From owner-freebsd-current@freebsd.org Thu Feb 18 15:29:18 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 48408AACE7E for ; Thu, 18 Feb 2016 15:29:18 +0000 (UTC) (envelope-from ohartman@zedat.fu-berlin.de) Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0C52394A for ; Thu, 18 Feb 2016 15:29:17 +0000 (UTC) (envelope-from ohartman@zedat.fu-berlin.de) Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.85) with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (envelope-from ) id <1aWQVy-0029bw-1a>; Thu, 18 Feb 2016 16:29:10 +0100 Received: from p578a69f9.dip0.t-ipconnect.de ([87.138.105.249] helo=freyja.zeit4.iv.bundesimmobilien.de) by inpost2.zedat.fu-berlin.de (Exim 4.85) with esmtpsa (TLSv1.2:AES128-GCM-SHA256:128) (envelope-from ) id <1aWQVx-0000TE-N1>; Thu, 18 Feb 2016 16:29:09 +0100 Date: Thu, 18 Feb 2016 16:29:08 +0100 From: "O. Hartmann" To: RW Cc: freebsd-current@freebsd.org Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? Message-ID: <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> In-Reply-To: <20160218145244.0b1e4c94@gumby.homeunix.com> References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> Organization: FU Berlin X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; amd64-portbld-freebsd11.0) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Originating-IP: 87.138.105.249 X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Feb 2016 15:29:18 -0000 On Thu, 18 Feb 2016 14:52:44 +0000 RW wrote: > On Thu, 18 Feb 2016 14:16:24 +0100 > O. Hartmann wrote: > > > Hello out there, > > > > I run into a problem and digging for a solution didn't work out. > > > > Problem: I need a string that reflects the hashed password for the > > usage with > > > > passwd -H 0 > > Did you mean -h? no, I literally mean -H 0, I explain later ... > > > I think the procedure is using > > > > sha512 -s Password > > > > and using this output for further processing, but how? > > It's not as simple as that, password hashes are usually salted and > iterated. Salting means that the password is combined with a randomly > generated string stored in plaintext, which means that the password > doesn't hash to a fixed string. > > I'm not sure exactly what you are trying to do, but crypt(3) may be of > help. I'm now down to a small C routine utilizing crypt(3). But this is not what I intend to have, since I want to use tools from the FBSD base system. I build images of a small appliance in a secure isolated environment via NanoBSD. I do not want to have passwords in the clear around here, but I also do not want to type in everytime an image is created, so the idea is to have passwords prepared as hashes in a local file/in variables. Therefore, I'm inclined to use the option "-H 0" of the pw(1) command to provide an already and clean hash (SHA512), which is then stored in /etc/master.passwd. It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and they "generate" somehow the hashed password and store that in master.password - but I didn't find any way to pipe out the writing of the password to the standard output from that piece of software. Why? Security concerns I forgot to consider? I found lots of articles and howtos to use pipes producing the required password hashes via passwd, chpasswd or pw, but they all have one problem: I have to provide somehow the cleartext password in an automated environment. Maybe there is something missing ... oh