Platform independent way of generating Linux compatible crypt(3) sha512 hashes (`/etc/shadow`). Use on systems where you can't run `mkpasswd -m sha-512` (which, weirdly, gets installed from `sudo apt install whois` on Ubuntu/Debian systems).
We can install Passlib in a virtual environment anywhere we can run Python from, using a small script. So install Python by downloading it or using a package manager (eg `sudo apt-get install python3 python3-virtualenv -y`).
```bash
git clone https://gist.github.com/craig-m-unsw/3668f1efcfdb865556b41065a96019c3 linux-pw-hash
cd linux-pw-hash
```
On MacOS / Linux / WSL create a `setup.sh` with:

```bash
#!/bin/bash
python3 -m venv passlib
source passlib/bin/activate
pip install --require-virtualenv --require-hashes -r requirements.txt
echo foobar123 | python3 mkpasswd.py
```
Then run it:

```bash
chmod +x setup.sh
./setup.sh
```
On Windows we can use `setup.ps1` to create the venv:

```powershell
<#
Name:
setup.ps1
Desc:
setup a venv for passlib
Use:
.\setup.ps1
#>
python -m venv passlib
passlib\scripts\activate.ps1
python -m pip install --upgrade pip
pip install --require-virtualenv --require-hashes -r requirements.txt
echo foobar123 | python .\mkpasswd.py
```
Or type the commands above.
You do not need to provide a salt, the PassLib documentation states:

> Nearly all of the hash classes in passlib.hash which use a salt will automatically generate a salt, and include it as part of the hash that's returned.

This is why the output is different each time. Ways we can run our script:
```text
python3 mkpasswd.py
Password:
$6$rounds=656000$slVpnt4XjeGW98XH$ZcEQxxcNJRoD0HpCWqofQ2XR.wU0o6evxc1pJ3R9zf98X7emqpfJ68yakwiAT0tkGP2oW1niVpBx.vHcN7G78/

echo password | python3 mkpasswd.py
$6$rounds=656000$bh.dCEeuCT9TXeVr$0z.4Wk6/.2vtWrmyLTXhbBdFaPFMe/mOUcs36viVbzOgNueCeG0/TWHW7xPRFQIWOa1WwPd3CpbJfmL.Jsmjm.

PROCESS_TIME=1 python3 mkpasswd.py
Password:
$6$rounds=656000$cCoaCQjvTHDOAW16$RHPP3aRXRhp0BxRZvEVKbH1voWPr7vc88TTVN3WpDRetRhfFi51JiMW90yG8nlNKef288YOwXhI4F0d2hnVFc.
656000 rounds in 0.6795030000000001 seconds of cpu time

ROUNDS=1280000 PROCESS_TIME=1 python3 mkpasswd.py
Password:
$6$rounds=1280000$n7zF1lw7Cif0S4kt$vsczSPD4TF1skIQ3a0EF1YsZcJ19tcv4smOsEAlhOPceVZe9f1Djs7t55Ke55OZAcm7ZP3RLEFh9JTb7btP9Z1
1280000 rounds in 1.3317999999999999 seconds of cpu time
```
Inside a Docker container without network access. First turn on DCT (Docker Content Trust) before downloading the image:

```bash
export DOCKER_CONTENT_TRUST=1
docker build --tag mkpasswd .
docker container run --network none -it mkpasswd
```
If you want to verify that your password and hash match, run the `verifypw.py` script:

```text
python3 verifypw.py
Enter pass:
Enter hash: $6$rounds=1280000$n7zF1lw7Cif0S4kt$vsczSPD4TF1skIQ3a0EF1YsZcJ19tcv4smOsEAlhOPceVZe9f1Djs7t55Ke55OZAcm7ZP3RLEFh9JTb7btP9Z1
[*] try pass: password was correct
[*] try WRONG pass: password and hash do not match
```
From the cloud-init docs on using password hashes we find this:

```yaml
# Please note: while the use of a hashed password is better than
# plain text, the use of this feature is not ideal. Also,
# using a high number of salting rounds will help, but it should
# not be relied upon.
#
# To highlight this risk, running John the Ripper against the
# example hash above, with a readily available wordlist, revealed
# the true password in 12 seconds on a i7-2620QM.
#
# In other words, this feature is a potential security risk and is
# provided for your convenience only. If you do not fully trust the
# medium over which your cloud-config will be transmitted, then you
# should use SSH authentication only.
```
So a password hash must still be securely stored, unlike the public half of an SSH key.
If you want to think about software supply chain security, we have:

- Your operating system vendor (Apple, Microsoft, a Linux distro)
- Docker and Docker Hub
- Python project
- Pip / PyPI
- passlib project authors and hosting
- GitHub
- these six easily auditable text files:
  - 00_README.md
  - Dockerfile
  - requirements.txt
  - mkpasswd.py
  - verifypw.py
  - add-user.sh

- https://www.cyberciti.biz/faq/understanding-etcshadow-file/
- https://gist.github.com/RichardBronosky/58f1b34d2bcf4c4e5f1cd18a88fdc37d
- https://passlib.readthedocs.io/en/stable/narr/hash-tutorial.html
- https://stackoverflow.com/questions/15231661/how-do-i-create-a-user-and-set-a-password-using-ansible/17992126#17992126
- https://en.wikipedia.org/wiki/Crypt_(C)#SHA2-based_scheme
- http://www.csl.mtu.edu/cs3451/www/notes/ch6%20-%20Adding%20new%20users.pdf
- https://wiki.archlinux.org/title/SHA_password_hashes
- https://en.wikipedia.org/wiki/Digital_supply_chain_security