Date: Thu, 18 Feb 2016 18:20:52 +0100 From: "O. Hartmann" <ohartman@zedat.fu-berlin.de> To: Lowell Gilbert <freebsd-current-local@be-well.ilk.org> Cc: Allan Jude <allanjude@freebsd.org>, freebsd-current@freebsd.org Subject: Re: HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0? Message-ID: <20160218182052.34f0fe46.ohartman@zedat.fu-berlin.de> In-Reply-To: <44d1rugfcr.fsf@be-well.ilk.org> References: <20160218141624.5f560f2d@freyja.zeit4.iv.bundesimmobilien.de> <20160218145244.0b1e4c94@gumby.homeunix.com> <20160218162908.4cf16f6b@freyja.zeit4.iv.bundesimmobilien.de> <56C5E933.8070502@freebsd.org> <44d1rugfcr.fsf@be-well.ilk.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--Sig_/sfATciowLfvSPcstOmh3ILC
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Am Thu, 18 Feb 2016 11:20:20 -0500
Lowell Gilbert <freebsd-current-local@be-well.ilk.org> schrieb:
> Allan Jude <allanjude@freebsd.org> writes:
>=20
> > On 2016-02-18 10:29, O. Hartmann wrote: =20
>=20
> >> I'm now down to a small C routine utilizing crypt(3). But this is not =
what I
> >> intend to have, since I want to use tools from the FBSD base system.
> >>=20
> >> I build images of a small appliance in a secure isolated environment v=
ia
> >> NanoBSD. I do not want to have passwords in the clear around here, but=
I also
> >> do not want to type in everytime an image is created, so the idea is t=
o have
> >> passwords prepared as hashes in a local file/in variables. Therefore, =
I'm
> >> inclined to use the option "-H 0" of the pw(1) command to provide an a=
lready
> >> and clean hash (SHA512), which is then stored in /etc/master.passwd.
> >>=20
> >> It is really funny: passwd or pw take passwords via stdin (-h 0 with p=
w) and
> >> they "generate" somehow the hashed password and store that in master.p=
assword
> >> - but I didn't find any way to pipe out the writing of the password to=
the
> >> standard output from that piece of software. Why? Security concerns I =
forgot to
> >> consider?
> >>=20
> >> I found lots of articles and howtos to use pipes producing the required
> >> password hashes via passwd, chpasswd or pw, but they all have one prob=
lem: I
> >> have to provide somehow the cleartext password in an automated environ=
ment.
> >>=20
> >> Maybe there is something missing ...
> >>=20
> >> oh
> >> _______________________________________________ =20
> >
> > pw is using crypt() to turn the raw password into the password hash you
> > see in master.passwd.
> >
> > The sha512 tool cannot do this, as that is 'sha512' (designed to be as
> > fast as possible), and what crypt() uses is 'sha512crypt' (designed to
> > be purposefully slow, does 5,000 sha512s by default, but is tunable by
> > setting rounds=3D10000$ as a prefix to the salt when calling crypt)
> >
> > crypt("mypassword", "$6$rounds=3D10000$usesomesillystri");
> >
> > Results in:
> >
> > $6$rounds=3D10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnG=
OAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0
> >
> > NetBSD has a command for generating hashes on the command line, pwhash(=
1)
> >
> > I have wanted to bring something like that over for a while, but looking
> > at the source for pwhash I decided I'd want to start from scratch. =20
>=20
> "openssl passwd", maybe?
As stated in an earlier response, openssl passwd has only md5 (option -1) =
and ordinary
crypt (-crypt) as digest, I need something more stronger, at least sha256.
--Sig_/sfATciowLfvSPcstOmh3ILC
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWxf10AAoJEOgBcD7A/5N8NK0IALKebHn1jxqF8fyZt1LFtD75
kZosU7C2b8Av385+rVA5XL2ddB3/OBOoCALBpixsQhWO0ekR5Beu534eLylBcIpB
0EHPvT//spwQwkmptF6LNfDUVA51q/DCBKMTViZYQDOKJkzsU5eSpjT0DTRRpqP5
HAGLkpqgfwbbBE7DKGZom6eIHix6ed6Ng5ntsJrq10P4AnrBIDL08hBBynxPnJKM
3nsSrNE+4FER+gaYwarVBYHtT8Endbvk9gP6s9XxarfUBHVctOEsi6u8BRyjovUI
Sn0rmxl4bVP3aHqpEhgAWIuIBU1aJ+DrSHJMAEJ1c5xSLEpkm813y4qI42pFlns=
=NeUm
-----END PGP SIGNATURE-----
--Sig_/sfATciowLfvSPcstOmh3ILC--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160218182052.34f0fe46.ohartman>