From owner-freebsd-current@freebsd.org  Thu Feb 18 16:29:34 2016
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id BE2D7AAB2B6
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Thu, 18 Feb 2016 16:29:34 +0000 (UTC) (envelope-from ian@freebsd.org)
Received: from pmta2.delivery6.ore.mailhop.org
 (pmta2.delivery6.ore.mailhop.org [54.200.129.228])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A3F99107B
 for <freebsd-current@freebsd.org>; Thu, 18 Feb 2016 16:29:34 +0000 (UTC)
 (envelope-from ian@freebsd.org)
X-MHO-User: fa3d9c8a-d65c-11e5-8de6-958346fd02ba
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 73.34.117.227
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from ilsoft.org (unknown [73.34.117.227])
 by outbound2.ore.mailhop.org (Halon Mail Gateway) with ESMTPSA;
 Thu, 18 Feb 2016 16:30:52 +0000 (UTC)
Received: from rev (rev [172.22.42.240])
 by ilsoft.org (8.15.2/8.14.9) with ESMTP id u1IGTQgV032251;
 Thu, 18 Feb 2016 09:29:26 -0700 (MST) (envelope-from ian@freebsd.org)
Message-ID: <1455812966.1294.5.camel@freebsd.org>
Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd
 -H 0?
From: Ian Lepore <ian@freebsd.org>
To: "O. Hartmann" <ohartman@zedat.fu-berlin.de>, RW
 <rwmaillists@googlemail.com>
Cc: freebsd-current@freebsd.org
Date: Thu, 18 Feb 2016 09:29:26 -0700
In-Reply-To: <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de>
References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de>
 <20160218145244.0b1e4c94@gumby.homeunix.com>
 <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de>
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Evolution 3.16.5 FreeBSD GNOME Team Port 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2016 16:29:34 -0000

On Thu, 2016-02-18 at 16:29 +0100, O. Hartmann wrote:
> On Thu, 18 Feb 2016 14:52:44 +0000
> RW <rwmaillists@googlemail.com> wrote:
> 
> > On Thu, 18 Feb 2016 14:16:24 +0100
> > O. Hartmann wrote:
> > 
> > > Hello out there,
> > > 
> > > I run into a problem and digging for a solution didn't work out.
> > > 
> > > Problem: I need a string that reflects the hashed password for the
> > > usage with 
> > > 
> > > passwd -H 0  
> > 
> > Did you mean -h?
> 
> no, I literally mean -H 0, I explain later ...
> 
> > 
> > > I think the procedure is using 
> > > 
> > > sha512 -s Password
> > > 
> > > and using this output for further processing, but how?  
> > 
> > It's not as simple as that, password  hashes are usually salted and
> > iterated. Salting means that the password is combined with a randomly
> > generated string stored in plaintext, which means that the password
> > doesn't hash to a fixed string.
> > 
> > I'm not sure exactly what you are trying to do, but crypt(3) may be of
> > help.
> 
> I'm now down to a small C routine utilizing crypt(3). But this is not what I
> intend to have, since I want to use tools from the FBSD base system.
> 
> I build images of a small appliance in a secure isolated environment via
> NanoBSD. I do not want to have passwords in the clear around here, but I also
> do not want to type in everytime an image is created, so the idea is to have
> passwords prepared as hashes in a local file/in variables. Therefore, I'm
> inclined to use the option "-H 0" of the pw(1) command to provide an already
> and clean hash (SHA512), which is then stored in /etc/master.passwd.
> 
> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
> they "generate" somehow the hashed password and store that in master.password
> - but I didn't find any way to pipe out the writing of the password to the
> standard output from that piece of software. Why? Security concerns I forgot to
> consider?
> 
> I found lots of articles and howtos to use pipes producing the required
> password hashes via passwd, chpasswd or pw, but they all have one problem: I
> have to provide somehow the cleartext password in an automated environment.
> 
> Maybe there is something missing ...
> 
> oh

We use something like this at work (which I don't fully understand, but
it works on freebsd 6.x through 10.x at least)...

 echo ${password} | openssl passwd -1 -stdin -salt VerySalty | \
   pw -V ${IMAGE_CHROOT_DIR}/etc useradd -n ${username} -H0 $*

I guess for your use you'd capture and save the output of openssl so
you could later feed it back to pw when making images.

-- Ian