On 2016-02-18 10:29, O. Hartmann wrote:
> On Thu, 18 Feb 2016 14:52:44 +0000
> RW <rwmailli...@googlemail.com> wrote:
>> On Thu, 18 Feb 2016 14:16:24 +0100
>> O. Hartmann wrote:
>>> Hello out there,
>>> I run into a problem and digging for a solution didn't work out.
>>> Problem: I need a string that reflects the hashed password for the
>>> usage with 
>>> passwd -H 0  
>> Did you mean -h?
> no, I literally mean -H 0, I explain later ...
>>> I think the procedure is using 
>>> sha512 -s Password
>>> and using this output for further processing, but how?  
>> It's not as simple as that, password  hashes are usually salted and
>> iterated. Salting means that the password is combined with a randomly
>> generated string stored in plaintext, which means that the password
>> doesn't hash to a fixed string.
>> I'm not sure exactly what you are trying to do, but crypt(3) may be of
>> help.
> I'm now down to a small C routine utilizing crypt(3). But this is not what I
> intend to have, since I want to use tools from the FBSD base system.
> I build images of a small appliance in a secure isolated environment via
> NanoBSD. I do not want to have passwords in the clear around here, but I also
> do not want to type in everytime an image is created, so the idea is to have
> passwords prepared as hashes in a local file/in variables. Therefore, I'm
> inclined to use the option "-H 0" of the pw(1) command to provide an already
> and clean hash (SHA512), which is then stored in /etc/master.passwd.
> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
> they "generate" somehow the hashed password and store that in master.password
> - but I didn't find any way to pipe out the writing of the password to the
> standard output from that piece of software. Why? Security concerns I forgot 
> to
> consider?
> I found lots of articles and howtos to use pipes producing the required
> password hashes via passwd, chpasswd or pw, but they all have one problem: I
> have to provide somehow the cleartext password in an automated environment.
> Maybe there is something missing ...
> oh
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

pw is using crypt() to turn the raw password into the password hash you
see in master.passwd.

The sha512 tool cannot do this, as that is 'sha512' (designed to be as
fast as possible), and what crypt() uses is 'sha512crypt' (designed to
be purposefully slow, does 5,000 sha512s by default, but is tunable by
setting rounds=10000$ as a prefix to the salt when calling crypt)

crypt("mypassword", "$6$rounds=10000$usesomesillystri");

Results in:


NetBSD has a command for generating hashes on the command line, pwhash(1)

I have wanted to bring something like that over for a while, but looking
at the source for pwhash I decided I'd want to start from scratch.

Allan Jude

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to