From owner-freebsd-current@freebsd.org Thu Feb 18 17:20:55 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 47E9EAACDC5 for ; Thu, 18 Feb 2016 17:20:55 +0000 (UTC) (envelope-from ohartman@zedat.fu-berlin.de) Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 064B61A9B; Thu, 18 Feb 2016 17:20:54 +0000 (UTC) (envelope-from ohartman@zedat.fu-berlin.de) Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.85) with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (envelope-from ) id <1aWSG5-002r9h-C3>; Thu, 18 Feb 2016 18:20:53 +0100 Received: from f052131134.adsl.alicedsl.de ([78.52.131.134] helo=thor.walstatt.dynvpn.de) by inpost2.zedat.fu-berlin.de (Exim 4.85) with esmtpsa (TLSv1.2:AES128-GCM-SHA256:128) (envelope-from ) id <1aWSG5-000AfP-1C>; Thu, 18 Feb 2016 18:20:53 +0100 Date: Thu, 18 Feb 2016 18:20:52 +0100 From: "O. Hartmann" To: Lowell Gilbert Cc: Allan Jude , freebsd-current@freebsd.org Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? Message-ID: <20160218182052.34f0fe46.ohartman@zedat.fu-berlin.de> In-Reply-To: <44d1rugfcr.fsf@be-well.ilk.org> References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <56C5E933.8070502@freebsd.org> <44d1rugfcr.fsf@be-well.ilk.org> Organization: FU Berlin X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; amd64-portbld-freebsd11.0) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; boundary="Sig_/sfATciowLfvSPcstOmh3ILC"; protocol="application/pgp-signature" X-Originating-IP: 78.52.131.134 X-ZEDAT-Hint: A X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Feb 2016 17:20:55 -0000 --Sig_/sfATciowLfvSPcstOmh3ILC Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Am Thu, 18 Feb 2016 11:20:20 -0500 Lowell Gilbert schrieb: > Allan Jude writes: >=20 > > On 2016-02-18 10:29, O. Hartmann wrote: =20 >=20 > >> I'm now down to a small C routine utilizing crypt(3). But this is not = what I > >> intend to have, since I want to use tools from the FBSD base system. > >>=20 > >> I build images of a small appliance in a secure isolated environment v= ia > >> NanoBSD. I do not want to have passwords in the clear around here, but= I also > >> do not want to type in everytime an image is created, so the idea is t= o have > >> passwords prepared as hashes in a local file/in variables. Therefore, = I'm > >> inclined to use the option "-H 0" of the pw(1) command to provide an a= lready > >> and clean hash (SHA512), which is then stored in /etc/master.passwd. > >>=20 > >> It is really funny: passwd or pw take passwords via stdin (-h 0 with p= w) and > >> they "generate" somehow the hashed password and store that in master.p= assword > >> - but I didn't find any way to pipe out the writing of the password to= the > >> standard output from that piece of software. Why? Security concerns I = forgot to > >> consider? > >>=20 > >> I found lots of articles and howtos to use pipes producing the required > >> password hashes via passwd, chpasswd or pw, but they all have one prob= lem: I > >> have to provide somehow the cleartext password in an automated environ= ment. > >>=20 > >> Maybe there is something missing ... > >>=20 > >> oh > >> _______________________________________________ =20 > > > > pw is using crypt() to turn the raw password into the password hash you > > see in master.passwd. > > > > The sha512 tool cannot do this, as that is 'sha512' (designed to be as > > fast as possible), and what crypt() uses is 'sha512crypt' (designed to > > be purposefully slow, does 5,000 sha512s by default, but is tunable by > > setting rounds=3D10000$ as a prefix to the salt when calling crypt) > > > > crypt("mypassword", "$6$rounds=3D10000$usesomesillystri"); > > > > Results in: > > > > $6$rounds=3D10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnG= OAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0 > > > > NetBSD has a command for generating hashes on the command line, pwhash(= 1) > > > > I have wanted to bring something like that over for a while, but looking > > at the source for pwhash I decided I'd want to start from scratch. =20 >=20 > "openssl passwd", maybe? As stated in an earlier response, openssl passwd has only md5 (option -1) = and ordinary crypt (-crypt) as digest, I need something more stronger, at least sha256. --Sig_/sfATciowLfvSPcstOmh3ILC Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJWxf10AAoJEOgBcD7A/5N8NK0IALKebHn1jxqF8fyZt1LFtD75 kZosU7C2b8Av385+rVA5XL2ddB3/OBOoCALBpixsQhWO0ekR5Beu534eLylBcIpB 0EHPvT//spwQwkmptF6LNfDUVA51q/DCBKMTViZYQDOKJkzsU5eSpjT0DTRRpqP5 HAGLkpqgfwbbBE7DKGZom6eIHix6ed6Ng5ntsJrq10P4AnrBIDL08hBBynxPnJKM 3nsSrNE+4FER+gaYwarVBYHtT8Endbvk9gP6s9XxarfUBHVctOEsi6u8BRyjovUI Sn0rmxl4bVP3aHqpEhgAWIuIBU1aJ+DrSHJMAEJ1c5xSLEpkm813y4qI42pFlns= =NeUm -----END PGP SIGNATURE----- --Sig_/sfATciowLfvSPcstOmh3ILC--