Date: Thu, 18 Feb 2016 18:20:52 +0100 From: "O. Hartmann" <ohartman@zedat.fu-berlin.de> To: Lowell Gilbert <freebsd-current-local@be-well.ilk.org> Cc: Allan Jude <allanjude@freebsd.org>, freebsd-current@freebsd.org Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? Message-ID: <20160218182052.34f0fe46.ohartman@zedat.fu-berlin.de> In-Reply-To: <44d1rugfcr.fsf@be-well.ilk.org> References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <56C5E933.8070502@freebsd.org> <44d1rugfcr.fsf@be-well.ilk.org>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --]
Am Thu, 18 Feb 2016 11:20:20 -0500
Lowell Gilbert <freebsd-current-local@be-well.ilk.org> schrieb:
> Allan Jude <allanjude@freebsd.org> writes:
>
> > On 2016-02-18 10:29, O. Hartmann wrote:
>
> >> I'm now down to a small C routine utilizing crypt(3). But this is not what I
> >> intend to have, since I want to use tools from the FBSD base system.
> >>
> >> I build images of a small appliance in a secure isolated environment via
> >> NanoBSD. I do not want to have passwords in the clear around here, but I also
> >> do not want to type in everytime an image is created, so the idea is to have
> >> passwords prepared as hashes in a local file/in variables. Therefore, I'm
> >> inclined to use the option "-H 0" of the pw(1) command to provide an already
> >> and clean hash (SHA512), which is then stored in /etc/master.passwd.
> >>
> >> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
> >> they "generate" somehow the hashed password and store that in master.password
> >> - but I didn't find any way to pipe out the writing of the password to the
> >> standard output from that piece of software. Why? Security concerns I forgot to
> >> consider?
> >>
> >> I found lots of articles and howtos to use pipes producing the required
> >> password hashes via passwd, chpasswd or pw, but they all have one problem: I
> >> have to provide somehow the cleartext password in an automated environment.
> >>
> >> Maybe there is something missing ...
> >>
> >> oh
> >> _______________________________________________
> >
> > pw is using crypt() to turn the raw password into the password hash you
> > see in master.passwd.
> >
> > The sha512 tool cannot do this, as that is 'sha512' (designed to be as
> > fast as possible), and what crypt() uses is 'sha512crypt' (designed to
> > be purposefully slow, does 5,000 sha512s by default, but is tunable by
> > setting rounds=10000$ as a prefix to the salt when calling crypt)
> >
> > crypt("mypassword", "$6$rounds=10000$usesomesillystri");
> >
> > Results in:
> >
> > $6$rounds=10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0
> >
> > NetBSD has a command for generating hashes on the command line, pwhash(1)
> >
> > I have wanted to bring something like that over for a while, but looking
> > at the source for pwhash I decided I'd want to start from scratch.
>
> "openssl passwd", maybe?
As stated in an earlier response, openssl passwd has only md5 (option -1) and ordinary
crypt (-crypt) as digest, I need something more stronger, at least sha256.
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWxf10AAoJEOgBcD7A/5N8NK0IALKebHn1jxqF8fyZt1LFtD75
kZosU7C2b8Av385+rVA5XL2ddB3/OBOoCALBpixsQhWO0ekR5Beu534eLylBcIpB
0EHPvT//spwQwkmptF6LNfDUVA51q/DCBKMTViZYQDOKJkzsU5eSpjT0DTRRpqP5
HAGLkpqgfwbbBE7DKGZom6eIHix6ed6Ng5ntsJrq10P4AnrBIDL08hBBynxPnJKM
3nsSrNE+4FER+gaYwarVBYHtT8Endbvk9gP6s9XxarfUBHVctOEsi6u8BRyjovUI
Sn0rmxl4bVP3aHqpEhgAWIuIBU1aJ+DrSHJMAEJ1c5xSLEpkm813y4qI42pFlns=
=NeUm
-----END PGP SIGNATURE-----
home |
help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160218182052.34f0fe46.ohartman>