@thirdgen88
Last active May 12, 2023 11:13
Generate a salted hash of a password for use as Ignition GATEWAY_ADMIN_PASSWORD
#!/usr/bin/env bash
set -eo pipefail

# Global variables
# -u upper-cases the value on assignment; the salted-hash pattern needs an upper-case salt
declare -u AUTH_SALT

###############################################################################
# Processes password input and translates to salted hash
###############################################################################
function main() {
  local auth_pwhash auth_pwsalthash auth_password

  # Prompt when stdin is a terminal, otherwise read the password from stdin
  if [[ -t 0 && -z ${password_input+x} ]]; then
    read -rsp "Password: " password_input
    echo
  elif [[ -z ${password_input+x} ]]; then
    password_input=$(</dev/stdin)
  fi

  # Pass through values that are already in "[SALT]<64 hex chars>" form
  if [[ "${password_input}" =~ ^\[[0-9A-F]{8,}][0-9a-f]{64}$ ]]; then
    debug "Password is already hashed"
    auth_password="${password_input}"
  else
    debug "auth_salt is ${AUTH_SALT}"
    auth_pwhash=$(printf %s "${password_input}" | sha256sum - | cut -c -64)
    debug "auth_pwhash is ${auth_pwhash}"
    # Salted hash is SHA-256 over the password followed by the salt
    auth_pwsalthash=$(printf %s "${password_input}${AUTH_SALT}" | sha256sum - | cut -c -64)
    debug "auth_pwsalthash is ${auth_pwsalthash}"
    auth_password="[${AUTH_SALT}]${auth_pwsalthash}"
  fi

  echo "${auth_password}"
}

###############################################################################
# Outputs to stderr
###############################################################################
function debug() {
  # shellcheck disable=SC2236
  if [ ! -z ${verbose+x} ]; then
    >&2 echo "DEBUG: $*"
  fi
}

###############################################################################
# Print usage information
###############################################################################
function usage() {
  >&2 echo "Usage: $0 [-p <string>] [-e <env_var>] [-s <salt method>] [-v] [-h]"
  >&2 echo "  -p <string>       Password to hash"
  >&2 echo "  -e <env_var>      Environment variable containing password to hash"
  >&2 echo "  -s <salt method>  Salt method, either 'timestamp' or 'random' (default)"
  >&2 echo "  -v                Verbose output (prints salt, password hash and salted hash)"
  >&2 echo "  -h                Print this help message"
}

# Argument Processing
while getopts ":hve:p:s:" opt; do
  case "$opt" in
  v)
    verbose=1
    ;;
  p)
    # A password given with -p is visible in the process list and shell
    # history; -e, stdin or the interactive prompt avoid that
    password_input=${OPTARG}
    ;;
  e)
    # Indirect expansion: OPTARG names the variable that holds the password
    password_input=${!OPTARG}
    ;;
  s)
    # Compute AUTH_SALT based on timestamp or random
    case "${OPTARG}" in
    timestamp)
      AUTH_SALT=$(date +%s | sha256sum | head -c 8)
      ;;
    random)
      # no-op, default will be set below
      ;;
    *)
      usage
      echo "Invalid salt method: ${OPTARG}" >&2
      exit 1
      ;;
    esac
    ;;
  h)
    usage
    exit 0
    ;;
  \?)
    usage
    echo "Invalid option: -${OPTARG}" >&2
    exit 1
    ;;
  :)
    usage
    echo "Invalid option: -${OPTARG} requires an argument" >&2
    exit 1
    ;;
  esac
done

# set defaults for unset variables
if [[ -z ${AUTH_SALT+x} ]]; then
  # 4 random bytes rendered as 8 hex characters
  AUTH_SALT=$(od -An -v -t x1 -N 4 /dev/random | tr -d ' ')
fi

# shift positional args based on number consumed by getopts
shift $((OPTIND-1))

# pre-processing done, proceed with main call
main
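To check a candidate password against a value the script has produced, the digest can be recomputed from the salt embedded in the `[SALT]` prefix. The following is an added example, not part of the gist and not Ignition's own verification code; the function names `make_salted_hash` and `verify_salted_hash` are hypothetical, and the sample salt and password are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist. Function names are hypothetical.

# Build "[SALT]<sha256(password + SALT)>" the same way the script above does.
make_salted_hash() (
    salt=$1 password=$2
    digest=$(printf %s "${password}${salt}" | sha256sum | cut -c -64)
    printf '[%s]%s\n' "$salt" "$digest"
)

# Returns 0 on match, 1 on mismatch, 2 if the stored value is malformed.
verify_salted_hash() (
    LC_ALL=C    # keep the [A-F] and [a-f] ranges strictly ASCII
    stored=$1 password=$2
    case $stored in
        \[*\]*) ;;
        *) return 2 ;;
    esac
    salt=${stored#\[}
    salt=${salt%%\]*}
    digest=${stored#*\]}
    # Salt: 8 or more upper-case hex chars; digest: exactly 64 lower-case hex chars.
    case $salt in *[!0-9A-F]*) return 2 ;; esac
    case $digest in *[!0-9a-f]*) return 2 ;; esac
    [ "${#salt}" -ge 8 ] && [ "${#digest}" -eq 64 ] || return 2
    # The salt is hashed exactly as stored (upper-case), appended to the password.
    expected=$(make_salted_hash "$salt" "$password")
    [ "$expected" = "$stored" ] || return 1
)

# Constructed sample values for the demo.
sample=$(make_salted_hash 0A1B2C3D 'example-password')
verify_salted_hash "$sample" 'example-password' && echo "match"
verify_salted_hash "$sample" 'other-password' || echo "no match"
```

A lower-case salt is rejected as malformed rather than normalised, which mirrors the pattern the script uses to detect an already-hashed value.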
@thirdgen88
Author

thirdgen88 commented Jun 29, 2022

@thirdgen88
Author

Minor fix with revision #3 to ensure that salt is always upper-case, otherwise it doesn't match the required pattern for a salted hash within GATEWAY_ADMIN_PASSWORD env var.

@thirdgen88
Author

Revision #6 now adds a new -s salt method flag with the following options:

  • timestamp - the previous usage of timestamp as input to salt
  • random - now reads 8 hexadecimal characters from /dev/random as input to salt

The random option is the new default.

@francescop75

Thanks! :)
