Date: Thu, 18 Feb 2016 11:20:20 -0500 From: Lowell Gilbert <freebsd-current-local@be-well.ilk.org> To: Allan Jude <allanjude@freebsd.org> Cc: freebsd-current@freebsd.org Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? Message-ID: <44d1rugfcr.fsf@be-well.ilk.org> In-Reply-To: <56C5E933.8070502@freebsd.org> (Allan Jude's message of "Thu, 18 Feb 2016 10:54:27 -0500") References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <56C5E933.8070502@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Allan Jude <allanjude@freebsd.org> writes:
> On 2016-02-18 10:29, O. Hartmann wrote:
>> I'm now down to a small C routine utilizing crypt(3). But this is not what I
>> intend to have, since I want to use tools from the FBSD base system.
>>
>> I build images of a small appliance in a secure isolated environment via
>> NanoBSD. I do not want to have passwords in the clear around here, but I also
>> do not want to type in everytime an image is created, so the idea is to have
>> passwords prepared as hashes in a local file/in variables. Therefore, I'm
>> inclined to use the option "-H 0" of the pw(1) command to provide an already
>> and clean hash (SHA512), which is then stored in /etc/master.passwd.
>>
>> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
>> they "generate" somehow the hashed password and store that in master.password
>> - but I didn't find any way to pipe out the writing of the password to the
>> standard output from that piece of software. Why? Security concerns I forgot to
>> consider?
>>
>> I found lots of articles and howtos to use pipes producing the required
>> password hashes via passwd, chpasswd or pw, but they all have one problem: I
>> have to provide somehow the cleartext password in an automated environment.
>>
>> Maybe there is something missing ...
>>
>> oh
>> _______________________________________________
>
> pw is using crypt() to turn the raw password into the password hash you
> see in master.passwd.
>
> The sha512 tool cannot do this, as that is 'sha512' (designed to be as
> fast as possible), and what crypt() uses is 'sha512crypt' (designed to
> be purposefully slow, does 5,000 sha512s by default, but is tunable by
> setting rounds=10000$ as a prefix to the salt when calling crypt)
>
> crypt("mypassword", "$6$rounds=10000$usesomesillystri");
>
> Results in:
>
> $6$rounds=10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0
>
> NetBSD has a command for generating hashes on the command line, pwhash(1)
>
> I have wanted to bring something like that over for a while, but looking
> at the source for pwhash I decided I'd want to start from scratch.
"openssl passwd", maybe?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44d1rugfcr.fsf>