Using ruby to generate SHA512 style hashes formatted for / etc / shadow?

Question

Using ruby to generate SHA512 style hashes formatted for / etc / shadow?

I want to generate SHA512 passwords for inclusion directly in the / etc / shadow file for use with the chef's custom resource . I usually went to the stdlib digest library for this, but it does not generate a hash in the correct format:

 ruby-1.9.2-p136 :001 > require 'digest/sha2' => true ruby-1.9.2-p136 :002 > Digest::SHA512.hexdigest('test') => "ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff"

The format that the shadow file wants to use:

 $6$/ShPQNXV$HJnibH9lw01qtYqyJQiBf81ggJB2BGUvKA7.kv39HGCeE.gD4C/SS9zAf5BrwOv3VJzvl99FpHYli9E8jykRC0

Things I looked at:

The openssl "dgst" module returns the same format as .hexdigest, and its "passwd" module does not include SHA512 support.
String # crypt, but this does not support SHA512. (editing: this is only in the case of OSX - modern Linux distributions will work if you specify "$ 6 $ somesalt" as salt)
ruby-crypt , but it does not support SHA512

For comparison, something that returns the correct format is PHP crypt , but I would prefer not to run PHP for something that should be simple.

+6

ruby passwords encryption sha crypt

Gabe Martin-Dempesy Mar 2 '11 at 18:03

source share

1 answer

Gabe Martin-Dempesy · Accepted Answer · 2011-03-02T23:18:16+0000

After further research:

The mkpasswd command, which on debian is in the whois package (weird):
mkpasswd -m sha-512
The # crypt line does indeed call native crypt (), however OSX (prior to 10.6) does not include support for alternative ciphers. "password" .crypt ("$ 6 $ somesalt") will work on Linux platforms.

Using ruby ​​to generate SHA512 style hashes formatted for / etc / shadow?

More articles:

Using ruby to generate SHA512 style hashes formatted for / etc / shadow?