In modern Linux, passwords stored in `/etc/shadow` and similar files are hashed with SHA-512. For example, when creating a regular user inside a container from a Dockerfile, you want to avoid writing the plaintext password into the file and instead set the password in a form like this:

```dockerfile
RUN useradd -p 'encrypted_password' accountname
RUN echo 'accountname:encrypted_password' | chpasswd -e
```

To do that, the password has to be hashed with SHA-512 beforehand (the "encrypted password" that `useradd -p` and `chpasswd -e` accept), and several methods are described, for example in:
- Generate SHA512 PASSWORD with OpenSSL
- [To generate a password with salt hashed with sha512](http://april.fool.jp/blogs/2013/09/07/sha512%E3%81%A7%E3%83%8F%E3%83%83%E3%82%B7%E3%83%A5%E3%81%95%E3%82%8C%E3%81%9Fsalt%E3%81%A4%E3%81%8D%E3%83%91%E3%82%B9%E3%83%AF%E3%83%BC%E3%83%89%E3%82%92%E7%94%9F%E6%88%90%E3%81%99%E3%82%8B%E3%81%AB/)
- How to create a SHA-512 hash password for shadows?
However, **which of these methods can actually be used seems to depend heavily on the execution environment**.

For example, depending on the macOS version of the host, Perl's `crypt` function does not support SHA-512; `openssl` supports it in newer versions, but the one shipped as standard with CentOS 7 apparently does not, so the method has to be chosen case by case. I don't think it is practical to look up and switch the method by hand for every environment the image is built in, so I wrote a script that tries several methods in turn. The file is stored as follows.
The following usage is assumed.

Example of setting an initial password:

```shell
# useradd -p "$(./passwd_sha512encrypt -u worker)" worker
Enter password for worker:
Enter password again for check. :
```

Example of setting the password of an existing account:

```shell
# ./passwd_sha512encrypt -f -u worker | chpasswd -e
Enter password for worker:
Enter password again for check. :
```
In these examples you follow the prompts and type the password on standard input. Since `useradd` needs only the encrypted password, whereas `chpasswd` needs the pair of account name and encrypted password, the output format is switched with the `-f` option.

However, I don't think keyboard input can be done repeatedly during container builds. Realistically the script is used to store the encrypted result, so I also added an option (`-o output-file`) to write the output to a file. Detailed usage is shown below.
```shell
% ./passwd_sha512encrypt -h
[Usage]
  % passwd_sha512encrypt [options] [username] [rawpassword]
[Options]
  -o output      : Set outputfile (default: stdout)
  -u username    : Set username
  -p rawpassword : Set destenation
  -f             : Output username:encrupted_password (Default output is encrupted_password only)
  -q             : Skip type-miss check
  -v             : verbose output
  -d             : debug output
  -h             : Show Help (this message)
```
Internally, the script walks the directories listed in the `PATH` environment variable, looking for candidates in the order `openssl` (version 3, then version 2) and then `perl`, checking each directory in turn. For each candidate it determines whether SHA-512 is supported and, if so, runs it.
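Whichever tool the script ends up using (`openssl`, `perl`, ...), the result must be a valid `$6$salt$hash` string, and a build host where the tool silently falls back to a weaker format is exactly the failure the page is working around. The following pure-Python reference implementation of the glibc SHA-crypt (`$6$`) algorithm is an added example, not the author's script or part of it: it computes the hash and includes a `verify` helper you can use to check that the hash produced on any host, by any method, is correct. The known-answer value `"Hello world!"`/`saltstring` comes from the SHA-crypt specification; the other names are my own.

```python
import hashlib
import secrets

# crypt(3) uses its own base64 alphabet, not the RFC 4648 one.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000


def _tile(digest: bytes, length: int) -> bytes:
    """Repeat a 64-byte SHA-512 digest and cut it to exactly `length` bytes."""
    return (digest * (length // 64 + 1))[:length]


def _encode(digest: bytes) -> str:
    """crypt(3) base64 with the byte permutation the SHA-512 variant uses."""
    out = []
    for k in range(21):                      # 21 groups of 3 bytes = 63 bytes
        i, j, m = k, k + 21, k + 42
        b2, b1, b0 = ((digest[i], digest[j], digest[m]),
                      (digest[j], digest[m], digest[i]),
                      (digest[m], digest[i], digest[j]))[k % 3]
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(4):
            out.append(_B64[w & 0x3F])
            w >>= 6
    w = digest[63]                           # the last byte becomes 2 characters
    for _ in range(2):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds: int = _DEFAULT_ROUNDS) -> str:
    """Return the '$6$salt$hash' string for `password` (glibc SHA-crypt algorithm)."""
    salt = salt[:16]                         # crypt(3) keeps at most 16 salt characters
    key, sbytes = password.encode(), salt.encode()
    klen, slen = len(key), len(sbytes)

    # Digest B = H(key || salt || key), mixed into A together with the key-length bits.
    b = hashlib.sha512(key + sbytes + key).digest()
    a = hashlib.sha512(key + sbytes + _tile(b, klen))
    n = klen
    while n:
        a.update(b if n & 1 else key)
        n >>= 1
    a = a.digest()

    # Byte sequences P and S derived from the key and the salt.
    p = _tile(hashlib.sha512(key * klen).digest(), klen)
    s = _tile(hashlib.sha512(sbytes * (16 + a[0])).digest(), slen)

    # The expensive part: `rounds` chained SHA-512 computations.
    c = a
    for i in range(rounds):
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    prefix = "$6$" if rounds == _DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${_encode(c)}"


def new_hash(password: str, rounds: int = _DEFAULT_ROUNDS) -> str:
    """Hash with a fresh random 16-character salt, as a password tool should."""
    salt = "".join(secrets.choice(_B64) for _ in range(16))
    return sha512_crypt(password, salt, rounds)


def verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt/rounds and compare without early exit."""
    fields = stored.split("$")               # ['', '6', ['rounds=N',] salt, hash]
    if len(fields) < 4 or fields[1] != "6":
        return False
    rounds, idx = _DEFAULT_ROUNDS, 2
    if fields[2].startswith("rounds="):
        try:
            rounds = int(fields[2][len("rounds="):])
        except ValueError:
            return False
        idx = 3
    if len(fields) != idx + 2:
        return False
    candidate = sha512_crypt(password, fields[idx], rounds).split("$")[-1]
    return secrets.compare_digest(candidate, fields[-1])


if __name__ == "__main__":
    # Known-answer test from the SHA-crypt specification (Drepper, 2008).
    print(sha512_crypt("Hello world!", "saltstring"))
    h = new_hash("constructed-example-password")   # constructed sample input
    print(h, verify("constructed-example-password", h))
```

`verify` accepts both the plain `$6$salt$hash` form and the `$6$rounds=N$salt$hash` form, so it can be pointed at a line from `/etc/shadow` or at the string a build produced to confirm that the account's password really is what was intended before the image ships.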
If none of them is supported, the script fails. In that case **the output file specified with the `-o` option is not created**, so the behaviour differs from redirecting the script's output with the shell. Because no zero-size file is left behind, I think it is easy to stop the build by making a later step depend on that file with