What hash algorithms can I use in preseed’s passwd/user-password-crypted entry

hashsumpasswordpreseed

When it comes to passwd/user-password-crypted statement in a preseed file, most examples use an MD5 hash. Example:

# Normal user's password, either in clear text
#d-i passwd/user-password password insecure
#d-i passwd/user-password-again password insecure
# or encrypted using an MD5 hash.
#d-i passwd/user-password-crypted password [MD5 hash]

^{From Debian's Appendix B. Automating the installation using preseeding.}

A few sources show that it's also possible to use SHA-512:

Try using a hashed password like this:
$ mkpasswd -m sha-512
[…]

And then in your preseed file:
d-i passwd/user-password-crypted password $6$ONf5M3F1u$bpljc9f1SPy1w4J2br[...]

^{From Can't automate user creation with preseeding on AskUbuntu.}

This is slightly better than MD5, but still doesn't resist well against brute force and rainbow tables.

What other algorithms can I use? For instance, is PBKDF2 supported, or am I limited by the algorithms used in /etc/shadow, that is MD5, Blowfish, SHA-256 and SHA-512?

Best Answer

You can use anything which is supported in the /etc/shadow file. The string given in the preseed file is just put into /etc/shadow. To create a salted password to make it more difficult just use mkpasswd with the salt option (-S):

mkpasswd -m sha-512 -S $(pwgen -ns 16 1) mypassword
$6$bLyz7jpb8S8gOpkV$FkQSm9YZt6SaMQM7LPhjJw6DFF7uXW.3HDQO.H/HxB83AnFuOCBRhgCK9EkdjtG0AWduRcnc0fI/39BjmL8Ee1

In the command above the salt is generated by pwgen.

Related Solutions

Ssh – Can a linux user change their password without knowing the current password

Sudo, in its most common configuration, requires the user to type their password. Typically, the user already used their password to authenticate into the account, and typing the password again is a way to confirm that the legitimate user hasn't abandoned their console and been hijacked.

In your setup, the user's password would be used only for authentication to sudo. In particular, if a user's SSH key is compromised, the attacker would not be able to elevate to root privileges on the server. The attacker could plant a key logger into the account, but this key logger would be detectable by other users, and could even be watched for automatically.

A user normally needs to know their current password to change it to a different password. The passwd program verifies this (it can be configured not to, but this is not useful or at all desirable in your scenario). However, root can change any user's password without knowing the old one; hence a user with sudo powers can change his own password without entering it at the passwd prompt by running sudo passwd $USER. If sudo is configured to require the user's password, then the user must have typed the password to sudo anyway.

You can disable password authentication selectively. In your situation, you would disable password authentication in ssh, and possibly in other services. Most services on most modern unices (including Ubuntu) use PAM to configure authentication methods. On Ubuntu, the PAM configuration files live in /etc/pam.d. To disable password authentication, comment out the auth … pam_unix.so line in /etc/pam.d/common-auth. Furthermore, make sure you have PasswordAuthentication no in /etc/ssh/sshd_config to disable sshd's built-in password authentication.

You may want to allow some administrative users to log in with a password, or to allow password authentication on the console. This is possible with PAM (it's pretty flexible), but I couldn't tell you how off the top of my head; ask a separate question if you need help.

MySQLdump via crontab – Pass –password=/hashed/password/file so I can use via crontab w/o using plain text password

You have following password options:

provide the password on the command line through the -p option
provide the password via the MYSQL_PWD environment variable
put your configuration in the ~/.my.cnf file under the [mysqldump] section

In all cases your client needs a plain text password to be able to authenticate. You mentioned hashes, but the trait of a hash is that it's a one way conversion function (i.e. you won't be able to restore the original password from a hash), therefore it's unusable as the authentication token.

Since you are backing up the Wordpress database from, allegedly, the same account that hosts your Wordpress there is no security improvements of trying to hide the password from the user that runs Wordpress (the database credentials can be easily extracted from the wp-config.php file anyway).

So, I'd suggest to define the following ~/.my.cnf:

[mysqldump]
host = your_MySQL_server_name_or_IP
port = 3306
user = database_user_name
password = database_password

Then ensure that the file has the 0600 permissions. This way mysqldump does not need any database credential specified on its command line (they will be read from the ~/.my.cnf file.

Best Answer

Related Solutions

Ssh – Can a linux user change their password without knowing the current password

MySQLdump via crontab – Pass –password=/hashed/password/file so I can use via crontab w/o using plain text password

Related Question