@bruienne
Created April 24, 2016 15:52
Create an MDM-compatible PBKDF2 hash and plist for use with AccountConfiguration
#!/usr/bin/python
# Requires passlib and biplist: pip install passlib biplist
from passlib.hash import pbkdf2_sha512
# ab64_decode lives in passlib.utils.binary; the module passlib.util does not exist
from passlib.utils.binary import ab64_decode
from biplist import Data, writePlist
# Checksum size must be 128 bytes for use as OS X password hash!
pbkdf2_sha512.checksum_size = 128
# using(...).hash(...) replaces the deprecated encrypt(rounds=..., salt_size=...) call.
# Result is a modular-crypt string: $pbkdf2-sha512$<rounds>$<salt>$<checksum>
pbkdf2_hash = pbkdf2_sha512.using(rounds=38000, salt_size=32).hash("password")
fields = pbkdf2_hash.split('$')
# Decode the "special" base64 encoding passlib applies and use the raw bytes inside the data keys instead
outerdict = {'SALTED-SHA512-PBKDF2': {'entropy': Data(ab64_decode(fields[4])),
                                      'salt': Data(ab64_decode(fields[3])),
                                      'iterations': int(fields[2])}}
writePlist(outerdict, 'admin.plist')
@jprichards

I had trouble running this as written (in venv) and had to change the imports to this:

from passlib.hash import pbkdf2_sha512
from passlib.utils.binary import ab64_decode
from biplist import *
import biplist

@niteshagarwal23

Is there any equivalent library in .NET for generating the MDM-compatible PBKDF2 hash for use in an AccountConfiguration plist?

@niteshagarwal23

niteshagarwal23 commented Aug 11, 2018

Hi @bruienne,

As per the Apple documentation:

"The passwordHash data objects should be created on the server using the CommonCrypto libraries or equivalent as a salted SHA512 PBKDF2 dictionary containing three items: entropy is the derived key from the password hash (an example is from CCKeyDerivationPBKDF()), salt is the 32 byte randomized salt (from CCRandomCopyBytes()), and iterations contains the number of iterations (from CCCalibratePBKDF()) using a minimum hash time of 100 milliseconds (or if not known, a number in the range 20,000 to 40,000 iterations). This dictionary of the three keys should be placed into an outer dictionary under the key SALTED-SHA512-PBKDF2 and converted to binary data before being set into the configuration dictionary passwordHash key value."

Do we need to convert the SALTED-SHA512-PBKDF2 dictionary as created above into binary format, or do we need to pass the dict directly?
<key>passwordHash</key>
<dict>
    <key>SALTED-SHA512-PBKDF2</key>
    <dict>
        <key>entropy</key>
        <data>[PBKDF2 key derivation of a supplied password]</data>
        <key>salt</key>
        <data>[32 byte randomized salt]</data>
        <key>iterations</key>
        <integer>38000</integer>
    </dict>
</dict>

OR

<key>passwordHash</key>
<data>[SALTED-SHA512-PBKDF2 dict in binary format]</data>
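The structure the quoted Apple documentation describes, as an added example that is not part of the gist or of the comments above: it uses only the Python 3 standard library (hashlib, plistlib) in place of passlib/biplist, serialises the outer dictionary to a binary plist, and adds a verification step a server would run against the stored blob. The function names (make_password_hash, password_hash_blob, verify_password) and the fixed-salt parameter are this example's own; the 128-byte derived key and 38000 iterations follow the gist.

```python
# Added example (not bruienne's gist code): build the SALTED-SHA512-PBKDF2
# structure the quoted Apple documentation describes with only the Python 3
# standard library, and verify a candidate password against the stored blob.
import hashlib
import hmac
import os
import plistlib

DERIVED_KEY_LEN = 128       # bytes; matches the checksum_size the gist sets
SALT_LEN = 32               # bytes; the documentation asks for a 32-byte salt
DEFAULT_ITERATIONS = 38000  # inside the documented 20,000-40,000 range


def make_password_hash(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return the inner SALTED-SHA512-PBKDF2 dictionary for `password`.
    `salt` is a parameter only so tests can be deterministic; leave it None
    in real use so a fresh random salt comes from os.urandom()."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  salt, iterations, dklen=DERIVED_KEY_LEN)
    return {"SALTED-SHA512-PBKDF2": {"entropy": entropy, "salt": salt,
                                     "iterations": iterations}}


def password_hash_blob(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Serialise the outer dictionary as a binary plist: per the quoted docs,
    these bytes are what goes under the AccountConfiguration passwordHash key."""
    return plistlib.dumps(make_password_hash(password, iterations, salt),
                          fmt=plistlib.FMT_BINARY)


def verify_password(blob, candidate):
    """Recompute PBKDF2 from the stored salt and iteration count and compare
    in constant time, so a wrong guess learns nothing from timing."""
    inner = plistlib.loads(blob)["SALTED-SHA512-PBKDF2"]
    derived = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"),
                                  inner["salt"], inner["iterations"],
                                  dklen=len(inner["entropy"]))
    return hmac.compare_digest(derived, inner["entropy"])


if __name__ == "__main__":
    blob = password_hash_blob("password")
    with open("admin.plist", "wb") as fh:  # same output file name as the gist
        fh.write(blob)
    print(verify_password(blob, "password"), verify_password(blob, "wrong"))
```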
