How to generate SHA512-hashed password?

How can I generate a SHA512-hashed password? openssl seems not to be able to do that.

Code:
$ uname -a
FreeBSD kraken 9.2-RC3 FreeBSD 9.2-RC3 #0 r254795: Sat Aug 24 20:25:04 UTC 2013     root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

$ openssl passwd -help
Usage: passwd [options] [passwords]
where options are
-crypt             standard Unix password algorithm (default)
-1                 MD5-based password algorithm
-apr1              MD5-based password algorithm, Apache variant
-salt string       use provided salt
-in file           read passwords from file
-stdin             read passwords from stdin
-noverify          never verify when reading password from terminal
-quiet             no warnings
-table             format output as table
-reverse           switch table columns
 
flageo said:
How can I generate sha512-hashed password?

openssl seems not to be able to do that.
OpenSSL can't cope; if you check the openssl(1) manual page you'll soon come across this:

Code:
        o  Creation of RSA, DH and DSA key parameters
        o  Creation of X.509 certificates, CSRs and CRLs
So no SHA.

The solution is to use what I'd like to describe as the Unix Swiss Army knife: Perl. Although you should also be able to use other languages such as PHP (assumption on my part), Python or even Java, Perl has the main advantage that it's part of your base system. So every FreeBSD environment has it available. *

What you need is the crypt() function. For a basic explanation see the Perldoc page on crypt() or the perlfunc(1) manual page.

You could use something along the lines of $ perl -e 'print crypt("password", "\$6\$salt");'.

The $6$ in the salt tells Perl to use SHA512. Unfortunately I searched high and low for an explanation on that yet can't find that anywhere. Either way, this is how you could do it.

* (Edit): This is total nonsense; Perl is built using the ports collection. I got confused because I noticed /usr/bin/perl being available without realizing that it's only a symbolic link.

Either way, I still think Perl might be the better approach here since it's commonly available.
 
Pardon two responses in a relatively short time, but I figured I'd better not edit my previous message to avoid confusion.

The crypt() function used above is based on the crypt() function as it's used in C. That's what caused my confusion since I don't really program in C myself, but in cases like these people simply rely on the already available documentation.

As mentioned above, the salt basically defines the algorithm which should be used. I knew about $1$, $2$ and $6$ because I've used those before.

But to get more information on which other strings you could use for different algorithms you simply need to check out the crypt(3) manual page (the modular crypt section).

Hope this can help too.
 
flageo said:
How can I generate a SHA512-hashed password? openssl seems not to be able to do that.

Code:
$ echo "1am-a-v9Ry-str0ng-p433wOrd" | openssl dgst -sha512
d31ee2217eeb2520c4f7fabe767b9d5bd5369532ace717d0827a78008a2a5d5f55f74d32136cc6f5620fec74f08f282d15aa41084f43a91719d8c1695b5e9070
 
Yeah, you have to keep in mind that the passwords generated by crypt(3) are in fact message digests as @rolfheinrich's message shows.
 
Interesting. I did check the dgst(1) manual page but it only mentions the sha and sha1 digests; as such, I assumed it wouldn't allow for anything else.

And so you learn something every day ;)
 
Note, while using SHA-512 is pretty good, it was not designed as a way to secure passwords. You didn't salt your password. Additionally, using something like bcrypt is far better as it was designed to be a password hashing algorithm, not a digesting algorithm.
 
Thank you guys.

The Perl solution works fine for me. What I want to do is to get a hashed password that can be passed to pw(8). Like:
Code:
echo -n '$6$salt$hashedpassword' |\
pw useradd -n vanilla -u 1010 -s /bin/sh -m -d /home/vanilla -G vanilla -c 'vanilla user' -H 0

And the Python version is:
Code:
python -c "import crypt, getpass, pwd; print(crypt.crypt('vanilla','\$6\$SALTsalt\$'))"
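
Added example, not part of any post in this thread: a pure-hashlib Python implementation of the $6$ scheme that crypt(3) applies, written from the published SHA-crypt specification, showing that the result is a salted, 5000-round construction and not the single digest that openssl dgst -sha512 prints. The names sha512_crypt and _stretch are assumptions made for illustration; a random 16-character salt is drawn when none is given.

```python
import hashlib
import secrets

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 5000  # default round count of the SHA-crypt scheme


def _stretch(digest, length):
    """Repeat a 64-byte digest until it is exactly `length` bytes long."""
    return (digest * (length // 64 + 1))[:length]


def sha512_crypt(password, salt=None):
    """Return the $6$ (SHA-512 crypt) string for `password`."""
    if salt is None:  # 16 random characters from the crypt alphabet
        salt = "".join(secrets.choice(B64) for _ in range(16))
    salt = salt[:16]  # the scheme uses at most 16 salt characters
    pw, sl, sha = password.encode(), salt.encode(), hashlib.sha512

    b = sha(pw + sl + pw).digest()
    a = sha(pw + sl + _stretch(b, len(pw)))
    n = len(pw)
    while n:  # one update per bit of the password length, lowest bit first
        a.update(b if n & 1 else pw)
        n >>= 1
    c = a.digest()

    p = _stretch(sha(pw * len(pw)).digest(), len(pw))    # password-derived bytes
    s = _stretch(sha(sl * (16 + c[0])).digest(), len(sl))  # salt-derived bytes
    for i in range(ROUNDS):  # the stretching loop a plain digest lacks
        block = p if i & 1 else c
        if i % 3:
            block += s
        if i % 7:
            block += p
        block += c if i & 1 else p
        c = sha(block).digest()

    out = []
    for i in range(21):  # byte transposition, then 3 bytes -> 4 characters
        t = [i, i + 21, i + 42]
        t = t[i % 3:] + t[:i % 3]
        w = (c[t[0]] << 16) | (c[t[1]] << 8) | c[t[2]]
        out += [B64[(w >> k) & 63] for k in (0, 6, 12, 18)]
    out += [B64[c[63] & 63], B64[c[63] >> 6]]
    return "$6$%s$%s" % (salt, "".join(out))
```

The returned string has the $6$salt$hash shape that the pw useradd ... -H 0 command above reads from standard input.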
 