I want to generate SHA512 hashed passwords for inclusion directly into a /etc/shadow file for use with chef's user resource. Normally I'd go to the stdlib's Digest
library for this, but it doesn't generate the hash in the right format:
我想生成SHA512散列密码,以便直接包含在/ etc / shadow文件中,以便与chef的用户资源一起使用。通常我会去stdlib的Digest库,但它不会以正确的格式生成哈希:
ruby-1.9.2-p136 :001 > require 'digest/sha2'
=> true
ruby-1.9.2-p136 :002 > Digest::SHA512.hexdigest('test')
=> "ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff"
The format that the shadow file wants is:
shadow文件想要的格式是:
$6$/ShPQNXV$HJnibH9lw01qtYqyJQiBf81ggJB2BGUvKA7.kv39HGCeE.gD4C/SS9zAf5BrwOv3VJzvl99FpHYli9E8jykRC0
Things I've looked at:
我看过的事情:
- The openssl "dgst" module returns the same format as .hexdigest, and its "passwd" module doesn't include SHA512 support.
- String#crypt, but that does not support SHA512. (edit: this is only the case on OSX - modern Linux distros will work if you specify "$6$somesalt" as the salt)
- ruby-crypt gem, but it does not support SHA512
openssl“dgst”模块返回与.hexdigest相同的格式,其“passwd”模块不包含SHA512支持。
String#crypt,但不支持SHA512。 (编辑:这只是OSX的情况 - 如果指定“$ 6 $ somesalt”作为盐,现代Linux发行版将起作用)
ruby-crypt gem,但它不支持SHA512
For comparison, something that does return the proper format is PHP's crypt, but I'd rather not have to exec out to PHP for something that should be simple.
为了比较,确实返回正确格式的东西是PHP的crypt,但我宁愿不必向PHP执行简单的操作。
1 个解决方案
#1
5
After further research:
经过进一步研究:
-
The mkpasswd command, which on debian is in the
whois
package (weird):mkpasswd命令,在debian上是在whois包中(很奇怪):
mkpasswd -m sha-512
mkpasswd -m sha-512
-
String#crypt does actually call the platform's native crypt() call, however OSX (up to 10.6) does not include support for alternate ciphers. "password".crypt('$6$somesalt') will work on Linux platforms.
String#crypt实际上调用平台的本机crypt()调用,但是OSX(最多10.6)不包括对备用密码的支持。 “password”.crypt('$ 6 $ somesalt')将在Linux平台上运行。
#1
5
After further research:
经过进一步研究:
-
The mkpasswd command, which on debian is in the
whois
package (weird):mkpasswd命令,在debian上是在whois包中(很奇怪):
mkpasswd -m sha-512
mkpasswd -m sha-512
-
String#crypt does actually call the platform's native crypt() call, however OSX (up to 10.6) does not include support for alternate ciphers. "password".crypt('$6$somesalt') will work on Linux platforms.
String#crypt实际上调用平台的本机crypt()调用,但是OSX(最多10.6)不包括对备用密码的支持。 “password”.crypt('$ 6 $ somesalt')将在Linux平台上运行。