Date: Thu, 18 Feb 2016 21:41:06 +0100 From: "O. Hartmann" <ohartman@zedat.fu-berlin.de> To: Gary Palmer <gpalmer@freebsd.org> Cc: Ian Lepore <ian@freebsd.org>, RW <rwmaillists@googlemail.com>, freebsd-current@freebsd.org Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? Message-ID: <20160218214106.05de26f4.ohartman@zedat.fu-berlin.de> In-Reply-To: <20160218173752.GC28757@in-addr.com> References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <1455812966.1294.5.camel@freebsd.org> <20160218181122.29b8fae2.ohartman@zedat.fu-berlin.de> <20160218173752.GC28757@in-addr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Sig_/LaI=9lcrup+kZIR31Z9oe1j
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Am Thu, 18 Feb 2016 17:37:52 +0000
Gary Palmer <gpalmer@freebsd.org> schrieb:
> On Thu, Feb 18, 2016 at 06:11:22PM +0100, O. Hartmann wrote:
> > Am Thu, 18 Feb 2016 09:29:26 -0700
> > Ian Lepore <ian@freebsd.org> schrieb:
> > =20
> > > On Thu, 2016-02-18 at 16:29 +0100, O. Hartmann wrote: =20
> > > > On Thu, 18 Feb 2016 14:52:44 +0000
> > > > RW <rwmaillists@googlemail.com> wrote:
> > > > =20
> > > > > On Thu, 18 Feb 2016 14:16:24 +0100
> > > > > O. Hartmann wrote:
> > > > > =20
> > > > > > Hello out there,
> > > > > >=20
> > > > > > I run into a problem and digging for a solution didn't work out.
> > > > > >=20
> > > > > > Problem: I need a string that reflects the hashed password for =
the
> > > > > > usage with=20
> > > > > >=20
> > > > > > passwd -H 0 =20
> > > > >=20
> > > > > Did you mean -h? =20
> > > >=20
> > > > no, I literally mean -H 0, I explain later ...
> > > > =20
> > > > > =20
> > > > > > I think the procedure is using=20
> > > > > >=20
> > > > > > sha512 -s Password
> > > > > >=20
> > > > > > and using this output for further processing, but how? =20
> > > > >=20
> > > > > It's not as simple as that, password hashes are usually salted a=
nd
> > > > > iterated. Salting means that the password is combined with a rand=
omly
> > > > > generated string stored in plaintext, which means that the passwo=
rd
> > > > > doesn't hash to a fixed string.
> > > > >=20
> > > > > I'm not sure exactly what you are trying to do, but crypt(3) may =
be of
> > > > > help. =20
> > > >=20
> > > > I'm now down to a small C routine utilizing crypt(3). But this is n=
ot what I
> > > > intend to have, since I want to use tools from the FBSD base system.
> > > >=20
> > > > I build images of a small appliance in a secure isolated environmen=
t via
> > > > NanoBSD. I do not want to have passwords in the clear around here, =
but I also
> > > > do not want to type in everytime an image is created, so the idea i=
s to have
> > > > passwords prepared as hashes in a local file/in variables. Therefor=
e, I'm
> > > > inclined to use the option "-H 0" of the pw(1) command to provide a=
n already
> > > > and clean hash (SHA512), which is then stored in /etc/master.passwd.
> > > >=20
> > > > It is really funny: passwd or pw take passwords via stdin (-h 0 wit=
h pw) and
> > > > they "generate" somehow the hashed password and store that in maste=
r.password
> > > > - but I didn't find any way to pipe out the writing of the password=
to the
> > > > standard output from that piece of software. Why? Security concerns=
I forgot to
> > > > consider?
> > > >=20
> > > > I found lots of articles and howtos to use pipes producing the requ=
ired
> > > > password hashes via passwd, chpasswd or pw, but they all have one p=
roblem: I
> > > > have to provide somehow the cleartext password in an automated envi=
ronment.
> > > >=20
> > > > Maybe there is something missing ...
> > > >=20
> > > > oh =20
> > >=20
> > > We use something like this at work (which I don't fully understand, b=
ut
> > > it works on freebsd 6.x through 10.x at least)...
> > >=20
> > > echo ${password} | openssl passwd -1 -stdin -salt VerySalty | \
> > > pw -V ${IMAGE_CHROOT_DIR}/etc useradd -n ${username} -H0 $*
> > >=20
> > > I guess for your use you'd capture and save the output of openssl so
> > > you could later feed it back to pw when making images.
> > >=20
> > > -- Ian =20
> >=20
> > The "openssl passwd -1" refers to MD5 hashes, as I understand the manpa=
ge, but I
> > require at least sha256. With this solution suggested, I'd have the pas=
sword still
> > stored in cleartext somewhere - if not read -in via read or similar.
> >=20
> > If you snip off the openssl portion and substitute "-H0" with "-h0", th=
en this is the
> > way I did before - as defined/configured in login.conf (usually in
> > ${IMAGE_CHROOT_DIR}/etc) SHA512 will be used as digest algorithm and th=
e password
> > seems "salted", prepended by the $6$ characters.
> >=20
> > I'd like to have something like
> >=20
> > echo ${password} | openssl passwd -sha512 -stdin -salt VerySalty
> >=20
> > and store the result in a variable somewhere for use with
> >=20
> > echo ${password_salted_sha512_hash} | pw -V ${IMAGE_CHROOT_DIR}/etc use=
rmod -n\
> > ${username} -H 0 =20
>=20
> I presume you want to generate the password manually (to eliminate the
> storage of the cleartext password) and then store the hash in a script
> somewhere to be reused? How often do you need to generate new hashes?
Quite often - weekly and the images are numerous. The problem is that I mad=
e in the
initial phase mistakes - lack of concentration et cetera and several passwo=
rds were then
worng and the images wrecked (CD/DVD).
=20
>=20
> I'm wondering why you can't have a dummy user that you just change the
> password for when you need a new hash and then grab the crypted password
> out of /etc/master.passwd
Well, this idea has also come to my mind - but the efford would be more (sc=
ripts to
extract ...) and, on the other hand, it's quite non-academic! I'd like a cl=
ean solution.
passwd() somehow results in such a hash - but passwd writes its hash into a=
file, no
chance so far to pipe the hash out. As Allen Jude already wrote - OpenBSD d=
oes have the
desired tool and it seems to me that there is need - in security areas, wer=
e OpenBSD has
its domain.
>=20
> Thanks,
>=20
> Gary
--Sig_/LaI=9lcrup+kZIR31Z9oe1j
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWxixjAAoJEOgBcD7A/5N8+8QIALkHuyaodcakRVuDdHeHKMFr
AsFMYtebd3KrmjWPBUJWyTHNhPq5otafIISR3bY4/GY7e8rEvd/kLjjS3XRWl7bW
22g5Bi9LKwvQV98hlnWU5giy6IsgXfXwORlMEWdXVe+xSTrkmU59GcOtMkv+k0gQ
buKE6eQsD0KYRxqmAxJSdnuK5/fI3sUaZt/0AgHJyj1YdKdb5oAoPuWrV9m1ecBq
dfICVxyeHVjl8to9mpu2ggcYJ3kP6X4WlHXuu2n2uTIyb5HHQ5sV1Ek/Hwtc+yVb
16QKFG6jiSvhAXko1+aA4euL0wQuYQelA67ALW7eAq6V11we91zXC7d18/nlh7M=
=DrO8
-----END PGP SIGNATURE-----
--Sig_/LaI=9lcrup+kZIR31Z9oe1j--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160218214106.05de26f4.ohartman>