Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 18 Feb 2016 18:11:22 +0100
From:      "O. Hartmann" <ohartman@zedat.fu-berlin.de>
To:        Ian Lepore <ian@freebsd.org>
Cc:        RW <rwmaillists@googlemail.com>, freebsd-current@freebsd.org
Subject:   Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0?
Message-ID:  <20160218181122.29b8fae2.ohartman@zedat.fu-berlin.de>
In-Reply-To: <1455812966.1294.5.camel@freebsd.org>
References:  <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <1455812966.1294.5.camel@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
--Sig_//NYOyk_Y3BLQUfXZEhj3wtT
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Am Thu, 18 Feb 2016 09:29:26 -0700
Ian Lepore <ian@freebsd.org> schrieb:

> On Thu, 2016-02-18 at 16:29 +0100, O. Hartmann wrote:
> > On Thu, 18 Feb 2016 14:52:44 +0000
> > RW <rwmaillists@googlemail.com> wrote:
> >  =20
> > > On Thu, 18 Feb 2016 14:16:24 +0100
> > > O. Hartmann wrote:
> > >  =20
> > > > Hello out there,
> > > >=20
> > > > I run into a problem and digging for a solution didn't work out.
> > > >=20
> > > > Problem: I need a string that reflects the hashed password for the
> > > > usage with=20
> > > >=20
> > > > passwd -H 0   =20
> > >=20
> > > Did you mean -h? =20
> >=20
> > no, I literally mean -H 0, I explain later ...
> >  =20
> > >  =20
> > > > I think the procedure is using=20
> > > >=20
> > > > sha512 -s Password
> > > >=20
> > > > and using this output for further processing, but how?   =20
> > >=20
> > > It's not as simple as that, password  hashes are usually salted and
> > > iterated. Salting means that the password is combined with a randomly
> > > generated string stored in plaintext, which means that the password
> > > doesn't hash to a fixed string.
> > >=20
> > > I'm not sure exactly what you are trying to do, but crypt(3) may be of
> > > help. =20
> >=20
> > I'm now down to a small C routine utilizing crypt(3). But this is not w=
hat I
> > intend to have, since I want to use tools from the FBSD base system.
> >=20
> > I build images of a small appliance in a secure isolated environment via
> > NanoBSD. I do not want to have passwords in the clear around here, but =
I also
> > do not want to type in everytime an image is created, so the idea is to=
 have
> > passwords prepared as hashes in a local file/in variables. Therefore, I=
'm
> > inclined to use the option "-H 0" of the pw(1) command to provide an al=
ready
> > and clean hash (SHA512), which is then stored in /etc/master.passwd.
> >=20
> > It is really funny: passwd or pw take passwords via stdin (-h 0 with pw=
) and
> > they "generate" somehow the hashed password and store that in master.pa=
ssword
> > - but I didn't find any way to pipe out the writing of the password to =
the
> > standard output from that piece of software. Why? Security concerns I f=
orgot to
> > consider?
> >=20
> > I found lots of articles and howtos to use pipes producing the required
> > password hashes via passwd, chpasswd or pw, but they all have one probl=
em: I
> > have to provide somehow the cleartext password in an automated environm=
ent.
> >=20
> > Maybe there is something missing ...
> >=20
> > oh =20
>=20
> We use something like this at work (which I don't fully understand, but
> it works on freebsd 6.x through 10.x at least)...
>=20
>  echo ${password} | openssl passwd -1 -stdin -salt VerySalty | \
>    pw -V ${IMAGE_CHROOT_DIR}/etc useradd -n ${username} -H0 $*
>=20
> I guess for your use you'd capture and save the output of openssl so
> you could later feed it back to pw when making images.
>=20
> -- Ian

The "openssl passwd -1" refers to MD5 hashes, as I understand the manpage, =
but I require
at least sha256. With this solution suggested, I'd have the password still =
stored
in cleartext somewhere - if not read -in via read or similar.

If you snip off the openssl portion and substitute "-H0" with "-h0", then t=
his is the way
I did before - as defined/configured in login.conf (usually in
${IMAGE_CHROOT_DIR}/etc) SHA512 will be used as digest algorithm and the pa=
ssword seems
"salted", prepended by the $6$ characters.

I'd like to have something like

echo ${password} | openssl passwd -sha512 -stdin -salt VerySalty

and store the result in a variable somewhere for use with

echo ${password_salted_sha512_hash} | pw -V ${IMAGE_CHROOT_DIR}/etc usermod=
 -n\
${username} -H 0

Thanks,

oh

--Sig_//NYOyk_Y3BLQUfXZEhj3wtT
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWxfs6AAoJEOgBcD7A/5N87XcH/inka3EdCzZZ+bE1eHyBhuAi
8hi77DJlJcamjA8ylQ+nxJMQHFM8pANwQ/jz745MsiPld5vbtHlXI55P8xN+h8gp
ttCqShpZ4AZ6u7wJr2ztKyzn4+o0tGdod01v6Lf8OnC1mHLcJ6dd+MDLpFdvJBK4
T9ZrFMsCAlQkyQ/9uS6nfJVLBb78QJ6PTh9Jj6BB7t/KjOaRBiSTPbhW3mEZueH9
U+EdihBoKi42auiwlaBz8yCkEOc8oS69KZyrZ223ABriXvwHCzxT3lA8t1uqgMZ3
+LavAEA9WXX6mCZsBreVtGPnAF9bheaV3/bRf3oXzbwBDVdaxY3J2kTyu4A6ZXk=
=kriY
-----END PGP SIGNATURE-----

--Sig_//NYOyk_Y3BLQUfXZEhj3wtT--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160218181122.29b8fae2.ohartman>