From d15e0fa262d4a3b519a167084f6eed8a96dfbcf4 Mon Sep 17 00:00:00 2001 From: provos Date: Tue, 1 Oct 2002 20:48:58 +0000 Subject: [PATCH] password hashing utility that allows des, md5 or bcrypt passwords to be created in scripts; tool originally from downsj@openbsd.org; approved by perry. --- usr.bin/passwd/pwd_gensalt.c | 8 +- usr.bin/pwhash/Makefile | 15 +++ usr.bin/pwhash/pwhash.1 | 90 ++++++++++++++ usr.bin/pwhash/pwhash.c | 234 +++++++++++++++++++++++++++++++++++ 4 files changed, 343 insertions(+), 4 deletions(-) create mode 100644 usr.bin/pwhash/Makefile create mode 100644 usr.bin/pwhash/pwhash.1 create mode 100644 usr.bin/pwhash/pwhash.c diff --git a/usr.bin/passwd/pwd_gensalt.c b/usr.bin/passwd/pwd_gensalt.c index 8231ef0b03d8..5249d089b484 100644 --- a/usr.bin/passwd/pwd_gensalt.c +++ b/usr.bin/passwd/pwd_gensalt.c @@ -1,4 +1,4 @@ -/* $NetBSD: pwd_gensalt.c,v 1.7 2002/05/28 11:19:17 itojun Exp $ */ +/* $NetBSD: pwd_gensalt.c,v 1.8 2002/10/01 20:48:58 provos Exp $ */ /* * Copyright 1997 Niels Provos @@ -34,7 +34,7 @@ #include #ifndef lint -__RCSID("$NetBSD: pwd_gensalt.c,v 1.7 2002/05/28 11:19:17 itojun Exp $"); +__RCSID("$NetBSD: pwd_gensalt.c,v 1.8 2002/10/01 20:48:58 provos Exp $"); #endif /* not lint */ #include @@ -55,7 +55,7 @@ __RCSID("$NetBSD: pwd_gensalt.c,v 1.7 2002/05/28 11:19:17 itojun Exp $"); static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; -static void to64(char *s, long v, int n); +void to64(char *s, long v, int n); int pwd_gensalt(char *salt, int max, struct passwd *pwd, char type) @@ -132,7 +132,7 @@ pwd_gensalt(char *salt, int max, struct passwd *pwd, char type) return (1); } -static void +void to64(char *s, long v, int n) { diff --git a/usr.bin/pwhash/Makefile b/usr.bin/pwhash/Makefile new file mode 100644 index 000000000000..8dc6864a5e62 --- /dev/null +++ b/usr.bin/pwhash/Makefile @@ -0,0 +1,15 @@ +# $NetBSD: Makefile,v 1.1 2002/10/01 20:48:58 provos Exp $ +# from: @(#)Makefile 8.3 (Berkeley) 4/2/94 + +.include + +PROG= pwhash +SRCS= pwhash.c pwd_gensalt.c +.PATH: ${.CURDIR}/../passwd + +CPPFLAGS+=-I${.CURDIR} -DLOGIN_CAP + +DPADD+= ${LIBCRYPT} ${LIBUTIL} +LDADD+= -lcrypt -lutil + +.include diff --git a/usr.bin/pwhash/pwhash.1 b/usr.bin/pwhash/pwhash.1 new file mode 100644 index 000000000000..c56cdadff496 --- /dev/null +++ b/usr.bin/pwhash/pwhash.1 @@ -0,0 +1,90 @@ +.\" $OpenBSD: encrypt.1,v 1.16 2000/11/09 17:52:07 aaron Exp $ +.\" +.\" Copyright (c) 1996, Jason Downs. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS +.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +.\" DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, +.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd May 18, 1999 +.Dt PWHASH 1 +.Os +.Sh NAME +.Nm pwhash +.Nd hashes passwords from the command line or standard input +.Sh SYNOPSIS +.Nm pwhash +.Op Fl k +.Op Fl b Ar rounds +.Op Fl m +.Op Fl s Ar salt +.Op Fl p | Ar string +.Sh DESCRIPTION +.Nm +prints the encrypted form of +.Ar string +to the standard output. +This is mostly useful for encrypting passwords from within scripts. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl k +Run in +.Nm makekey +compatible mode; a single combined key and salt are read from standard +input and the DES encrypted result is written to standard output without a +terminating newline. +.It Fl b Ar rounds +Encrypt the string using Blowfish hashing with the specified +.Ar rounds . +.It Fl m +Encrypt the string using MD5. +.It Fl p +Prompt for a single string with echo turned off. +.It Fl s Ar salt +Encrypt the string using DES, with the specified +.Ar salt . +.El +.Pp +If no +.Ar string +is specified, +.Nm +reads one string per line from standard input, encrypting each one +with the chosen algorithm from above. +In case that no specific algorithm was given as a command line option, +the algorithm specified in the default class in +.Pa /etc/passwd.conf +will be used. +.Pp +For MD5 and Blowfish a new random salt is automatically generated for each +password. +.Pp +Specifying the +.Ar string +on the command line should be discouraged; using the +standard input is more secure. +.Sh FILES +.Bl -tag -width /etc/passwd.conf -compact +.It Pa /etc/passwd.conf +.El +.Sh SEE ALSO +.Xr crypt 3 , +.Xr passwd.conf 5 diff --git a/usr.bin/pwhash/pwhash.c b/usr.bin/pwhash/pwhash.c new file mode 100644 index 000000000000..333340384be7 --- /dev/null +++ b/usr.bin/pwhash/pwhash.c @@ -0,0 +1,234 @@ +/* $OpenBSD: encrypt.c,v 1.16 2002/02/16 21:27:45 millert Exp $ */ + +/* + * Copyright (c) 1996, Jason Downs. