[xen-tools-dev] [PATCH 07/17] Encrypt root password with sha256 by default.

Stéphane Jourdois sjourdois at gmail.com
Sun Jul 25 14:12:39 CEST 2010 

- Use perl crypt with some magic rather than openssl to hash root
password, either generated or provided by user.
- Remove the undocumented dependency on openssl.
- Add a hash_method option to configure the hashing algorithm.
- Permit md5, sha256 and sha512, and use sha256 as default.
- Remove TODO entry about "more random" passwords.
- Remove an ugly system() call.
---
 TODO                 |    6 ------
 bin/xen-create-image |   37 +++++++++++++++++++++++++++++++++----
 etc/xen-tools.conf   |    8 ++++++++
 3 files changed, 41 insertions(+), 10 deletions(-)

diff --git a/TODO b/TODO
index a244ab3..47d9ee7 100644
--- a/TODO
+++ b/TODO
@@ -61,12 +61,6 @@ Maybe for a 4.3 or 5.0 release
    install Can't remove open logical volume "acromantula-domu1-disk"
    this should be a matter of unmounting the mounted volume from /tmp.
 
-* Create "more random" passwords and salts
-
-   Currently passwords are using the passwd function of OpenSSL which
-   at the moment can only generate md5 hashes. The passwords can
-   still be made quite strong though.
-
 * Generic grub support
 
    This will generate a much nicer menu.lst as a side effect, as its
diff --git a/bin/xen-create-image b/bin/xen-create-image
index 6f961cf..576fb1a 100755
--- a/bin/xen-create-image
+++ b/bin/xen-create-image
@@ -114,6 +114,10 @@ xen-create-image - Easily create new Xen instances with networking and OpenSSH.
    --password=passphrase
                 Set the root password for the new guest.
 
+   --hash_method=algorithm
+                Override the default hashing method of sha256 and use the
+                provided algorithm. Can be : md5, sha256 or sha512
+
    --passwd     Ask for a root password interactively during setup.
                 NOTE:  This overrides --genpass --password
 
@@ -1381,6 +1385,7 @@ sub setupDefaultOptions
     $CONFIG{ 'genpass' }     = 1;
     $CONFIG{ 'genpass_len' } = 8;
     $CONFIG{ 'password' }    = '';
+    $CONFIG{ 'hash_method' } = 'sha256';
 
     #
     #  The program to run to create a filesystem.
@@ -1575,6 +1580,10 @@ sub checkOption
             check   => qr/^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$/i,
             message => "must be a valid ethernet mac address.\n",
         },
+        hashMethod => {
+            check   => qr/^md5|sha256|sha512$/i,
+            message => "must be md5, sha256 or sha512.\n",
+        },
     );
 
     # Define what argument each option accepts.
@@ -1608,6 +1617,7 @@ sub checkOption
         extension     => 'filename',
         mac           => 'mac',
         ip            => 'ipv4',
+        hash_method   => 'hashMethod',
     );
 
     # If given option does not exists in optionsTypes,
@@ -1737,6 +1747,7 @@ sub parseCommandLineArguments
             "genpass-len=i", \&checkOption,
             "genpass_len=i", \&checkOption,
             "password=s",   \&checkOption,
+            "hash_method=s",\&checkOption,
             "partitions=s", \&checkOption,
             "role=s",       \&checkOption,
             "role-args=s",  \&checkOption,
@@ -3964,9 +3975,28 @@ sub setupRootPassword
             {
                 $PASSWORD = $CONFIG { 'password' };
             }
+
             my $salt = generatePassword(8);
-            my $hash = `echo -n $PASSWORD | openssl passwd -stdin -1 -salt $salt`;
-            $hash =~ s/\s+$//;
+
+            my $hash_method;
+            if ($CONFIG{ 'hash_method' } eq 'md5')
+            {
+                $hash_method = '$1$';
+            }
+            elsif ($CONFIG{ 'hash_method' } eq 'sha256')
+            {
+                $hash_method = '$5$';
+            }
+            elsif ($CONFIG{ 'hash_method' } eq 'sha512')
+            {
+                $hash_method = '$6$';
+            }
+            else
+            {
+                die "oops... unknown hashing method, should not happen!";
+            }
+
+            my $hash = crypt($PASSWORD, $hash_method . $salt);
 
             #
             #  Copy the file to ensure the original retains the correct
@@ -3979,9 +4009,8 @@ sub setupRootPassword
             my $line;
             while(defined($line = <TMP>))
             {
-                chomp $line;
                 $line =~ s#^root:[^:]*:#root:$hash:#;
-                print SHADOW "$line\n";
+                print SHADOW $line;
             }
 
             #
diff --git a/etc/xen-tools.conf b/etc/xen-tools.conf
index 4553455..0b9f197 100644
--- a/etc/xen-tools.conf
+++ b/etc/xen-tools.conf
@@ -219,6 +219,14 @@ image  = sparse   # Specify sparse vs. full disk images.
 #
 
 #
+# You can yet change the hashing method to encrypt the generated
+# password by changing the line below.
+# Valid values : md5, sha256 and sha512.
+#
+# hash_method = sha256
+#
+
+#
 # Alternatively, Uncomment the following line if you wish to
 # interactively setup a new root password for images.
 #
-- 
1.7.2

More information about the xen-tools-dev mailing list