Generate a salted hash of a password for use as Ignition GATEWAY_ADMIN_PASSWORD
#!/usr/bin/env bash
# Stop at the first failing command, and count a pipeline as failed when any
# of its stages fails (the hashes below are produced by pipelines).
set -o errexit -o pipefail

# Global variables
# AUTH_SALT has the uppercase attribute: every value assigned to it is
# upper-cased. The salted-hash pattern tested in main ([0-9A-F]{8,}) only
# accepts an upper-case salt.
declare -u AUTH_SALT
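###############################################################################
# Processes password input and translates to salted hash
#
# Globals:
#   password_input  read; filled in here when the caller left it unset
#   AUTH_SALT       read; placed in the "[SALT]" prefix and appended to the
#                   password before hashing
# Input:
#   When password_input is unset: prompts (no echo) if stdin is a terminal,
#   otherwise reads all of stdin.
# Output:
#   stdout  "[SALT]" followed by the SHA-256 hex digest of password+salt, or
#           the input unchanged when it already has that form.
#   stderr  the prompt, and (through debug) the salt, the unsalted SHA-256 of
#           the password and the salted hash.
#
# The result is a single SHA-256 pass over password+salt, which is cheap to
# test guesses against, so treat the printed value like a credential. The
# unsalted digest passed to debug is more sensitive still; keep verbose output
# out of shared logs.
###############################################################################
function main() {
  local auth_pwhash auth_pwsalthash auth_password
  # "[" + upper-case hex salt (8 or more digits) + "]" + 64 lower-case hex digits.
  local -r hashed_pattern='^\[[0-9A-F]{8,}][0-9a-f]{64}$'

  if [[ -z ${password_input+x} ]]; then
    if [[ -t 0 ]]; then
      # IFS= stops read from trimming leading/trailing whitespace, so the hash
      # covers exactly what was typed.
      IFS= read -rsp "Password: " password_input
      # read -p writes the prompt to stderr; finish that line on stderr too so
      # stdout carries nothing but the hash when the output is captured.
      echo >&2
    else
      # $(...) drops trailing newlines, so `echo pw | script` hashes "pw".
      password_input=$(</dev/stdin)
    fi
  fi

  if [[ "${password_input}" =~ ${hashed_pattern} ]]; then
    debug "Password is already hashed"
    auth_password="${password_input}"
  else
    debug "auth_salt is ${AUTH_SALT}"
    # Only used for the debug line below; it is not part of the result.
    auth_pwhash=$(printf %s "${password_input}" | sha256sum - | cut -c -64)
    debug "auth_pwhash is ${auth_pwhash}"
    # cut keeps the 64 hex digits and drops the file-name column of sha256sum.
    auth_pwsalthash=$(printf %s "${password_input}${AUTH_SALT}" | sha256sum - | cut -c -64)
    debug "auth_pwsalthash is ${auth_pwsalthash}"
    auth_password="[${AUTH_SALT}]${auth_pwsalthash}"
  fi

  printf '%s\n' "${auth_password}"
}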
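###############################################################################
# Outputs to stderr
#
# Writes "DEBUG: <arguments>" to stderr when the global `verbose` is set (to
# any value, even an empty one); does nothing otherwise.
# main passes the salt and the password hashes through here, so verbose output
# should not be redirected into shared logs.
###############################################################################
function debug() {
  # ${verbose+x} yields "x" only when verbose is set. [[ ]] does no word
  # splitting, so no quoting or lint suppression is needed.
  if [[ -n ${verbose+x} ]]; then
    printf 'DEBUG: %s\n' "$*" >&2
  fi
}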
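###############################################################################
# Print usage information
#
# Writes the help text to stderr; stdout stays empty so that a caller
# capturing the hash never receives help text.
#
# Note on -p: a password passed as an argument is visible in the process list
# and is usually saved in shell history. The prompt, stdin or -e avoid that.
###############################################################################
function usage() {
  # The synopsis lists -s as well; it is accepted by getopts and described
  # below, so leaving it out made the first line disagree with the rest.
  cat >&2 <<EOF
Usage: $0 [-p <string>] [-e <env_var>] [-s <salt method>] [-v] [-h]
 -p <string> Password to hash
 -e <env_var> Environment variable containing password to hash
 -s <salt method> Salt method, either 'timestamp' or 'random' (default)
 -v Verbose output (prints salt, password hash and salted hash)
 -h Print this help message
EOF
}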
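# Argument Processing
# The leading ":" in the option string selects silent error reporting, so
# unknown options and missing arguments arrive as "?" and ":" below.
while getopts ":hve:p:s:" opt; do
  case "$opt" in
    v)
      verbose=1
      ;;
    p)
      password_input=${OPTARG}
      ;;
    e)
      # Accept only a plain variable name, so the indirect expansion below
      # can do nothing other than look up a variable.
      if [[ ! ${OPTARG} =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
        usage
        echo "Invalid environment variable name: ${OPTARG}" >&2
        exit 1
      fi
      # An unset variable would otherwise expand to "" and the script would
      # silently emit the hash of an empty password.
      if [[ -z ${!OPTARG+x} ]]; then
        usage
        echo "Environment variable ${OPTARG} is not set" >&2
        exit 1
      fi
      password_input=${!OPTARG}
      ;;
    s)
      # Compute AUTH_SALT based on timestamp or random
      case "${OPTARG}" in
        timestamp)
          # First 8 hex digits of the SHA-256 of the current epoch second.
          # Predictable, and identical for runs within the same second; the
          # random default gives better uniqueness.
          AUTH_SALT=$(date +%s | sha256sum | head -c 8)
          ;;
        random)
          # no-op, default will be set below
          ;;
        *)
          usage
          echo "Invalid salt method: ${OPTARG}" >&2
          exit 1
          ;;
      esac
      ;;
    h)
      usage
      exit 0
      ;;
    \?)
      usage
      echo "Invalid option: -${OPTARG}" >&2
      exit 1
      ;;
    :)
      usage
      echo "Invalid option: -${OPTARG} requires an argument" >&2
      exit 1
      ;;
  esac
done

# set defaults for unset variables
if [[ -z ${AUTH_SALT+x} ]]; then
  # 4 bytes read as 8 hex digits; AUTH_SALT's uppercase attribute
  # (declare -u at the top of the file) upper-cases them on assignment.
  # NOTE(review): on older Linux kernels /dev/random can block until entropy
  # is available; /dev/urandom is the usual non-blocking source. Confirm for
  # the target platform.
  AUTH_SALT=$(od -An -v -t x1 -N 4 /dev/random | tr -d ' ')
fi

# shift positional args based on number consumed by getopts
shift $((OPTIND-1))

# pre-processing done, proceed with main call
# (main takes no arguments; remaining positional parameters are not used)
main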
Minor fix with revision #3 to ensure that salt is always upper-case, otherwise it doesn't match the required pattern for a salted hash within GATEWAY_ADMIN_PASSWORD
env var.
Revision #6 now adds a new -s salt method flag with the following options:
- timestamp - the previous usage of timestamp as input to salt
- random - now reads 8 hexadecimal characters from /dev/random as input to salt
The random option is the new default.
Thanks! :)
Usage Demo: https://asciinema.org/a/eSQ47eS2I3qmajGLQPyFPZlxH