From owner-freebsd-current@freebsd.org Thu Feb 18 17:16:39 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A4483AACB93 for ; Thu, 18 Feb 2016 17:16:39 +0000 (UTC) (envelope-from allanjude@freebsd.org) Received: from mx1.scaleengine.net (mx1.scaleengine.net [209.51.186.6]) by mx1.freebsd.org (Postfix) with ESMTP id 88A9B15BC for ; Thu, 18 Feb 2016 17:16:39 +0000 (UTC) (envelope-from allanjude@freebsd.org) Received: from [192.168.1.10] (unknown [192.168.1.10]) (Authenticated sender: allanjude.freebsd@scaleengine.com) by mx1.scaleengine.net (Postfix) with ESMTPSA id 6993CDAFC for ; Thu, 18 Feb 2016 17:16:33 +0000 (UTC) Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? To: freebsd-current@freebsd.org References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <1455812966.1294.5.camel@freebsd.org> From: Allan Jude Message-ID: <56C5FC6B.7070408@freebsd.org> Date: Thu, 18 Feb 2016 12:16:27 -0500 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <1455812966.1294.5.camel@freebsd.org> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Feb 2016 17:16:39 -0000 On 2016-02-18 11:29, Ian Lepore wrote: > On Thu, 2016-02-18 at 16:29 +0100, O. Hartmann wrote: >> On Thu, 18 Feb 2016 14:52:44 +0000 >> RW wrote: >> >>> On Thu, 18 Feb 2016 14:16:24 +0100 >>> O. Hartmann wrote: >>> >>>> Hello out there, >>>> >>>> I run into a problem and digging for a solution didn't work out. >>>> >>>> Problem: I need a string that reflects the hashed password for the >>>> usage with >>>> >>>> passwd -H 0 >>> >>> Did you mean -h? >> >> no, I literally mean -H 0, I explain later ... >> >>> >>>> I think the procedure is using >>>> >>>> sha512 -s Password >>>> >>>> and using this output for further processing, but how? >>> >>> It's not as simple as that, password hashes are usually salted and >>> iterated. Salting means that the password is combined with a randomly >>> generated string stored in plaintext, which means that the password >>> doesn't hash to a fixed string. >>> >>> I'm not sure exactly what you are trying to do, but crypt(3) may be of >>> help. >> >> I'm now down to a small C routine utilizing crypt(3). But this is not what I >> intend to have, since I want to use tools from the FBSD base system. >> >> I build images of a small appliance in a secure isolated environment via >> NanoBSD. I do not want to have passwords in the clear around here, but I also >> do not want to type in everytime an image is created, so the idea is to have >> passwords prepared as hashes in a local file/in variables. Therefore, I'm >> inclined to use the option "-H 0" of the pw(1) command to provide an already >> and clean hash (SHA512), which is then stored in /etc/master.passwd. >> >> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and >> they "generate" somehow the hashed password and store that in master.password >> - but I didn't find any way to pipe out the writing of the password to the >> standard output from that piece of software. Why? Security concerns I forgot to >> consider? >> >> I found lots of articles and howtos to use pipes producing the required >> password hashes via passwd, chpasswd or pw, but they all have one problem: I >> have to provide somehow the cleartext password in an automated environment. >> >> Maybe there is something missing ... >> >> oh > > We use something like this at work (which I don't fully understand, but > it works on freebsd 6.x through 10.x at least)... > > echo ${password} | openssl passwd -1 -stdin -salt VerySalty | \ > pw -V ${IMAGE_CHROOT_DIR}/etc useradd -n ${username} -H0 $* > > I guess for your use you'd capture and save the output of openssl so > you could later feed it back to pw when making images. > > -- Ian > > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" > `openssl passwd` only seems to support md5crypt -- Allan Jude