Update mkpw

7ebf12c9 · Sven Mäder · c6d0371c · 7ebf12c9
Commit 7ebf12c9 authored 7 months ago by Sven Mäder
--- a/profile/_assets/bin/mkpw
+++ b/profile/_assets/bin/mkpw
-#!/bin/bash
+#!/usr/bin/env bash

-# File:        mkpw.sh
+# File:        mkpw
 # Author:      Sven Mäder <maeder@phys.ethz.ch>, ETH Zurich, ISG D-PHYS
-# Date:        2019-03-01
+# Date:        2024-08-29
 # Github:      https://github.com/rda0/mkpw/blob/master/mkpw.sh
 #
 # Description: Generates random secure passwords suitable for linux logins,
-#              prints out the creatext password and the corresponding
-#              `sha-512` hash. The hash includes a random salt and 10000
-#              rounds. All randomness is generated using `/dev/urandom`.
-#              Example: tty=/dev/ttyS will match all logins via a serial
-#                       console like /dev/ttyS0, /dev/ttyS1, etc.
+#              prints out the creatext password and the corresponding hash.
+#              Alternatively hashes input password.
 #
 # Requirement: `mkpasswd`, provided by the package whois, on debian based
 #              distributions run the following command to install it:
 #
 #              apt install whois
 #
-# Copyright 2017 Sven Mäder
+# Copyright 2024 Sven Mäder
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -46,33 +43,30 @@ charset_q='\\\-_~!@#$%^&*()+={}[]|;:<>,.?/a-zA-Z0-9'
 passwd_charset=${charset_g}
 # character set to use for salts (allowed charset = ./a-zA-Z0-9 )
 salt_charset='./a-zA-Z0-9'
-# hashing algorithm used (use: sha-256 | sha-512)
-hash_algorithm='sha-512'
-# maximum password length
-passwd_max_des=8
 # minimum password length not showing insecure warning
 passwd_min=12
-# salt length (sha: min=8, max=16,  md5: 8)
-salt_len_sha=16
-salt_len_md5=8
-salt_len_des=2
-# default salt len
-salt_len=${salt_len_sha}
-# number of rounds the password is hashed (min=1'000, max=999'999'999)
-rounds=10000
+# default password length
+passwd_len=32
+# default rounds (-1 == use defaults)
+rounds=-1
+# default salt_len (-1 == use defaults)
+salt_len=-1
 # possible hashing algorithms
-methods='sha-512 sha-256 md5 des'
+methods='yescrypt gost-yescrypt scrypt bcrypt bcrypt-a sha512crypt sha256crypt sunmd5 md5crypt bsdicrypt descrypt nt'
 # default method
-method='sha-512'
+method='yescrypt'
+# hash input (provide existing password to hash)
+hash_input=0
+hash_input_stdin=0

 ## loop variables
-
+# loop counter
 counter=0
+# default number of passwords to generate
 amount=1
-passwd_len=32

 print_usage() {
-  echo -e "Usage: ${0} [option] [length [amount]]"
+  echo -e "Usage: ${0} [options] [length [amount]]"
  echo -e "\n    Generates strong passwords suitable for linux logins."
  echo -e "\nOutput: <cleartext-password>   <hashed-password>"
  echo -e "\nOptions:\n"
@@ -97,12 +91,24 @@ print_usage() {
  echo "    -m, --method TYPE"
  echo "        Compute the password using the TYPE method."
  echo "        Possible values for TYPE:"
-  echo "        sha-512  SHA-512  (default)"
-  echo "        sha-256  SHA-256"
-  echo "        md5      MD5"
-  echo "        des      standard 56 bit DES-based crypt(3)"
+  echo "        yescrypt        Yescrypt  (default)"
+  echo "        gost-yescrypt   GOST Yescrypt"
+  echo "        scrypt          scrypt"
+  echo "        bcrypt          bcrypt"
+  echo '        bcrypt-a        bcrypt (obsolete $2a$ version)'
+  echo "        sha512crypt     SHA-512"
+  echo "        sha256crypt     SHA-256"
+  echo "        sunmd5          SunMD5"
+  echo "        md5crypt        MD5"
+  echo "        bsdicrypt       BSDI extended DES-based crypt(3)"
+  echo "        descrypt        standard 56 bit DES-based crypt(3)"
+  echo "        nt              NT-Hash"
  echo "    -r, --rounds ROUNDS"
-  echo "        Compute the password using ROUNDS number of rounds (default=10000)."
+  echo "        Compute the password using ROUNDS number of rounds (otherwise use default)."
+  echo "    -i, --hash-input"
+  echo "        Hash input password."
+  echo "    -s, --stdin"
+  echo "        Read input password from stdin (only with -i)."
 }

