I want to create a new user with a random password on debian 7 with fabric.
The fabfile looks like this:
import hashlib
import string
import random
def new_user(user):
passwd = random_pass()
passwd_sha512 = "%s" % hashlib.sha512(passwd).hexdigest()
sudo("useradd %s --password %s" % (user, passwd_sha512))
def random_pass(size=30, chars=string.ascii_letters + string.punctuation):
return ''.join(random.choice(chars) for x in range(size))
Whats wrong here? Blocksize? The type of encryption ($6$ for sha512) is also missing in /etc/shadow.
I tried to add it to the parameter with --password $6$%s.
Can someone point me to the right direction?
You might find the crypt module better suited to calculating the encrypted password.
your password might contain "weird" characters, that will make the actual cmd-string not what you expect. you might have more success using subprocess.call (with string-arrays) rather than a single string.
import subprocess
subprocess.call(['sudo',
'useradd',
'--password', passwd_sha512,
user])
Related
i need to repeat a cmd which always generated a new random string, after that i need to make sure that this specific string has not been generated before. I never did while loops before and im not able to figure out how to repate the cmd until a result has been found which is not already part of the database. I can't be to specific as this source is closed
all this is packed into a celery task
tasks.py
#app.task
def allocate_new_string(user_pk):
user = User.objects.get(pk=user_pk)
new_string = subprocess.Popen("$get_new_string_cmd", shell=True, stdout=subprocess.PIPE).communicate()[
0].decode('utf-8').strip()
try:
while True:
if Used_String.objects.filter(string=new_string, atom=0).exists():
new_string << how to repeat the command from above here until a new random string has been found?
else:
used_string = Used_String.objects.create(user=user, string=new_string, atom=0)
used_string.save()
logger.info(str("New String has been set)
except:
logger.info(str("Something went wrong while processing the task"))
The function i want to have here is: Search for a none existing sting until one has found that has never been generated before or is at least not part of the database.
the cmd im using isn't openSSL or something like that and it's quite likly that i hit two times the same random generated string.
Thanks in advance
Slight change.
#app.task
def allocate_new_string(user_pk):
user = User.objects.get(pk=user_pk)
try:
Found = True
while Found:
new_string = subprocess.Popen("$get_new_string_cmd", shell=True, stdout=subprocess.PIPE).communicate()[
0].decode('utf-8').strip()
if Used_String.objects.filter(string=new_string, atom=0).exists():
Found = True
else:
used_string = Used_String.objects.create(user=user, string=new_string, atom=0)
used_string.save()
logger.info(str("New String has been set"))
Found = False
except:
logger.info(str("Something went wrong while processing the task"))
I have not tested it but should work. Please try it out and let me know.
I am using below code for encrypting password.
from passlib.context import CryptContext
pwd_context = CryptContext(
schemes=["pbkdf2_sha256"],
default="pbkdf2_sha256",
pbkdf2_sha256__default_rounds=30000
)
def encrypt_password(password):
return pwd_context.encrypt(password)
def check_encrypted_password(password, hashed):
return pwd_context.verify(password, hashed)
When I call encrypt_password('password') function it will encrypt my password into hash value and give me output as follow..
'$pbkdf2-sha256$30000$X6vVGgNgzFmrlVIq5RyjVA$VGQ5x.yuabpdNMDMNc1S3/umqXMl3605DyjJ/lgXAM0'
The output of encypted password hashed value is too long value. I want to get output in fixed sized like "30 characters or 40 characters". How to get fix sized output.? Can anyone help me to understand this.
Thank You !
I have a school assignment which consists of me having to crack a unix password file, the passwords were created using SHA-512,
I'm using python3, to write my password cracking script, which goes through a password file, adds the salt and compares each password until the hash is found.
