On 14 August 2014 21:05, Brian Reichert reichert@numachi.com wrote:
> # python -c 'import crypt; print crypt.crypt("test", "$6$random_salt")'
> $6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8fAfT4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10
>
> and tried to embed this rootpw in my config file;
>
> rootpw {CRYPT}$6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8fAfT4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10
>
> I would get bind errors.
How do you encode your random salt? The SHA-512 password hash as used in the glibc crypt() implementation requires the salt to be a random string containing up to 16 characters drawn from the set [a-zA-Z0-9./]. I'm using something like this to generate the salt (and hope for the best):

    # python code
    import random
    import string
    from passlib.hash import sha512_crypt  # on Linux systems it just uses crypt.crypt()

    # draw salt and password characters from the OS CSPRNG, not the default PRNG
    _rng = random.SystemRandom()

    # ascii_letters: string.letters is locale-dependent on Python 2 and gone in Python 3
    def randomized_string(size=16, chars=string.ascii_letters + string.digits + string.punctuation):
        # string.printable produces more than we can eat, unfortunately
        return ''.join(_rng.choice(chars) for x in range(size))

    def make_pass(passwd=None):
        # generate password using crypt()'s SHA-512 method, randomized salt and
        # randomized number of rounds.
        if passwd is None:
            passwd = randomized_string(32)
        salt = randomized_string(16, ('./' + string.ascii_letters + string.digits))
        iterations = _rng.randint(40000, 80000)
        return '{CRYPT}' + sha512_crypt.encrypt(passwd, salt=salt, rounds=iterations)

Works quite well with our LDAP boxes.
Best regards,
-- 
Miroslaw Baran
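
A format check for `{CRYPT}$6$...` values against the salt rules stated in the reply above, as an added example that is not part of the original thread. The name `check_rootpw` and the second sample value are constructed for illustration; the rounds limits and the 86-character hash length are those of glibc's SHA-512 crypt.

```python
import re

ALPHABET = "A-Za-z0-9./"                   # character set quoted in the reply above
MCF = re.compile(r"\$6\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<digest>[^$]*)")
ROUNDS_MIN, ROUNDS_MAX = 1000, 999999999   # limits in glibc's SHA-512 crypt
DIGEST_LEN = 86                            # 64-byte SHA-512 output in crypt base64

# Value taken from the message quoted at the top of the thread.
SAMPLE_FROM_PAGE = ("{CRYPT}$6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8fAf"
                    "T4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10")
# Constructed sample: explicit rounds, 16-character salt, placeholder hash field.
SAMPLE_CONSTRUCTED = "{CRYPT}$6$rounds=50000$abcDEF123./xyzQR$" + "A" * DIGEST_LEN


def check_rootpw(value):
    """Return a list of problems in a '{CRYPT}$6$...' value; empty means well-formed."""
    if not value.upper().startswith("{CRYPT}"):
        return ["missing {CRYPT} scheme prefix"]
    m = MCF.fullmatch(value[len("{CRYPT}"):])
    if m is None:
        return ["not a $6$[rounds=N$]salt$hash string"]
    problems = []
    salt, digest, rounds = m.group("salt"), m.group("digest"), m.group("rounds")
    # Whatever survives stripping the allowed alphabet is an offending character.
    bad = sorted(set(re.sub("[%s]" % ALPHABET, "", salt)))
    if bad:
        problems.append("salt has characters outside [a-zA-Z0-9./]: %r" % "".join(bad))
    if len(salt) > 16:
        problems.append("salt is %d characters, limit is 16" % len(salt))
    if rounds is not None and not ROUNDS_MIN <= int(rounds) <= ROUNDS_MAX:
        problems.append("rounds=%s outside %d..%d" % (rounds, ROUNDS_MIN, ROUNDS_MAX))
    if not re.fullmatch("[%s]{%d}" % (ALPHABET, DIGEST_LEN), digest):
        problems.append("hash part is not %d characters of [a-zA-Z0-9./]" % DIGEST_LEN)
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_FROM_PAGE, SAMPLE_CONSTRUCTED):
        print(sample[:40] + "...", check_rootpw(sample) or "ok")
```

The check covers only the string format; it does not verify a password against the hash.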