 check_opt() {
@@ -140,7 +146,7 @@ if [ "$(which mkpasswd)" != "/usr/bin/mkpasswd" ]; then
  exit 1
 fi

-if [ "$#" -lt 0 ] || [ "$#" -gt 7 ]; then
+if [ "$#" -lt 0 ] || [ "$#" -gt 9 ]; then
  print_usage
  exit 1
 fi
@@ -152,10 +158,10 @@ while [[ $# -gt 0 ]]
 do
 key="$1"

-case $key in
+case ${key} in
    -h|--help)
        print_usage
-        exit 1
+        exit 0
        ;;
    -g|--graph)
        check_opt
@@ -206,23 +212,29 @@ case $key in
        ;;
    -r|--rounds)
        valid_rounds='[0-9]'
-        if [[ ${2} =~ ${valid_rounds} ]] && [ ${2} -ge 1000 ] && [ ${2} -le 999999999 ]; then
+        if [[ "${2}" =~ ${valid_rounds} ]] && [ "${2}" -ge 0 ] && [ "${2}" -le 999999999 ]; then
            rounds=${2}
            shift
        else
            echo -e "Error: Invalid value for rounds\n" >&2
-            echo -e "Provide a numeric value between 1000 and 999999999\n" >&2
+            echo -e "Provide a numeric value between 0 and 999999999\n" >&2
            print_usage
            exit 1
        fi
        ;;
+    -i|--hash-input)
+        hash_input=1
+        ;;
+    -s|--stdin)
+        hash_input_stdin=1
+        ;;
    *)
        if [ ${num} -ge 2 ]; then
            echo -e "Error: Too many arguments\n" >&2
            print_usage
            exit 1
        fi
-        check_num ${1}
+        check_num "${1}"
        if [ ${num} -eq 0 ]; then
            passwd_len="${1}"
        fi
@@ -235,37 +247,105 @@ esac
 shift # past argument or value
 done

+# defaults for algorithms
 case ${method} in
-    sha-512)
-        salt_len=${salt_len_sha}
+    # for possible salt lengths see man crypt(5)
+    yescrypt)
+        # debian default rounds: 5
+        if [ "${rounds}" == "-1" ]; then
+            rounds=7
+        fi
        ;;
-    sha-256)
-        salt_len=${salt_len_sha}
+    sha512crypt)
+        salt_len=16
+        if [ "${rounds}" == "-1" ]; then
+            # debian default rounds: 5000
+            rounds=500000
+        fi
+        ;;
+    sha256crypt)
+        salt_len=16
+        if [ "${rounds}" == "-1" ]; then
+            rounds=500000
+        fi
        ;;
-    md5)
-        salt_len=${salt_len_md5}
+    md5crypt)
+        salt_len=8
+        rounds=-1
        ;;
-    des)
-        salt_len=${salt_len_des}
-        passwd_max=${passwd_max_des}
+    descrypt)
+        salt_len=2
+        passwd_max=8
+        rounds=-1
        ;;
 esac