Here is my code:
#!/usr/bin/env python3
import crypt
passFile = open('passwords.txt', 'r')
salt_MD5 = []
hash_MD5 = []
salt_SHA512 = []
hash_SHA512 = []
for line in passFile:
if "$6$" in line:
temp1 = line.split(":")
temp1 = temp1[1]
salt_SHA512.append(temp1[:11])
hash_SHA512.append(temp1)
if "$1$" in line:
temp1 = line.split(":")
temp1 = temp1[1]
salt_MD5.append(temp1[:11])
hash_MD5.append(temp1)
print(salt_MD5, hash_MD5)
print(salt_SHA512, hash_SHA512)
crackStation = open('1000000passwords.txt', 'r')
print("Searching for the password...")
counter = 0
for index in crackStation:
counter += 1
hashed_value_1 = crypt.crypt(index, salt_MD5[0])
hashed_value_2 = crypt.crypt(index, salt_MD5[1])
hashed_value512_1 = crypt.crypt(index, salt_SHA512[0])
hashed_value512_2 = crypt.crypt(index, salt_SHA512[1])
if counter % 50000 == 0:
print("Counter is at: " + str(counter) + " Left to iterate = " + str(1000000-counter))
# if hashed_value_1 == hash_MD5[0]:
# password_1 = index
# print("User one has been cracked password is: " + password_1)
# if hashed_value_2 == hash_MD5[1]:
# password_2 = index
# print("User two has been cracked password is: " + password_2)
if hashed_value512_1 == hash_SHA512[0]:
password_3 = index
print("User one has been cracked using password: " + password_3)
if hashed_value512_2 == hash_SHA512[1]:
password_4 = index
print("User one has been cracked using password: " + password_4)
print("Search Complete.")
try:
print(password_1, password_2, password_3, password_4)
except Exception as e:
print("Oh shit something went wrong :s" + e)
Please disregard the MD5, salt and hash, as that I will deal with later (professor claimed that some of the passwords in the file would be crackable and a fellow student confirmed that he was able to crack both the SHA-512 passwords therefore I commented the MD5 out for the sake of speed)
I'm curious to see WHAT type of encoding I should be using to read from the password file, So far I've tried 'mac_roman', to iterate through the dictionary file, and now I just didn't set an encoding, I'm assuming the default should be UTF-8, but I honestly don't know how to check to confirm.
If anyone has any suggestions on what I can do to get this working I'd really appreciate it!
(I'm attempting the default encoding right now, by not initializing one
crackStation = open('1000000passwords.txt', 'r')
)
If in the case that, that does in fact work I will let you know!
Additonal question:
Could someone tell me what the encoding would be for this password file,
adamkaplan:$6$S4Y0gQuy$QRkLo5t/6KONMAiQY9DIAPojv0Q8CBvDtNqe02sfR7rnEdw.QgSm0LU/JRcIc/Arn/PpK3lxroc19bVQDwUGQ/:17786:0:99999:7:::
cardib:$6$t84.Fvbo$8lKHpxBDnjoHhnFS3.A4ezNZmKfy5MLbe7UGZoOnWgz55j0g5TBx5LOQAujDiqkUuE50EACOZsydlBZgy5jkw/:17786:0:99999:7:::
the password hash isn't BASE64, and the reason I'm asking is because when I use different encodings within a dictionary file each encoding gives a different hash, so that's what is throwing me off, the fact that if I use UTF-8, I will receive a different hash verses latin-1
So what encoding would linux password file be using by default.
If I create a new linux account through the terminal and set a password and go back inside my password file I will have a newly made hash for that new usernames password, and the encoding that was used within that hashing algorithm is what I Would need, or atleast that's what I image would need in order to crack the password.
Hope that isn't too confusing :s
I'm curious to see WHAT type of encoding I should be using to read from the password file
You should be using the encoding that the file is encoded in.
Unfortunately, it is impossible in general to tell the encoding of a file from just the file, you need some additional out-of-band information such as a header in the file telling you the encoding, the transmission format telling you the encoding … or just asking the author of the file.
However, since the passwords in the encrypted database are most likely treated as octet streams, it might make sense to treat the password dictionary the same way.
I honestly don't know how to check to confirm.
Use iconv. It'll fail when trying to convert a file containing malformed characters.
