Allan Jude <> writes:

> On 2016-02-18 10:29, O. Hartmann wrote:

>> I'm now down to a small C routine utilizing crypt(3). But this is not what I
>> intend to have, since I want to use tools from the FBSD base system.
>> I build images of a small appliance in a secure isolated environment via
>> NanoBSD. I do not want to have passwords in the clear around here, but I also
>> do not want to type in everytime an image is created, so the idea is to have
>> passwords prepared as hashes in a local file/in variables. Therefore, I'm
>> inclined to use the option "-H 0" of the pw(1) command to provide an already
>> and clean hash (SHA512), which is then stored in /etc/master.passwd.
>> It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
>> they "generate" somehow the hashed password and store that in master.password
>> - but I didn't find any way to pipe out the writing of the password to the
>> standard output from that piece of software. Why? Security concerns I forgot 
>> to
>> consider?
>> I found lots of articles and howtos to use pipes producing the required
>> password hashes via passwd, chpasswd or pw, but they all have one problem: I
>> have to provide somehow the cleartext password in an automated environment.
>> Maybe there is something missing ...
>> oh
>> _______________________________________________
> pw is using crypt() to turn the raw password into the password hash you
> see in master.passwd.
> The sha512 tool cannot do this, as that is 'sha512' (designed to be as
> fast as possible), and what crypt() uses is 'sha512crypt' (designed to
> be purposefully slow, does 5,000 sha512s by default, but is tunable by
> setting rounds=10000$ as a prefix to the salt when calling crypt)
> crypt("mypassword", "$6$rounds=10000$usesomesillystri");
> Results in:
> $6$rounds=10000$usesomesillystri$CtNyZlpTyzaFTivUi7CCBYAoRBZXxSz1qnnGOAb0tXB4irc9/ro10S1a3X2JWTNa1tsMZwIprG/H1o3TKOrDt0
> NetBSD has a command for generating hashes on the command line, pwhash(1)
> I have wanted to bring something like that over for a while, but looking
> at the source for pwhash I decided I'd want to start from scratch.

"openssl passwd", maybe?
_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Reply via email to