Date: Sat, 29 Jun 2013 19:03:55 -0400
From: Dubiousjim
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Re: [PATCH 8/8] main/syslinux: hooks for bootloader password
Message-ID: <20130629230355.GE1776@zen>
References: <20130628164000.GC1712@zen.nyu.edu> <20130629154905.GA1776@zen> <20130629233544.1f55a640@ncopa-laptop.res.nor.wtbts.net>
In-Reply-To: <20130629233544.1f55a640@ncopa-laptop.res.nor.wtbts.net>

On Sat, Jun 29, 2013 at 11:35:44PM +0200, Natanael Copa wrote:
> >
> > Anyway, those utilities use the crypt(3) call, which on uClibc can
> > generate DES and MD5 passwords.
>
> we patched uclibc for Alpine Linux to do sha512 by default.

Ah yes, I see: we configure uclibc's crypt to accept sha256 ($5$...)
and sha512 ($6$...). And it already does md5 ($1$...). But not sha1
($4$...).

> > syslinux honors MD5. It also honors
> > SHA1, but I think not sha256 or sha512.
>
> after a quick look I got the impression of support for:
>
> sha1:
> http://git.kernel.org/cgit/boot/syslinux/syslinux.git/tree/com32/menu/passwd.c#n20
>
> md5:
> http://git.kernel.org/cgit/boot/syslinux/syslinux.git/tree/com32/menu/passwd.c#n50
>
> sha256:
> http://git.kernel.org/cgit/boot/syslinux/syslinux.git/tree/com32/menu/passwd.c#n59
>
> sha512:
> http://git.kernel.org/cgit/boot/syslinux/syslinux.git/tree/com32/menu/passwd.c#n68

Good catch. Some of their online docs only list md5 and sha1, I think.

> I would have expected mkpasswd -m sha1 to work but it doesn't. (I'm not
> too sad for that...) If syslinux supports $6$$ then
> mkpasswd should 'just work'. If not, then I think could backport (or
> add) sha512 support to syslinux.

Hmm, mkpasswd *seems* to work with --method=sha256 and --method=sha512.
At least, that's a reasonable guess about sha512. Whatever it outputs
for sha512 seems to be its default, and it will output the same for
--method=garbage. I verified that python produces the same output.

    $ mkpasswd --salt=salt --method=sha256 pass
    $5$salt$BVuUtQaoLQNxrhdvvoTwUW5F0BihI9JdpEEgVrKrp6C
    $ python -c "import crypt, getpass, pwd; print crypt.crypt('pass', '\$5\$salt\$')"
    $5$salt$BVuUtQaoLQNxrhdvvoTwUW5F0BihI9JdpEEgVrKrp6C

    $ mkpasswd --salt=salt --method=sha512 pass
    $6$salt$3aEJgflnzWuw1O3tr0IYSmhUY0cZ7iBQeBP392T7RXjLP3TKKu3ddIapQaCpbD4p9ioeGaVIjOHaym7HvCuUm0
    $ python -c "import crypt, getpass, pwd; print crypt.crypt('pass', '\$6\$salt\$')"
    $6$salt$3aEJgflnzWuw1O3tr0IYSmhUY0cZ7iBQeBP392T7RXjLP3TKKu3ddIapQaCpbD4p9ioeGaVIjOHaym7HvCuUm0

Not sure how to duplicate that with openssl.

    $ printf '$5$%s$%s\n' salt $(printf saltpass | openssl sha256 -binary | base64 | sed 's/=*$//')
    $5$salt$nJW/kJzxe+qnpMcdhmcVZilGmamU23qqj/6gBPQllU8

is not the same result as above.

But I guess we can nevertheless rely on mkpasswd for md5, sha256, and
sha512. Haven't verified that this all works with syslinux, but I expect
it to.

-- 
Dubiousjim
dubiousjim@gmail.com
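
Added example, not part of the original mail and not code from uClibc, mkpasswd or syslinux: the openssl pipeline above cannot match crypt(3) because the $5$ scheme is not one SHA-256 over salt+password. The Python below follows the published SHA-crypt construction (5000 rounds, crypt's own base64 alphabet and byte order) next to the one-shot hash. The function names are illustrative, the pass/salt input is the one used in the mail, and a "rounds=" prefix in the salt string is assumed absent.

```python
import base64
import hashlib

# crypt(3) has its own base64 alphabet and emits the low 6 bits first.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which the final digest is encoded (SHA-crypt specification).
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
ROUNDS = 5000  # default when the salt string carries no "rounds=" prefix

def _sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _b64(value: int, chars: int) -> str:
    return "".join(B64[(value >> (6 * i)) & 63] for i in range(chars))

def naive_hash(password: bytes, salt: bytes) -> str:
    """The openssl pipeline from the mail: one SHA-256 over salt+password."""
    return base64.b64encode(_sha(salt + password)).decode().rstrip("=")

def sha256_crypt(password: bytes, salt: bytes) -> str:
    """crypt(3) '$5$' hash with default rounds, following the SHA-crypt spec."""
    salt, n = salt[:16], len(password)
    b = _sha(password + salt + password)
    a_input = password + salt + (b * (n // 32 + 1))[:n]
    bits = n
    while bits:  # one block per bit of len(password), lowest bit first
        a_input += b if bits & 1 else password
        bits >>= 1
    a = _sha(a_input)
    p = (_sha(password * n) * (n // 32 + 1))[:n]  # password-derived filler
    s = _sha(salt * (16 + a[0]))[:len(salt)]      # salt-derived filler
    c = a
    for r in range(ROUNDS):  # the iterated part the one-shot hash lacks
        block = p if r & 1 else c
        if r % 3:
            block += s
        if r % 7:
            block += p
        block += c if r & 1 else p
        c = _sha(block)
    out = "".join(_b64(c[x] << 16 | c[y] << 8 | c[z], 4) for x, y, z in ORDER)
    out += _b64(c[31] << 8 | c[30], 3)
    return "$5$%s$%s" % (salt.decode(), out)

if __name__ == "__main__":
    print(sha256_crypt(b"pass", b"salt"))             # iterated crypt(3) form
    print("$5$salt$" + naive_hash(b"pass", b"salt"))  # single-hash form
```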