Here are some test files:
printf 'ascii only\n' > ascii_only.txt
printf 'utf-8 \342\230\272\n' > utf8.txt
printf 'latin1. pi\361ata.\n' > latin1.txt
Here are some examples:
$ iconv -f utf-8 -t utf-8 < utf8.txt > /dev/null && echo "ok"
ok
$ iconv -f ascii -t utf-8 < utf8.txt > /dev/null && echo "ok"
iconv: illegal input sequence at position 6
$ iconv -f utf-8 -t utf-8 < latin1.txt > /dev/null && echo "ok"
iconv: illegal input sequence at position 10
You can try ASCII, UTF-8 and Latin1 (in that order), and use whichever encoding iconv accepts first.
Even if this wasn't a school assignment, you could realistically expect most passwords to be ASCII.
The solution that worked out for me, the reason I wasn't able to crack the passwords were because I failed to strip the new lines from the dictionary words,
simply doing a
line = line.rstrip()
solved my problem, I didn't need to do any type of encoding or anything to have the file work.
This question already has answers here:
Getting a hidden password input
(6 answers)
Closed 7 months ago.
I have been trying to make a secure login on a python program I've been working on, but everything I try doesn't seem to help. I need a snippet of code that I can put in my script. My main issue is that anyone who looks at my script can just see the password. Plus I don't know how to put stars instead of characters when they type in password. This is my login code, it is very basic because I'm pretty much a beginner.
#login
import webbrowser as w
def username():
print("Enter UserName")
usrnm = input()
if(usrnm == "example"):
password()
else:
notusername()
def notusername():
print("Try Again")
username()
def password():
print("Enter Password")
pswrd = input()
if(pswrd == "password"):
w.open("www.example.net")
else:
notusername()
username()
First, let me preface this by saying that, especially if you're a beginner, it is usually not a good idea to try to implement your own login/security code for anything that is public and seriously needs security.
Having said that, the general approach to hiding the actual password is to store a hash (e.g. SHA-1) of the password, not the password itself. You can then safely store that hash value wherever you like (e.g. database, text file etc.)
In python you can do this using something like hashlib e.g.
import hashlib
sh = hashlib.sha1()
sh.update('password')
hash_value = sh.hexdigest()
# write hash_value to file/db...
When you go to validate against the stored password, you take the hash of the user input and compare it against the stored hash. If they are the same, then the password is correct.
Again, for any serious security, use one of the many frameworks that are available, as they have been tested by many people.
You Should try this code
list1 = ('Password is Correct...' , 'Password is Incorrect' , 'Closing Python...','Hello',
'''Press Enter to Continue...''', 'Closing Python...' , 'badger123',
'''Please Enter Your Name: ''', 'Please Enter Your Password: ')
name = input(list1[7])
password = input(list1[8])
if password == list1[6]:
print(list1[0])
else:
print(list1[1])
exit()
import time
time.sleep(0)
input(list1[4])
time.sleep(0)
print (list1[3] , name)
import time
time.sleep(1)
print (list1[5])
import time
time.sleep(5)
input (list1[4])
exit()
I'm looking for a python library that will help me to create an authentication method for a desktop app I'm writing.
I have found several method in web framework such as django or turbogears.
I just want a kind of username-password association stored into a local file.
I can write it by myself, but I'm really it already exists and will be a better solution (I'm not very fluent with encryption).
dbr said:
def hash_password(password):
"""Returns the hashed version of a string
"""
return hasher.new( str(password) ).hexdigest()
This is a really insecure way to hash passwords. You don't want to do this. If you want to know why read the Bycrypt Paper by the guys who did the password hashing system for OpenBSD. Additionally if want a good discussion on how passwords are broken check out this interview with the author of Jack the Ripper (the popular unix password cracker).
Now B-Crypt is great but I have to admit I don't use this system because I didn't have the EKS-Blowfish algorithm available and did not want to implement it my self. I use a slightly updated version of the FreeBSD system which I will post below. The gist is this. Don't just hash the password. Salt the password then hash the password and repeat 10,000 or so times.
