Generate a salted hash of password for as Ignition GATEWAY_ADMIN_PASSWORD

generate-gw-password-hash.sh

#!/usr/bin/env bash
set -eo pipefail

# Global variables
declare -u AUTH_SALT

###############################################################################
# Processes password input and translates to salted hash
###############################################################################
function main() {
  local auth_pwhash auth_pwsalthash auth_password

  if [[ -t 0 && -z ${password_input+x} ]]; then
    read -rsp "Password: " password_input
    echo
  elif [[ -z ${password_input+x} ]]; then
    password_input=$(</dev/stdin)
  fi
  
  if [[ "${password_input}" =~ ^\[[0-9A-F]{8,}][0-9a-f]{64}$ ]]; then
    debug "Password is already hashed"
    auth_password="${password_input}"
  else
    debug "auth_salt is ${AUTH_SALT}"
    auth_pwhash=$(printf %s "${password_input}" | sha256sum - | cut -c -64)
    debug "auth_pwhash is ${auth_pwhash}"
    auth_pwsalthash=$(printf %s "${password_input}${AUTH_SALT}" | sha256sum - | cut -c -64)
    debug "auth_pwsalthash is ${auth_pwsalthash}"
    auth_password="[${AUTH_SALT}]${auth_pwsalthash}"
  fi

  echo "${auth_password}"
}

###############################################################################
# Outputs to stderr
###############################################################################
function debug() {
  # shellcheck disable=SC2236
  if [ ! -z ${verbose+x} ]; then
    >&2 echo "DEBUG: $*"
  fi
}

###############################################################################
# Print usage information
###############################################################################
function usage() {
  >&2 echo "Usage: $0 [-p <string>] [-e <env_var>] [-v] [-h]"
  >&2 echo "  -p <string>       Password to hash"
  >&2 echo "  -e <env_var>      Environment variable containing password to hash"
  >&2 echo "  -s <salt method>  Salt method, either 'timestamp' or 'random' (default)"
  >&2 echo "  -v                Verbose output (prints salt, password hash and salted hash)"
  >&2 echo "  -h                Print this help message"
}

# Argument Processing
while getopts ":hve:p:s:" opt; do
  case "$opt" in
  v)
    verbose=1
    ;;
  p)
    password_input=${OPTARG}
    ;;
  e)
    password_input=${!OPTARG}
    ;;
  s)
    # Compute AUTH_SALT based on timestamp or random
    case "${OPTARG}" in
      timestamp)
        AUTH_SALT=$(date +%s | sha256sum | head -c 8)
        ;;
      random)
        # no-op, default will be set below
        ;;
      *)
        usage
        echo "Invalid salt method: ${OPTARG}" >&2
        exit 1
        ;;
    esac
    ;;
  h)
    usage
    exit 0
    ;;
  \?)
    usage
    echo "Invalid option: -${OPTARG}" >&2
    exit 1
    ;;
  :)
    usage
    echo "Invalid option: -${OPTARG} requires an argument" >&2
    exit 1
    ;;
  esac
done

# set defaults for unset variables
if [[ -z ${AUTH_SALT+x} ]]; then
  AUTH_SALT=$(od -An -v -t x1 -N 4 /dev/random | tr -d ' ')
fi

# shift positional args based on number consumed by getopts
shift $((OPTIND-1))

# pre-processing done, proceed with main call
main

Minor fix with revision #3 to ensure that salt is always upper-case, otherwise it doesn't match the required pattern for a salted hash within GATEWAY_ADMIN_PASSWORD env var.

Revision #6 now adds a new -s salt method flag with the following options:

• timestamp - the previous usage of timestamp as input to salt
• random - now reads 8 hexadecimal characters from /dev/random as input to salt

The random option is the new default.

Thanks! :)