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS + * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* + * Very simple little program, for encrypting passwords from the command + * line. Useful for scripts and such. + */ + +#define DO_MAKEKEY 0 +#define DO_DES 1 +#define DO_MD5 2 +#define DO_BLF 3 + +extern char *__progname; +char buffer[_PASSWORD_LEN]; +void print_passwd(char *, int , void *); + +void usage(void); +char *trim(char *); + +void +usage(void) +{ + + (void)fprintf(stderr, + "usage: %s [-k] [-b rounds] [-m] [-s salt] [-p | string]\n", + __progname); + exit(1); +} + +char * +trim(char *line) +{ + char *ptr; + + for (ptr = &line[strlen(line)-1]; ptr > line; ptr--) { + if (!isspace(*ptr)) + break; + } + ptr[1] = '\0'; + + for (ptr = line; *ptr && isspace(*ptr); ptr++) + ; + + return(ptr); +} + +void +print_passwd(char *string, int operation, void *extra) +{ + char msalt[3], *salt; + struct passwd pwd; + login_cap_t *lc; + int pwd_gensalt(char *, int, struct passwd *, login_cap_t *, char); + void to64(char *, int32_t, int n); + + switch(operation) { + case DO_MAKEKEY: + /* + * makekey mode: parse string into separate DES key and salt. + */ + if (strlen(string) != 10) { + /* To be compatible... */ + errx(1, "%s", strerror(EFTYPE)); + } + strcpy(msalt, &string[8]); + salt = msalt; + break; + + case DO_MD5: + strcpy(buffer, "$1$"); + to64(&buffer[3], arc4random(), 4); + to64(&buffer[7], arc4random(), 4); + strcpy(buffer + 11, "$"); + salt = buffer; + break; + + case DO_BLF: + strlcpy(buffer, bcrypt_gensalt(*(int *)extra), _PASSWORD_LEN); + salt = buffer; + break; + + case DO_DES: + salt = extra; + break; + + default: + pwd.pw_name = "default"; + if ((lc = login_getclass(NULL)) == NULL) + errx(1, "unable to get default login class."); + if (!pwd_gensalt(buffer, _PASSWORD_LEN, &pwd, lc, 'l')) + errx(1, "can't generate salt"); + salt = buffer; + break; + } + + (void)fputs(crypt(string, salt), stdout); +} + +int +main(int argc, char **argv) +{ + int opt; + int operation = -1; + int prompt = 0; + int rounds; + void *extra; /* Store salt or number of rounds */ + + if (strcmp(__progname, "makekey") == 0) + operation = DO_MAKEKEY; + + while ((opt = getopt(argc, argv, "kmps:b:")) != -1) { + switch (opt) { + case 'k': /* Stdin/Stdout Unix crypt */ + if (operation != -1 || prompt) + usage(); + operation = DO_MAKEKEY; + break; + + case 'm': /* MD5 password hash */ + if (operation != -1) + usage(); + operation = DO_MD5; + break; + + case 'p': + if (operation == DO_MAKEKEY) + usage(); + prompt = 1; + break; + + case 's': /* Unix crypt (DES) */ + if (operation != -1 || optarg[0] == '$') + usage(); + operation = DO_DES; + extra = optarg; + break; + + case 'b': /* Blowfish password hash */ + if (operation != -1) + usage(); + operation = DO_BLF; + rounds = atoi(optarg); + extra = &rounds; + break; + + default: + usage(); + } + } + + if (((argc - optind) < 1) || operation == DO_MAKEKEY) { + char line[BUFSIZ], *string; + + if (prompt) { + string = getpass("Enter string: "); + print_passwd(string, operation, extra); + (void)fputc('\n', stdout); + } else { + /* Encrypt stdin to stdout. */ + while (!feof(stdin) && + (fgets(line, sizeof(line), stdin) != NULL)) { + /* Kill the whitesapce. */ + string = trim(line); + if (*string == '\0') + continue; + + print_passwd(string, operation, extra); + + if (operation == DO_MAKEKEY) { + fflush(stdout); + break; + } + (void)fputc('\n', stdout); + } + } + } else { + char *string; + + /* can't combine -p with a supplied string */ + if (prompt) + usage(); + + /* Perhaps it isn't worth worrying about, but... */ + if ((string = strdup(argv[optind])) == NULL) + err(1, NULL); + /* Wipe the argument. */ + memset(argv[optind], 0, strlen(argv[optind])); + + print_passwd(string, operation, extra); + + (void)fputc('\n', stdout); + + /* Wipe our copy, before we free it. */ + memset(string, 0, strlen(string)); + free(string); + } + exit(0); +}