+# default uses no --rounds param and defaults of mkpasswd
+rounds_param=""
+
+if [ "${rounds}" != "-1" ]; then
+    rounds_param="--rounds=${rounds}"
+fi
+
+# default uses no --salt param and defaults of mkpasswd
+salt_param=""
+
 if [ "${passwd_len}" -lt "${passwd_min}" ]; then
-  print_passwd_insecure
+    print_passwd_insecure
 fi
+
 if [ ! -z "${passwd_max}" ] && [ "${passwd_len}" -gt "${passwd_max}" ]; then
-  print_passwd_too_long
-  exit 1
+    print_passwd_too_long
+    exit 1
 fi

-hash_algorithm=${method}
+while [ "${counter}" -lt "${amount}" ]; do
+    if [ "${salt_len}" != "-1" ]; then
+        salt=$(head -c"${salt_len}" < <(LC_CTYPE=C tr -dc "${salt_charset}" < /dev/urandom))
+        salt_param="--salt=${salt}"
+    fi
+
+    if [ "${hash_input}" -eq 0 ]; then
+        # generate random password
+        passwd=$(head -c"${passwd_len}" < <(LC_CTYPE=C tr -dc "${passwd_charset}" < /dev/urandom))
+        echo -n "${passwd}"
+        echo -n '   '
+        if [ "${rounds_param}" != "" ] && [ "${salt_param}" != "" ]; then
+            echo -n "${passwd}" | /usr/bin/mkpasswd -s -m "${method}" "${rounds_param}" "${salt_param}"
+        elif [ "${rounds_param}" != "" ]; then
+            echo -n "${passwd}" | /usr/bin/mkpasswd -s -m "${method}" "${rounds_param}"
+        elif [ "${salt_param}" != "" ]; then
+            echo -n "${passwd}" | /usr/bin/mkpasswd -s -m "${method}" "${salt_param}"
+        else
+            echo -n "${passwd}" | /usr/bin/mkpasswd -s -m "${method}"
+        fi
+    else
+        amount=1
+        if [ "${hash_input_stdin}" -eq 1 ]; then
+            # hash password from stdin
+            passwd=$(cat)
+            if [ "${rounds_param}" != "" ] && [ "${salt_param}" != "" ]; then
+                echo -n "${passwd}" | /usr/bin/mkpasswd -s -m "${method}" "${rounds_param}" "${salt_param}"
+            elif [ "${rounds_param}" != "" ]; then
+                echo -n "${passwd}" | /usr/bin/mkpasswd -s -m "${method}" "${rounds_param}"
+            elif [ "${salt_param}" != "" ]; then
+                echo -n "${passwd}" | /usr/bin/mkpasswd -s -m "${method}" "${salt_param}"
+            else
+                echo -n "${passwd}" | /usr/bin/mkpasswd -s -m "${method}"
+            fi
+        else
+            # hash password from user input
+            if [ "${rounds_param}" != "" ] && [ "${salt_param}" != "" ]; then
+                /usr/bin/mkpasswd -m "${method}" "${rounds_param}" "${salt_param}"
+            elif [ "${rounds_param}" != "" ]; then
+                /usr/bin/mkpasswd -m "${method}" "${rounds_param}"
+            elif [ "${salt_param}" != "" ]; then
+                /usr/bin/mkpasswd -m "${method}" "${salt_param}"
+            else
+                /usr/bin/mkpasswd -m "${method}"
+            fi
+        fi
+    fi

-while [ $counter -lt $amount ]; do
-  passwd=$(head -c"${passwd_len}" < <(LC_CTYPE=C tr -dc "${passwd_charset}" < /dev/urandom))
-  salt=$(head -c"${salt_len}" < <(LC_CTYPE=C tr -dc "${salt_charset}" < /dev/urandom))
-  echo -n "${passwd}"
-  echo -n '   '
-  echo -n "${passwd}" | /usr/bin/mkpasswd -s -m "${hash_algorithm}" -R "${rounds}" -S "${salt}"
-  let counter+=1
+    ((counter+=1))
 done