added password_2_hash script #463
The same CI failures again. |
I was on leave for a bit so sorry for the delay. |
After reading #458 and docker-library/docs#2203 I still don't understand how/where this script would be called. Bash-wise, and since it's a container environment, I would suggest you check that
command -v openssl >/dev/null || {
    echo "openssl command not found"
    exit 1
}
I don't see a reason why
Also, instead of
Finally, but again, I am absolutely not sure this is a problem since I don't understand how this works, what would happen with https://mariadb.com/kb/en/authentication-plugin-ed25519/, see https://mariadb.com/kb/en/password/:
|
Did it. 👍
I used awk as I can pipe it directly into it and don't have to think about shell escaping. But I'm no expert in bash and therefore can't reason about if the parameter expansion works without problems. If I should change it to the bash parameter expansion I can do it.
This script creates hashes for the old SHA-1 based scheme. If the newer ed25519 scheme is used another script has to be created.
I had this on my mind to look into but there was no time. Upgrading this scheme would be a pretty significant security improvement as SHA-1 isn't made for password hashing. But this is unrelated to this PR as I haven't seen any efforts to transition to ed25519 and it doesn't weaken anything. |
Adding a
|
Where does the
|
Same here:
❯ bash -x password_2_hash.sh
+ set -eo pipefail
+ shopt -s nullglob
+ command -v openssl
+ command -v awk
+ test_hash mariadb '*54958E764CE10E50764C2EECBB71D01F08549980'
++ echo -n mariadb
++ hash_pw
++ openssl sha1 -binary
++ awk '{print "*"toupper($0)}'
++ openssl sha1 -hex
+ gen_hash='*(STDIN)= 54958E764CE10E50764C2EECBB71D01F08549980'
+ '[' '*(STDIN)= 54958E764CE10E50764C2EECBB71D01F08549980' '!=' '*54958E764CE10E50764C2EECBB71D01F08549980' ']'
+ exit 1
❯ bash --version
GNU bash, version 5.1.4(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
❯ openssl version
OpenSSL 1.1.1n 15 Mar 2022
❯ echo test | openssl sha1 -binary | openssl sha1 -hex | awk '{print "*"toupper($0)}'
*(STDIN)= 1368D90029BDFE40A49E57F8FD348CD0BFB6D61A
There is something wrong with the openssl command IMO, not sure what. |
It's just removing |
The reason it worked on my MacBook is that it uses LibreSSL and not OpenSSL. I am working on it. |
I'm using the As both work and I don't know which one is more clear. |
Seems to be it. The bash read seems to have tty handling and prompt as the
|
This won't work with LibreSSL because of the different output formats. The following works with both ssl implementations:
openssl sha1 -binary | openssl sha1 -hex -r | awk -F ' ' '{print "*"toupper($1)}'
The |
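The failure in the trace above (a `(STDIN)= ` label ending up inside the generated hash) can also be guarded against by validating the digest rather than relying on its field position. The following is an added example, not the PR's script or any commenter's code; `normalize_digest` and `native_password_hash` are hypothetical names, and the sample lines are constructed from the thread's `mariadb` test vector.

```shell
#!/usr/bin/env bash
# Added example, not the PR's script; function names are hypothetical.

# Reduce one line of SHA-1 digest output to "*<40 uppercase hex digits>".
# Instead of trusting a field position, pick the token that is a digest,
# so a label such as "(stdin)=" can never leak into the stored hash.
normalize_digest() {
  awk '
    {
      for (i = 1; i <= NF; i++)
        if (length($i) == 40 && $i ~ /^[0-9A-Fa-f]+$/) { hex = $i; exit }
    }
    END {
      if (hex == "") exit 1
      print "*" toupper(hex)
    }' || { echo "no SHA-1 digest found in openssl output" >&2; return 1; }
}

# Double SHA-1 of the password read from stdin, as in the thread's pipeline.
# Assumes an openssl binary that accepts -r, which the thread reports for
# both OpenSSL and LibreSSL.
native_password_hash() {
  command -v openssl >/dev/null || { echo "openssl command not found" >&2; return 1; }
  openssl sha1 -binary | openssl sha1 -hex -r | normalize_digest
}

# Constructed sample lines; the digest is the thread's test vector for "mariadb".
d=54958e764ce10e50764c2eecbb71d01f08549980
for line in "(stdin)= $d" "SHA1(stdin)= $d" "$d *stdin" "$d"; do
  printf '%s\n' "$line" | normalize_digest
done
```

Because an empty or malformed digest line makes `normalize_digest` return non-zero, a failing `openssl` call upstream is caught without relying on `pipefail`.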
only openssl is in the container. What's the libressl use case? copy it out of the container and use it? |
Yes, so that the script can be used everywhere without any drawbacks. |
Would it make sense to add the execution of the script to the CI tests? If it should be done, I don't know where to put it. |
I added it as a script, as discussed in #458.