
Re: using {CRYPT} for rootpw, using SHA512?



On 14 August 2014 21:05, Brian Reichert <reichert@numachi.com> wrote:

>   # python -c 'import crypt; print crypt.crypt("test", "$6$random_salt")'
>   $6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8fAfT4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10
>
> and tried to embed this rootpw in my config file;
>
>   rootpw {CRYPT}$6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8fAfT4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10
>
> I would get bind errors.

How do you encode your random salt? The SHA-512 password hash as used in
the glibc crypt() implementation requires the salt to be a random string
of up to 16 characters drawn from the set [a-zA-Z0-9./]. I'm using
something like this to generate the salt (and hope for the best):

# python code
import random
import string
from passlib.hash import sha512_crypt  # on Linux systems it just uses crypt.crypt()

# draw from the OS random source instead of the default Mersenne Twister
_rng = random.SystemRandom()

def randomized_string(size=16, chars=string.ascii_letters + string.digits + string.punctuation):
    # string.printable produces more than we can eat, unfortunately
    return ''.join(_rng.choice(chars) for x in range(size))

def make_pass(passwd=None):
    # generate password using crypt()'s SHA-512 method, randomized salt and
    # randomized number of rounds.
    if passwd is None:
        passwd = randomized_string(32)
    # crypt()'s SHA-512 salt alphabet is exactly [a-zA-Z0-9./], at most 16 chars
    salt = randomized_string(16, './' + string.ascii_letters + string.digits)
    iterations = _rng.randint(40000, 80000)
    # passlib >= 1.7 API; older releases used sha512_crypt.encrypt(passwd, salt=..., rounds=...)
    return '{CRYPT}' + sha512_crypt.using(salt=salt, rounds=iterations).hash(passwd)

Works quite well with our LDAP boxes.

Best regards,
– Miroslaw Baran
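Not from the thread: an added, standard-library-only Python helper that generates a salt from exactly the alphabet described in the reply and lints a {CRYPT}$6$ rootpw value against the same constraints before it goes into slapd.conf. The 86-character digest length and the 1000..999999999 rounds range are taken from the SHA-crypt specification rather than from the thread, and the salt check flags, for instance, the underscore in the quoted random_salt.

```python
import secrets
import string

# Salt alphabet and limits for glibc's SHA-512 crypt() (SHA-crypt spec, not from the thread).
SALT_CHARS = string.ascii_letters + string.digits + "./"
MAX_SALT_LEN = 16
HASH_LEN = 86                        # length of the encoded SHA-512 digest
MIN_ROUNDS, MAX_ROUNDS = 1000, 999999999

def make_salt(length=MAX_SALT_LEN):
    """Random salt drawn only from SALT_CHARS, via the OS CSPRNG."""
    if not 1 <= length <= MAX_SALT_LEN:
        raise ValueError("salt length must be 1..%d" % MAX_SALT_LEN)
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))

def make_setting(rounds=None, salt=None):
    """Build the '$6$[rounds=N$]salt' setting string handed to crypt() or passlib."""
    if rounds is not None and not MIN_ROUNDS <= rounds <= MAX_ROUNDS:
        raise ValueError("rounds must be %d..%d" % (MIN_ROUNDS, MAX_ROUNDS))
    salt = make_salt() if salt is None else salt
    return ("$6$" if rounds is None else "$6$rounds=%d$" % rounds) + salt

def check_crypt_rootpw(value):
    """Return None if value is a well-formed '{CRYPT}$6$...' rootpw, else the reason."""
    if not value.startswith("{CRYPT}"):
        return "missing {CRYPT} scheme prefix"
    fields = value[len("{CRYPT}"):].split("$")
    # '$6$[rounds=N$]salt$hash' splits into ['', '6', ('rounds=N',) salt, hash]
    if len(fields) < 4 or fields[0] != "" or fields[1] != "6":
        return "not a $6$ (SHA-512 crypt) string"
    rest = fields[2:]
    if rest[0].startswith("rounds="):
        digits = rest[0][len("rounds="):]
        if not digits.isdecimal() or not MIN_ROUNDS <= int(digits) <= MAX_ROUNDS:
            return "rounds= must be an integer in %d..%d" % (MIN_ROUNDS, MAX_ROUNDS)
        rest = rest[1:]
    if len(rest) != 2:
        return "expected exactly salt and hash fields (stray '$'?)"
    salt, digest = rest
    if not 1 <= len(salt) <= MAX_SALT_LEN:
        return "salt must be 1..%d characters" % MAX_SALT_LEN
    bad = sorted(set(salt) - set(SALT_CHARS))
    if bad:
        return "salt has characters outside [a-zA-Z0-9./]: %r" % bad
    if len(digest) != HASH_LEN or set(digest) - set(SALT_CHARS):
        return "hash must be %d characters from the same alphabet" % HASH_LEN
    return None
```

Run check_crypt_rootpw() over each rootpw line before restarting slapd; a non-None result names the field that violates the format.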