Date:      Thu, 18 Feb 2016 10:54:27 -0500
From:      Allan Jude <allanjude@freebsd.org>
To:        freebsd-current@freebsd.org
Subject:   Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0?
Message-ID:  <56C5E933.8070502@freebsd.org>
In-Reply-To: <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de>
References:  <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de>

On 2016-02-18 10:29, O. Hartmann wrote:
> On Thu, 18 Feb 2016 14:52:44 +0000
> RW <rwmaillists@googlemail.com> wrote:
>
>> On Thu, 18 Feb 2016 14:16:24 +0100
>> O. Hartmann wrote:
>>
>>> Hello out there,
>>>
>>> I run into a problem and digging for a solution didn't work out.
>>>
>>> Problem: I need a string that reflects the hashed password for the
>>> usage with
>>>
>>> passwd -H 0
>>
>> Did you mean -h?
>
> no, I literally mean -H 0, I explain later ...
>
>>
>>> I think the procedure is using
>>>
>>> sha512 -s Password
>>>
>>> and using this output for further processing, but how?
>>
>> It's not as simple as that, password hashes are usually salted and
>> iterated. Salting means that the password is combined with a randomly
>> generated string stored in plaintext, which means that the password
>> doesn't hash to a fixed string.
>>
>> I'm not sure exactly what you are trying to do, but crypt(3) may be of
>> help.
>
> I'm now down to a small C routine utilizing crypt(3). But this is not what I
> intend to have, since I want to use tools from the FBSD base system.
>
> I build images of a small appliance in a secure isolated environment via
> NanoBSD. I do not want to have passwords in the clear around here, but I also
> do not want to type in every time an image is created, so the idea is to have
> passwords prepared as hashes in a local file/in variables. Therefore, I'm
> inclined to use the option "-H 0" of the pw(1) command to provide an already
> and clean hash (SHA512), which is then stored in /etc/master.passwd.
>
> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
> they "generate" somehow the hashed password and store that in master.password
> - but I didn't find any way to pipe out the writing of the password to the
> standard output from that piece of software. Why? Security concerns I forgot to
> consider?
>
> I found lots of articles and howtos to use pipes producing the required
> password hashes via passwd, chpasswd or pw, but they all have one problem: I
> have to provide somehow the cleartext password in an automated environment.
>
> Maybe there is something missing ...
>
> oh

pw is using crypt() to turn the raw password into the password hash you
see in master.passwd.

The sha512 tool cannot do this, as that is 'sha512' (designed to be as
fast as possible), and what crypt() uses is 'sha512crypt' (designed to
be purposefully slow, does 5,000 sha512s by default, but is tunable by
setting rounds=10000$ as a prefix to the salt when calling crypt)

crypt("mypassword", "$6$rounds=10000$usesomesillystri");

Results in:

$6$rounds=10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0

NetBSD has a command for generating hashes on the command line, pwhash(1)

I have wanted to bring something like that over for a while, but looking
at the source for pwhash I decided I'd want to start from scratch.

-- 
Allan Jude
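
Added example (not part of the original message, and not FreeBSD's crypt(3) code): the sha512crypt scheme described above, written in Python on top of hashlib following the published SHA-crypt specification, so that a string for pw -H 0 can be produced once on a trusted machine and only the hash kept with the NanoBSD build. The names sha512crypt, fill and emit are this example's own; the setting argument has the same '$6$[rounds=N$]salt' form as in the crypt() call above.

```python
from hashlib import sha512

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha512crypt(password, setting):
    """Return the crypt(3) '$6$' hash; setting is '$6$[rounds=N$]salt'."""
    fields = setting.split("$")            # ['', '6', optional 'rounds=N', salt]
    if fields[:2] != ["", "6"] or len(fields) < 3:
        raise ValueError("setting must start with $6$")
    rounds, prefix = 5000, "$6$"           # default cost when no rounds= is given
    if fields[2].startswith("rounds="):
        rounds = min(max(int(fields[2][7:]), 1000), 999999999)
        prefix += f"rounds={rounds}$"
        del fields[2]
    salt = fields[2][:16] if len(fields) > 2 else ""   # at most 16 salt characters
    pw, s = password.encode(), salt.encode()

    def fill(digest, n):                   # repeat a 64-byte digest out to n bytes
        return digest * (n // 64) + digest[:n % 64]
    b = sha512(pw + s + pw).digest()
    a = pw + s + fill(b, len(pw))
    n = len(pw)
    while n:                               # one block per bit of the password length
        a += b if n & 1 else pw
        n >>= 1
    a = sha512(a).digest()
    p = fill(sha512(pw * len(pw)).digest(), len(pw))
    q = fill(sha512(s * (16 + a[0])).digest(), len(s))
    c = a
    for r in range(rounds):                # the deliberately slow loop
        d = p if r & 1 else c
        if r % 3:
            d += q
        if r % 7:
            d += p
        d += c if r & 1 else p
        c = sha512(d).digest()

    out = []
    def emit(value, count):                # crypt's base64: low 6 bits first
        for _ in range(count):
            out.append(B64[value & 63])
            value >>= 6
    for k in range(21):                    # byte triples in the scheme's fixed order
        t = [k, k + 21, k + 42]
        x, y, z = t[k % 3:] + t[:k % 3]
        emit(c[x] << 16 | c[y] << 8 | c[z], 4)
    emit(c[63], 2)
    return prefix + salt + "$" + "".join(out)
```

Salts longer than 16 characters are cut to 16, and a rounds= value outside 1000..999999999 is clamped and written back into the output prefix.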

