From owner-freebsd-current@freebsd.org Thu Feb 18 17:19:39 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B19B8AACD19 for ; Thu, 18 Feb 2016 17:19:39 +0000 (UTC) (envelope-from ohartman@zedat.fu-berlin.de) Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 73D9F1935; Thu, 18 Feb 2016 17:19:39 +0000 (UTC) (envelope-from ohartman@zedat.fu-berlin.de) Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.85) with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (envelope-from ) id <1aWSEr-002qnH-QR>; Thu, 18 Feb 2016 18:19:37 +0100 Received: from f052131134.adsl.alicedsl.de ([78.52.131.134] helo=thor.walstatt.dynvpn.de) by inpost2.zedat.fu-berlin.de (Exim 4.85) with esmtpsa (TLSv1.2:AES128-GCM-SHA256:128) (envelope-from ) id <1aWSEr-000AZT-H4>; Thu, 18 Feb 2016 18:19:37 +0100 Date: Thu, 18 Feb 2016 18:19:36 +0100 From: "O. Hartmann" To: Allan Jude Cc: freebsd-current@freebsd.org Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? Message-ID: <20160218181936.7922f0fb.ohartman@zedat.fu-berlin.de> In-Reply-To: <56C5E933.8070502@freebsd.org> References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <56C5E933.8070502@freebsd.org> Organization: FU Berlin X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; amd64-portbld-freebsd11.0) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; boundary="Sig_/OG_F7+4Tfa3iRE13fpa6cuK"; protocol="application/pgp-signature" X-Originating-IP: 78.52.131.134 X-ZEDAT-Hint: A X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Feb 2016 17:19:39 -0000 --Sig_/OG_F7+4Tfa3iRE13fpa6cuK Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Am Thu, 18 Feb 2016 10:54:27 -0500 Allan Jude schrieb: > On 2016-02-18 10:29, O. Hartmann wrote: > > On Thu, 18 Feb 2016 14:52:44 +0000 > > RW wrote: > > =20 > >> On Thu, 18 Feb 2016 14:16:24 +0100 > >> O. Hartmann wrote: > >> =20 > >>> Hello out there, > >>> > >>> I run into a problem and digging for a solution didn't work out. > >>> > >>> Problem: I need a string that reflects the hashed password for the > >>> usage with=20 > >>> > >>> passwd -H 0 =20 > >> > >> Did you mean -h? =20 > >=20 > > no, I literally mean -H 0, I explain later ... > > =20 > >> =20 > >>> I think the procedure is using=20 > >>> > >>> sha512 -s Password > >>> > >>> and using this output for further processing, but how? =20 > >> > >> It's not as simple as that, password hashes are usually salted and > >> iterated. Salting means that the password is combined with a randomly > >> generated string stored in plaintext, which means that the password > >> doesn't hash to a fixed string. > >> > >> I'm not sure exactly what you are trying to do, but crypt(3) may be of > >> help. =20 > >=20 > > I'm now down to a small C routine utilizing crypt(3). But this is not w= hat I > > intend to have, since I want to use tools from the FBSD base system. > >=20 > > I build images of a small appliance in a secure isolated environment via > > NanoBSD. I do not want to have passwords in the clear around here, but = I also > > do not want to type in everytime an image is created, so the idea is to= have > > passwords prepared as hashes in a local file/in variables. Therefore, I= 'm > > inclined to use the option "-H 0" of the pw(1) command to provide an al= ready > > and clean hash (SHA512), which is then stored in /etc/master.passwd. > >=20 > > It is really funny: passwd or pw take passwords via stdin (-h 0 with pw= ) and > > they "generate" somehow the hashed password and store that in master.pa= ssword > > - but I didn't find any way to pipe out the writing of the password to = the > > standard output from that piece of software. Why? Security concerns I f= orgot to > > consider? > >=20 > > I found lots of articles and howtos to use pipes producing the required > > password hashes via passwd, chpasswd or pw, but they all have one probl= em: I > > have to provide somehow the cleartext password in an automated environm= ent. > >=20 > > Maybe there is something missing ... > >=20 > > oh > > _______________________________________________ > > freebsd-current@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-current > > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.o= rg" > > =20 >=20 > pw is using crypt() to turn the raw password into the password hash you > see in master.passwd. >=20 > The sha512 tool cannot do this, as that is 'sha512' (designed to be as > fast as possible), and what crypt() uses is 'sha512crypt' (designed to > be purposefully slow, does 5,000 sha512s by default, but is tunable by > setting rounds=3D10000$ as a prefix to the salt when calling crypt) >=20 > crypt("mypassword", "$6$rounds=3D10000$usesomesillystri"); >=20 > Results in: >=20 > $6$rounds=3D10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOA= b0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0 >=20 > NetBSD has a command for generating hashes on the command line, pwhash(1) >=20 > I have wanted to bring something like that over for a while, but looking > at the source for pwhash I decided I'd want to start from scratch. >=20 Hallo Allen, thanks for the insight in crypt. I have no information found about crypt()'= s capability of using rounds=3Dxxxx - there is a slide-show floating around referring to= FBSD 10.x and claims, that FreeBSD doesn't have this functionality yet. The manpage for c= rypt(3) doesn't state anything. It is very hard for me to extract those information= s from the docs provided! It would be great, if someone could read about it in the man= pages - did I miss something? And yes, please, start from scratch - I'd like to see something like pwhash= () in FreeBSD ;-) Thank you very much and kind regards, oh --Sig_/OG_F7+4Tfa3iRE13fpa6cuK Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJWxf0oAAoJEOgBcD7A/5N8goYIAI395lfpSn1UaQQ5ttp77P+S +2hO9nVhKU5k7q8nwv8gc2PbRNkVLOFNsLIGAyaQpyNhgfdWpN6TyLRMzZRNfCT5 6JEbActMCf/AG6Vs+cCkXtJRRsD/+ZA1YlIZNyHPVQkqKrdjlyzcl724YPFs/hH9 Xc/zX1POn0Kdap1OVszl+fxLzDZwNzkEHmCbmweVarDGT05MVmFpIqx7WTh8ywRT LgSXSBtwyI3iBIYVRPntN15iBrmOmM616v1trU+8FjbbwnfdJyASmctXk26AkEU3 /iE5H5lNu6yph78cBkhNLtfXvAHqjfoc/+fEzrcV/sNRR3OclXQQtHdnNLtZJ9g= =3Kkz -----END PGP SIGNATURE----- --Sig_/OG_F7+4Tfa3iRE13fpa6cuK--