HELP: Howtwo create a passwd-suitable hash for usage with psswd -H 0?

O. Hartmann ohartman at zedat.fu-berlin.de
Thu Feb 18 15:29:18 UTC 2016 

On Thu, 18 Feb 2016 14:52:44 +0000
RW <rwmaillists at googlemail.com> wrote:

> On Thu, 18 Feb 2016 14:16:24 +0100
> O. Hartmann wrote:
> 
> > Hello out there,
> > 
> > I run into a problem and digging for a solution didn't work out.
> > 
> > Problem: I need a string that reflects the hashed password for the
> > usage with 
> > 
> > passwd -H 0  
> 
> Did you mean -h?

no, I literally mean -H 0, I explain later ...

> 
> > I think the procedure is using 
> > 
> > sha512 -s Password
> > 
> > and using this output for further processing, but how?  
> 
> It's not as simple as that, password  hashes are usually salted and
> iterated. Salting means that the password is combined with a randomly
> generated string stored in plaintext, which means that the password
> doesn't hash to a fixed string.
> 
> I'm not sure exactly what you are trying to do, but crypt(3) may be of
> help.

I'm now down to a small C routine utilizing crypt(3). But this is not what I
intend to have, since I want to use tools from the FBSD base system.

I build images of a small appliance in a secure isolated environment via
NanoBSD. I do not want to have passwords in the clear around here, but I also
do not want to type in everytime an image is created, so the idea is to have
passwords prepared as hashes in a local file/in variables. Therefore, I'm
inclined to use the option "-H 0" of the pw(1) command to provide an already
and clean hash (SHA512), which is then stored in /etc/master.passwd.

It is really funny: passwd or pw take passwords via stdin (-h 0 with pw) and
they "generate" somehow the hashed password and store that in master.password
- but I didn't find any way to pipe out the writing of the password to the
standard output from that piece of software. Why? Security concerns I forgot to
consider?

I found lots of articles and howtos to use pipes producing the required
password hashes via passwd, chpasswd or pw, but they all have one problem: I
have to provide somehow the cleartext password in an automated environment.

Maybe there is something missing ...

oh

More information about the freebsd-current mailing list