Generating a crypt_sha256 hash from the CLI

When doing a completely hands-off Solaris installation, the System Configuration profile needs to contain the hash for the root password and for the optional initial non-root user.

Unfortunately Solaris doesn't currently provide a simple-to-use command for generating these hashes, but with a very simple bit of Python you can easily create them:

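#!/usr/bin/python3
# Note: the crypt module was removed from the standard library in Python 3.13.

import crypt, getpass, os, binascii

if __name__ == "__main__":
    cleartext = getpass.getpass()
    # 8 random bytes, base64-encoded, then mapped onto the crypt(3C)
    # salt alphabet [a-zA-Z0-9./]: drop '=' padding, swap '+' for '.'
    rand = binascii.b2a_base64(os.urandom(8)).decode('ascii')
    salt = '$5$' + rand.rstrip('=\n').replace('+', '.') + '$'

    # Prints the full $5$salt$hash string for the profile
    print(crypt.crypt(cleartext, salt))
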
Comments:

Another option:

$ openssl dgst -sha256 test.pl
SHA256(test.pl)= 842ca972dedf55aac6c771040d0e863eeb44fa7307ae110031bab0705be2a91c

Posted by DavidC on February 23, 2013 at 05:05 AM GMT #

DavidC, actually no, those are very different things. The openssl dgst command does a single-pass SHA256 digest; it does not generate a hash compatible with the crypt_sha256 module. The crypt_sha256 crypt(3C) plugin is much more than a single pass of SHA256; it implements this specification: http://www.akkadia.org/drepper/SHA-crypt.txt which is a complex interleaving of 5 different SHA256 digests.

Note also that a simple SHA256 is not secure as a password hash because it is unsalted and thus vulnerable to trivial rainbow table lookup.

Posted by Darren J Moffat on February 25, 2013 at 11:00 AM GMT #

Yes, after reviewing the link you posted I was waaay off base. Learn something new every day. Thanks!

Posted by DavidC on February 26, 2013 at 03:34 AM GMT #

Are you sure the salt passed to crypt.crypt should include the leading '$5$' and trailing '$'??

Posted by Mique on November 05, 2013 at 11:19 PM GMT #

Mique, yes, because this is a crypt(3C) salt; the reason for the $5$ is to ensure we use that hash algorithm. If I was writing this in C code I'd use the Solaris crypt_gensalt() function, which uses the policy.conf(4) settings to determine which hash to select.

Posted by Darren J Moffat on November 11, 2013 at 12:24 PM GMT #
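
Added example (not part of the original post or its comments): a hashlib-only implementation of the $5$ scheme from the SHA-crypt specification linked above, showing how the '$5$salt$' string passed to crypt is parsed and why the result differs from a single SHA-256 digest. The function names are this example's own; it handles the default 5000 rounds only and rejects the specification's "rounds=" option.

```python
# Added illustration; function names are this example's own, not Solaris APIs.
import hashlib

# crypt(3C) base-64 alphabet (not the RFC 4648 one)
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which the final digest is emitted, 3 bytes per 4 characters
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]

def _b64(b2, b1, b0, n):
    w = (b2 << 16) | (b1 << 8) | b0
    return "".join(B64[(w >> (6 * i)) & 0x3f] for i in range(n))

def _fill(digest, length):
    return digest * (length // 32) + digest[:length % 32]

def sha256_crypt(password, setting):
    """Hash `password` with a '$5$salt$' setting string (default 5000 rounds)."""
    if not setting.startswith("$5$") or setting.startswith("$5$rounds="):
        raise ValueError("only '$5$salt$' settings are handled here")
    salt_text = setting[3:].split("$")[0][:16]   # salt ends at '$', max 16 chars
    key, salt = password.encode(), salt_text.encode()

    b = hashlib.sha256(key + salt + key).digest()             # digest B
    a = hashlib.sha256(key + salt + _fill(b, len(key)))       # digest A
    n = len(key)
    while n:                                  # one update per bit of len(key)
        a.update(b if n & 1 else key)
        n >>= 1
    a = a.digest()
    p = _fill(hashlib.sha256(key * len(key)).digest(), len(key))        # P
    s = _fill(hashlib.sha256(salt * (16 + a[0])).digest(), len(salt))   # S

    c = a
    for i in range(5000):                     # the interleaved rounds
        h = hashlib.sha256(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    out = "".join(_b64(c[x], c[y], c[z], 4) for x, y, z in ORDER)
    out += _b64(0, c[31], c[30], 3)
    return "$5$" + salt_text + "$" + out

def plain_sha256(password):
    """What `openssl dgst -sha256` computes: one unsalted pass."""
    return hashlib.sha256(password.encode()).hexdigest()
```

Passing a stored hash back in as the setting reproduces that hash when the password matches, which is how crypt(3C)-style verification works.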
