Creating a password crypt for use in user module.


Mark Maas

Nov 1, 2012, 9:42:04 AM
to ansible...@googlegroups.com
At the risk of becoming a spammer.....

I'm looking at the GitHub example and it mentions:
# crypt.crypt('This is my Password', '$1$SomeSalt')
    password: $1$SomeSalt$UqddPX3r4kH3UL5jq5/ZI.

Could this example be explained a little more? What is crypt.crypt? And I cannot just simply choose my own salt and have it work on a random server's /etc/shadow, right?

A tad more insight is needed for this non-programmer (Only bash and, unfortunately, ksh) ;-)

Thanks,
Mark

Jeremiah Snapp

Nov 1, 2012, 9:56:19 AM
to ansible...@googlegroups.com
crypt.crypt is a Python function used to create a salted hash of a password. http://docs.python.org/2/library/crypt.html

Yes, you can choose your own salt and have it work on other servers. The /etc/shadow password field format actually includes the salt. Hope that makes sense.

Jeremiah



Nigel Metheringham

Mar 6, 2013, 4:27:42 AM
to ansible...@googlegroups.com


crucialfelix wrote:
>
> it's still a bit mysterious
>
> the GitHub example says:
>
> # created with:
> # crypt.crypt('This is my Password', '$1$SomeSalt')
> password: $1$SomeSalt$UqddPX3r4kH3UL5jq5/ZI.

So if I try that on a CentOS 6 machine, then that's exactly what I get...

but run it on a Mac OS 10.8.2, then...

> but if I actually run this code I get:
>
> crypt.crypt('This is my Password', '$1$SomeSalt')
> '$15Dq6xVfTuV6'


This is going to be down to the OS / libc crypt implementation - try man
3 crypt

On the Mac it appears to be an ancient and venerable DES crypt only - so
only the first 2 characters of the salt are used, and quite likely only
the first 8 characters of the password, and you get a 13 character
result (including 2 characters of salt).

Modern crypt implementations can do DES, but normally key off the first
few characters of the salt to select a crypt algorithm - $1$ is MD5
based, $2a$ is Blowfish, $5$ is SHA256, $6$ SHA512 and there is also one
for bcrypt but I don't have that around to check.

> which bears no resemblance to what is shown and suggests that something
> is wrong with the example.

It's system dependent to some degree. The vast majority of modern
systems will have a decently modern crypt. The Mac I guess has not
because they don't use that subsystem at all for its internal password
management - anyone want to see what happens if you set passwords on
accounts on a Mac using ansible??

Nigel.

--
[ Nigel Metheringham ------------------------------ ni...@dotdot.it ]
[ Ellipsis Intangible Technologies ]
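
As an added example (not part of the thread and not Ansible's own code): a small Python check that reads the scheme and salt out of a crypt-style hash, so output like the Mac result above is caught as DES before it goes into a playbook. The function names, the WEAK set and the constructed `$6$` sample are assumptions of this example.

```python
import re

# Prefix ids named in the thread and in crypt(3); labels are this example's own.
SCHEMES = {"1": "md5", "2a": "bcrypt", "5": "sha256", "6": "sha512"}
WEAK = {"des", "md5"}  # assumption: schemes this example refuses for new hashes
MODULAR = re.compile(r"\$(\w+)\$(?:rounds=(\d+)\$)?([^$]*)\$([^$]+)")

def parse_crypt(field):
    """Split a shadow-style password field into scheme, salt, digest, rounds."""
    m = MODULAR.fullmatch(field)
    if m and m.group(1) in SCHEMES:
        ident, rounds, salt, digest = m.groups()
        scheme = SCHEMES[ident]
        if scheme == "bcrypt":
            # bcrypt packs the cost, then a 22-char salt and the digest in one run
            rounds, salt, digest = salt, digest[:22], digest[22:]
        return {"scheme": scheme, "salt": salt, "digest": digest,
                "rounds": int(rounds) if rounds and rounds.isdigit() else None}
    if len(field) == 13:
        # Traditional DES crypt: 2 salt characters followed by 11 digest characters
        return {"scheme": "des", "salt": field[:2], "digest": field[2:],
                "rounds": None}
    return {"scheme": "unknown", "salt": "", "digest": field, "rounds": None}

def check_hash(field, expected):
    """Return a list of problems; an empty list means the hash is as intended."""
    info = parse_crypt(field)
    problems = []
    if info["scheme"] != expected:
        problems.append("expected %s, got %s" % (expected, info["scheme"]))
    if info["scheme"] in WEAK:
        problems.append("%s is too weak for a new password hash" % info["scheme"])
    return problems

if __name__ == "__main__":
    samples = [
        ("$1$SomeSalt$UqddPX3r4kH3UL5jq5/ZI.", "md5"),   # from the thread
        ("$15Dq6xVfTuV6", "md5"),                        # Mac output from the thread
        ("$6$ConstructedSalt$" + "A" * 86, "sha512"),    # constructed, not a real digest
    ]
    for field, expected in samples:
        print(field[:24], parse_crypt(field)["scheme"], check_hash(field, expected))
```
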