Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 18 Feb 2016 18:19:36 +0100
From:      "O. Hartmann" <ohartman@zedat.fu-berlin.de>
To:        Allan Jude <allanjude@freebsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0?
Message-ID:  <20160218181936.7922f0fb.ohartman@zedat.fu-berlin.de>
In-Reply-To: <56C5E933.8070502@freebsd.org>
References:  <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <56C5E933.8070502@freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
--Sig_/OG_F7+4Tfa3iRE13fpa6cuK
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Am Thu, 18 Feb 2016 10:54:27 -0500
Allan Jude <allanjude@freebsd.org> schrieb:

> On 2016-02-18 10:29, O. Hartmann wrote:
> > On Thu, 18 Feb 2016 14:52:44 +0000
> > RW <rwmaillists@googlemail.com> wrote:
> >  =20
> >> On Thu, 18 Feb 2016 14:16:24 +0100
> >> O. Hartmann wrote:
> >> =20
> >>> Hello out there,
> >>>
> >>> I run into a problem and digging for a solution didn't work out.
> >>>
> >>> Problem: I need a string that reflects the hashed password for the
> >>> usage with=20
> >>>
> >>> passwd -H 0   =20
> >>
> >> Did you mean -h? =20
> >=20
> > no, I literally mean -H 0, I explain later ...
> >  =20
> >> =20
> >>> I think the procedure is using=20
> >>>
> >>> sha512 -s Password
> >>>
> >>> and using this output for further processing, but how?   =20
> >>
> >> It's not as simple as that, password  hashes are usually salted and
> >> iterated. Salting means that the password is combined with a randomly
> >> generated string stored in plaintext, which means that the password
> >> doesn't hash to a fixed string.
> >>
> >> I'm not sure exactly what you are trying to do, but crypt(3) may be of
> >> help. =20
> >=20
> > I'm now down to a small C routine utilizing crypt(3). But this is not w=
hat I
> > intend to have, since I want to use tools from the FBSD base system.
> >=20
> > I build images of a small appliance in a secure isolated environment via
> > NanoBSD. I do not want to have passwords in the clear around here, but =
I also
> > do not want to type in everytime an image is created, so the idea is to=
 have
> > passwords prepared as hashes in a local file/in variables. Therefore, I=
'm
> > inclined to use the option "-H 0" of the pw(1) command to provide an al=
ready
> > and clean hash (SHA512), which is then stored in /etc/master.passwd.
> >=20
> > It is really funny: passwd or pw take passwords via stdin (-h 0 with pw=
) and
> > they "generate" somehow the hashed password and store that in master.pa=
ssword
> > - but I didn't find any way to pipe out the writing of the password to =
the
> > standard output from that piece of software. Why? Security concerns I f=
orgot to
> > consider?
> >=20
> > I found lots of articles and howtos to use pipes producing the required
> > password hashes via passwd, chpasswd or pw, but they all have one probl=
em: I
> > have to provide somehow the cleartext password in an automated environm=
ent.
> >=20
> > Maybe there is something missing ...
> >=20
> > oh
> > _______________________________________________
> > freebsd-current@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-current
> > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.o=
rg"
> >  =20
>=20
> pw is using crypt() to turn the raw password into the password hash you
> see in master.passwd.
>=20
> The sha512 tool cannot do this, as that is 'sha512' (designed to be as
> fast as possible), and what crypt() uses is 'sha512crypt' (designed to
> be purposefully slow, does 5,000 sha512s by default, but is tunable by
> setting rounds=3D10000$ as a prefix to the salt when calling crypt)
>=20
> crypt("mypassword", "$6$rounds=3D10000$usesomesillystri");
>=20
> Results in:
>=20
> $6$rounds=3D10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOA=
b0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0
>=20
> NetBSD has a command for generating hashes on the command line, pwhash(1)
>=20
> I have wanted to bring something like that over for a while, but looking
> at the source for pwhash I decided I'd want to start from scratch.
>=20

Hallo Allen,

thanks for the insight in crypt. I have no information found about crypt()'=
s capability
of using rounds=3Dxxxx - there is a slide-show floating around referring to=
 FBSD 10.x and
claims, that FreeBSD doesn't have this functionality yet. The manpage for c=
rypt(3)
doesn't state anything. It is very hard for me to extract those information=
s from the
docs provided! It would be great, if someone could read about it in the man=
pages - did I
miss something?

And yes, please, start from scratch - I'd like to see something like pwhash=
() in
FreeBSD ;-)

Thank you very much and kind regards,

oh

--Sig_/OG_F7+4Tfa3iRE13fpa6cuK
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWxf0oAAoJEOgBcD7A/5N8goYIAI395lfpSn1UaQQ5ttp77P+S
+2hO9nVhKU5k7q8nwv8gc2PbRNkVLOFNsLIGAyaQpyNhgfdWpN6TyLRMzZRNfCT5
6JEbActMCf/AG6Vs+cCkXtJRRsD/+ZA1YlIZNyHPVQkqKrdjlyzcl724YPFs/hH9
Xc/zX1POn0Kdap1OVszl+fxLzDZwNzkEHmCbmweVarDGT05MVmFpIqx7WTh8ywRT
LgSXSBtwyI3iBIYVRPntN15iBrmOmM616v1trU+8FjbbwnfdJyASmctXk26AkEU3
/iE5H5lNu6yph78cBkhNLtfXvAHqjfoc/+fEzrcV/sNRR3OclXQQtHdnNLtZJ9g=
=3Kkz
-----END PGP SIGNATURE-----

--Sig_/OG_F7+4Tfa3iRE13fpa6cuK--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160218181936.7922f0fb.ohartman>