Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0?

From: Gary Palmer <gpalmer_at_freebsd.org>
Date: Thu, 18 Feb 2016 17:37:52 +0000
On Thu, Feb 18, 2016 at 06:11:22PM +0100, O. Hartmann wrote:
> Am Thu, 18 Feb 2016 09:29:26 -0700
> Ian Lepore <ian_at_freebsd.org> schrieb:
> 
> > On Thu, 2016-02-18 at 16:29 +0100, O. Hartmann wrote:
> > > On Thu, 18 Feb 2016 14:52:44 +0000
> > > RW <rwmaillists_at_googlemail.com> wrote:
> > >   
> > > > On Thu, 18 Feb 2016 14:16:24 +0100
> > > > O. Hartmann wrote:
> > > >   
> > > > > Hello out there,
> > > > > 
> > > > > I run into a problem and digging for a solution didn't work out.
> > > > > 
> > > > > Problem: I need a string that reflects the hashed password for the
> > > > > usage with 
> > > > > 
> > > > > passwd -H 0    
> > > > 
> > > > Did you mean -h?  
> > > 
> > > no, I literally mean -H 0, I explain later ...
> > >   
> > > >   
> > > > > I think the procedure is using 
> > > > > 
> > > > > sha512 -s Password
> > > > > 
> > > > > and using this output for further processing, but how?    
> > > > 
> > > > It's not as simple as that, password  hashes are usually salted and
> > > > iterated. Salting means that the password is combined with a randomly
> > > > generated string stored in plaintext, which means that the password
> > > > doesn't hash to a fixed string.
> > > > 
> > > > I'm not sure exactly what you are trying to do, but crypt(3) may be of
> > > > help.  
> > > 
> > > I'm now down to a small C routine utilizing crypt(3). But this is not what I
> > > intend to have, since I want to use tools from the FBSD base system.
> > > 
> > > I build images of a small appliance in a secure isolated environment via
> > > NanoBSD. I do not want to have passwords in the clear around here, but I also
> > > do not want to type in everytime an image is created, so the idea is to have
> > > passwords prepared as hashes in a local file/in variables. Therefore, I'm
> > > inclined to use the option "-H 0" of the pw(1) command to provide an already
> > > and clean hash (SHA512), which is then stored in /etc/master.passwd.
> > > 
> > > It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
> > > they "generate" somehow the hashed password and store that in master.password
> > > - but I didn't find any way to pipe out the writing of the password to the
> > > standard output from that piece of software. Why? Security concerns I forgot to
> > > consider?
> > > 
> > > I found lots of articles and howtos to use pipes producing the required
> > > password hashes via passwd, chpasswd or pw, but they all have one problem: I
> > > have to provide somehow the cleartext password in an automated environment.
> > > 
> > > Maybe there is something missing ...
> > > 
> > > oh  
> > 
> > We use something like this at work (which I don't fully understand, but
> > it works on freebsd 6.x through 10.x at least)...
> > 
> >  echo ${password} | openssl passwd -1 -stdin -salt VerySalty | \
> >    pw -V ${IMAGE_CHROOT_DIR}/etc useradd -n ${username} -H0 $*
> > 
> > I guess for your use you'd capture and save the output of openssl so
> > you could later feed it back to pw when making images.
> > 
> > -- Ian
> 
> The "openssl passwd -1" refers to MD5 hashes, as I understand the manpage, but I require
> at least sha256. With this solution suggested, I'd have the password still stored
> in cleartext somewhere - if not read -in via read or similar.
> 
> If you snip off the openssl portion and substitute "-H0" with "-h0", then this is the way
> I did before - as defined/configured in login.conf (usually in
> ${IMAGE_CHROOT_DIR}/etc) SHA512 will be used as digest algorithm and the password seems
> "salted", prepended by the $6$ characters.
> 
> I'd like to have something like
> 
> echo ${password} | openssl passwd -sha512 -stdin -salt VerySalty
> 
> and store the result in a variable somewhere for use with
> 
> echo ${password_salted_sha512_hash} | pw -V ${IMAGE_CHROOT_DIR}/etc usermod -n\
> ${username} -H 0

I presume you want to generate the password manually (to eliminate the
storage of the cleartext password) and then store the hash in a script
somewhere to be reused?  How often do you need to generate new hashes?

I'm wondering why you can't have a dummy user that you just change the
password for when you need a new hash and then grab the crypted password
out of /etc/master.passwd

Thanks,

Gary
Received on Thu Feb 18 2016 - 16:37:54 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:02 UTC