From owner-freebsd-current@freebsd.org Thu Feb 18 17:37:54 2016 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E7D67AAD6FF for ; Thu, 18 Feb 2016 17:37:54 +0000 (UTC) (envelope-from gpalmer@freebsd.org) Received: from mail.in-addr.com (mail.in-addr.com [IPv6:2a01:4f8:191:61e8::2525:2525]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AF6B5BB8; Thu, 18 Feb 2016 17:37:54 +0000 (UTC) (envelope-from gpalmer@freebsd.org) Received: from gjp by mail.in-addr.com with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1aWSWW-0001Wc-Im; Thu, 18 Feb 2016 17:37:52 +0000 Date: Thu, 18 Feb 2016 17:37:52 +0000 From: Gary Palmer To: "O. Hartmann" Cc: Ian Lepore , RW , freebsd-current@freebsd.org Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? Message-ID: <20160218173752.GC28757@in-addr.com> References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <1455812966.1294.5.camel@freebsd.org> <20160218181122.29b8fae2.ohartman@zedat.fu-berlin.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160218181122.29b8fae2.ohartman@zedat.fu-berlin.de> X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: gpalmer@freebsd.org X-SA-Exim-Scanned: No (on mail.in-addr.com); SAEximRunCond expanded to false X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Feb 2016 17:37:55 -0000 On Thu, Feb 18, 2016 at 06:11:22PM +0100, O. Hartmann wrote: > Am Thu, 18 Feb 2016 09:29:26 -0700 > Ian Lepore schrieb: > > > On Thu, 2016-02-18 at 16:29 +0100, O. Hartmann wrote: > > > On Thu, 18 Feb 2016 14:52:44 +0000 > > > RW wrote: > > > > > > > On Thu, 18 Feb 2016 14:16:24 +0100 > > > > O. Hartmann wrote: > > > > > > > > > Hello out there, > > > > > > > > > > I run into a problem and digging for a solution didn't work out. > > > > > > > > > > Problem: I need a string that reflects the hashed password for the > > > > > usage with > > > > > > > > > > passwd -H 0 > > > > > > > > Did you mean -h? > > > > > > no, I literally mean -H 0, I explain later ... > > > > > > > > > > > > I think the procedure is using > > > > > > > > > > sha512 -s Password > > > > > > > > > > and using this output for further processing, but how? > > > > > > > > It's not as simple as that, password hashes are usually salted and > > > > iterated. Salting means that the password is combined with a randomly > > > > generated string stored in plaintext, which means that the password > > > > doesn't hash to a fixed string. > > > > > > > > I'm not sure exactly what you are trying to do, but crypt(3) may be of > > > > help. > > > > > > I'm now down to a small C routine utilizing crypt(3). But this is not what I > > > intend to have, since I want to use tools from the FBSD base system. > > > > > > I build images of a small appliance in a secure isolated environment via > > > NanoBSD. I do not want to have passwords in the clear around here, but I also > > > do not want to type in everytime an image is created, so the idea is to have > > > passwords prepared as hashes in a local file/in variables. Therefore, I'm > > > inclined to use the option "-H 0" of the pw(1) command to provide an already > > > and clean hash (SHA512), which is then stored in /etc/master.passwd. > > > > > > It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and > > > they "generate" somehow the hashed password and store that in master.password > > > - but I didn't find any way to pipe out the writing of the password to the > > > standard output from that piece of software. Why? Security concerns I forgot to > > > consider? > > > > > > I found lots of articles and howtos to use pipes producing the required > > > password hashes via passwd, chpasswd or pw, but they all have one problem: I > > > have to provide somehow the cleartext password in an automated environment. > > > > > > Maybe there is something missing ... > > > > > > oh > > > > We use something like this at work (which I don't fully understand, but > > it works on freebsd 6.x through 10.x at least)... > > > > echo ${password} | openssl passwd -1 -stdin -salt VerySalty | \ > > pw -V ${IMAGE_CHROOT_DIR}/etc useradd -n ${username} -H0 $* > > > > I guess for your use you'd capture and save the output of openssl so > > you could later feed it back to pw when making images. > > > > -- Ian > > The "openssl passwd -1" refers to MD5 hashes, as I understand the manpage, but I require > at least sha256. With this solution suggested, I'd have the password still stored > in cleartext somewhere - if not read -in via read or similar. > > If you snip off the openssl portion and substitute "-H0" with "-h0", then this is the way > I did before - as defined/configured in login.conf (usually in > ${IMAGE_CHROOT_DIR}/etc) SHA512 will be used as digest algorithm and the password seems > "salted", prepended by the $6$ characters. > > I'd like to have something like > > echo ${password} | openssl passwd -sha512 -stdin -salt VerySalty > > and store the result in a variable somewhere for use with > > echo ${password_salted_sha512_hash} | pw -V ${IMAGE_CHROOT_DIR}/etc usermod -n\ > ${username} -H 0 I presume you want to generate the password manually (to eliminate the storage of the cleartext password) and then store the hash in a script somewhere to be reused? How often do you need to generate new hashes? I'm wondering why you can't have a dummy user that you just change the password for when you need a new hash and then grab the crypted password out of /etc/master.passwd Thanks, Gary