that in master.password > >> - but I didn't find any way to pipe out the writing of the password to the > >> standard output from that piece of software. Why? Security concerns I forgot to > >> consider? > >> > >> I found lots of articles and howtos to use pipes producing the required > >> password hashes via passwd, chpasswd or pw, but they all have one problem: I > >> have to provide somehow the cleartext password in an automated environment. > >> > >> Maybe there is something missing ... > >> > >> oh > >> _______________________________________________ > > > > pw is using crypt() to turn the raw password into the password hash you > > see in master.passwd. > > > > The sha512 tool cannot do this, as that is 'sha512' (designed to be as > > fast as possible), and what crypt() uses is 'sha512crypt' (designed to > > be purposefully slow, does 5,000 sha512s by default, but is tunable by > > setting rounds=10000$ as a prefix to the salt when calling crypt) > > > > crypt("mypassword", "$6$rounds=10000$usesomesillystri"); > > > > Results in: > > > > $6$rounds=10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0 > > > > NetBSD has a command for generating hashes on the command line, pwhash(1) > > > > I have wanted to bring something like that over for a while, but looking > > at the source for pwhash I decided I'd want to start from scratch. > > "openssl passwd", maybe? As stated in an earlier response, openssl passwd has only md5 (option -1) and ordinary crypt (-crypt) as digest, I need something more stronger, at least sha256.
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:02 UTC