From owner-freebsd-current@freebsd.org Thu Feb 18 16:20:26 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 774FAAAAD9A for ; Thu, 18 Feb 2016 16:20:26 +0000 (UTC) (envelope-from freebsd-current-local@be-well.ilk.org) Received: from be-well.ilk.org (be-well.ilk.org [23.30.133.173]) by mx1.freebsd.org (Postfix) with ESMTP id 56B17ABF; Thu, 18 Feb 2016 16:20:26 +0000 (UTC) (envelope-from freebsd-current-local@be-well.ilk.org) Received: by be-well.ilk.org (Postfix, from userid 1147) id 5F9FC33C25; Thu, 18 Feb 2016 11:20:20 -0500 (EST) From: Lowell Gilbert To: Allan Jude Cc: freebsd-current@freebsd.org Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <56C5E933.8070502@freebsd.org> Date: Thu, 18 Feb 2016 11:20:20 -0500 In-Reply-To: <56C5E933.8070502@freebsd.org> (Allan Jude's message of "Thu, 18 Feb 2016 10:54:27 -0500") Message-ID: <44d1rugfcr.fsf@be-well.ilk.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Feb 2016 16:20:26 -0000 Allan Jude writes: > On 2016-02-18 10:29, O. Hartmann wrote: >> I'm now down to a small C routine utilizing crypt(3). But this is not what I >> intend to have, since I want to use tools from the FBSD base system. >> >> I build images of a small appliance in a secure isolated environment via >> NanoBSD. I do not want to have passwords in the clear around here, but I also >> do not want to type in everytime an image is created, so the idea is to have >> passwords prepared as hashes in a local file/in variables. Therefore, I'm >> inclined to use the option "-H 0" of the pw(1) command to provide an already >> and clean hash (SHA512), which is then stored in /etc/master.passwd. >> >> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and >> they "generate" somehow the hashed password and store that in master.password >> - but I didn't find any way to pipe out the writing of the password to the >> standard output from that piece of software. Why? Security concerns I forgot to >> consider? >> >> I found lots of articles and howtos to use pipes producing the required >> password hashes via passwd, chpasswd or pw, but they all have one problem: I >> have to provide somehow the cleartext password in an automated environment. >> >> Maybe there is something missing ... >> >> oh >> _______________________________________________ > > pw is using crypt() to turn the raw password into the password hash you > see in master.passwd. > > The sha512 tool cannot do this, as that is 'sha512' (designed to be as > fast as possible), and what crypt() uses is 'sha512crypt' (designed to > be purposefully slow, does 5,000 sha512s by default, but is tunable by > setting rounds=10000$ as a prefix to the salt when calling crypt) > > crypt("mypassword", "$6$rounds=10000$usesomesillystri"); > > Results in: > > $6$rounds=10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0 > > NetBSD has a command for generating hashes on the command line, pwhash(1) > > I have wanted to bring something like that over for a while, but looking > at the source for pwhash I decided I'd want to start from scratch. "openssl passwd", maybe?