Using ruby to generate SHA512 crypt-style hashes formatted for /etc/shadow?

大憨熊 提交于 2020-01-12 07:41:19

问题


I want to generate SHA512 hashed passwords for inclusion directly into a /etc/shadow file for use with chef's user resource. Normally I'd go to the stdlib's Digest library for this, but it doesn't generate the hash in the right format:

ruby-1.9.2-p136 :001 > require 'digest/sha2'
 => true 
ruby-1.9.2-p136 :002 > Digest::SHA512.hexdigest('test')
 => "ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff" 

The format that the shadow file wants is:

$6$/ShPQNXV$HJnibH9lw01qtYqyJQiBf81ggJB2BGUvKA7.kv39HGCeE.gD4C/SS9zAf5BrwOv3VJzvl99FpHYli9E8jykRC0

Things I've looked at:

  • The openssl "dgst" module returns the same format as .hexdigest, and its "passwd" module doesn't include SHA512 support.
  • String#crypt, but that does not support SHA512. (edit: this is only the case on OSX - modern Linux distros will work if you specify "$6$somesalt" as the salt)
  • ruby-crypt gem, but it does not support SHA512

For comparison, something that does return the proper format is PHP's crypt, but I'd rather not have to exec out to PHP for something that should be simple.


回答1:


After further research:

  • The mkpasswd command, which on debian is in the whois package (weird):

    mkpasswd -m sha-512

  • String#crypt does actually call the platform's native crypt() call, however OSX (up to 10.6) does not include support for alternate ciphers. "password".crypt('$6$somesalt') will work on Linux platforms.



来源:https://stackoverflow.com/questions/5171487/using-ruby-to-generate-sha512-crypt-style-hashes-formatted-for-etc-shadow

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!