If that didn't make sense here is the code:
#note I am using the Python Cryptography Toolkit
from Crypto.Hash import SHA256
HASH_REPS = 50000
def __saltedhash(string, salt):
sha256 = SHA256.new()
sha256.update(string)
sha256.update(salt)
for x in xrange(HASH_REPS):
sha256.update(sha256.digest())
if x % 10: sha256.update(salt)
return sha256
def saltedhash_bin(string, salt):
"""returns the hash in binary format"""
return __saltedhash(string, salt).digest()
def saltedhash_hex(string, salt):
"""returns the hash in hex format"""
return __saltedhash(string, salt).hexdigest()
For deploying a system like this the key thing to consider is the HASH_REPS constant. This is the scalable cost factor in this system. You will need to do testing to determine what is the exceptable amount of time you want to wait for each hash to be computed versus the risk of an offline dictionary based attack on your password file.
Security is hard, and the method I present is not the best way to do this, but it is significantly better than a simple hash. Additionally it is dead simple to implement. So even you don't choose a more complex solution this isn't the worst out there.
hope this helps,
Tim
I think you should make your own authentication method as you can make it fit your application best but use a library for encryption, such as pycrypto or some other more lightweight library.
btw, if you need windows binaries for pycrypto you can get them here
Treat the following as pseudo-code..
try:
from hashlib import sha as hasher
except ImportError:
# You could probably exclude the try/except bit,
# but older Python distros dont have hashlib.
try:
import sha as hasher
except ImportError:
import md5 as hasher
def hash_password(password):
"""Returns the hashed version of a string
"""
return hasher.new( str(password) ).hexdigest()
def load_auth_file(path):
"""Loads a comma-seperated file.
Important: make sure the username
doesn't contain any commas!
"""
# Open the file, or return an empty auth list.
try:
f = open(path)
except IOError:
print "Warning: auth file not found"
return {}
ret = {}
for line in f.readlines():
split_line = line.split(",")
if len(split_line) > 2:
print "Warning: Malformed line:"
print split_line
continue # skip it..
else:
username, password = split_line
ret[username] = password
#end if
#end for
return ret
def main():
auth_file = "/home/blah/.myauth.txt"
u = raw_input("Username:")
p = raw_input("Password:") # getpass is probably better..
if auth_file.has_key(u.strip()):
if auth_file[u] == hash_password(p):
# The hash matches the stored one
print "Welcome, sir!"
Instead of using a comma-separated file, I would recommend using SQLite3 (which could be used for other settings and such.
Also, remember that this isn't very secure - if the application is local, evil users could probably just replace the ~/.myauth.txt file.. Local application auth is difficult to do well. You'll have to encrypt any data it reads using the users password, and generally be very careful.
If you want simple, then use a dictionary where the keys are the usernames and the values are the passwords (encrypted with something like SHA256). Pickle it to/from disk (as this is a desktop application, I'm assuming the overhead of keeping it in memory will be negligible).
For example:
import pickle
import hashlib
# Load from disk
pwd_file = "mypasswords"
if os.path.exists(pwd_file):
pwds = pickle.load(open(pwd_file, "rb"))
else:
pwds = {}
# Save to disk
pickle.dump(pwds, open(pwd_file, "wb"))
# Add password
pwds[username] = hashlib.sha256(password).hexdigest()
# Check password
if pwds[username] = hashlib.sha256(password).hexdigest():
print "Good"
else:
print "No match"
Note that this stores the passwords as a hash - so they are essentially unrecoverable. If you lose your password, you'd get allocated a new one, not get the old one back.
import hashlib
import random
def gen_salt():
salt_seed = str(random.getrandbits(128))
salt = hashlib.sha256(salt_seed).hexdigest()
return salt
def hash_password(password, salt):
h = hashlib.sha256()
h.update(salt)
h.update(password)
return h.hexdigest()
#in datastore
password_stored_hash = "41e2282a9c18a6c051a0636d369ad2d4727f8c70f7ddeebd11e6f49d9e6ba13c"
salt_stored = "fcc64c0c2bc30156f79c9bdcabfadcd71030775823cb993f11a4e6b01f9632c3"
password_supplied = 'password'
password_supplied_hash = hash_password(password_supplied, salt_stored)
authenticated = (password_supplied_hash == password_stored_hash)
print authenticated #True
see also gae-authenticate-to-a-3rd-party-site
Use " md5 " it's much better than base64
>>> import md5
>>> hh = md5.new()
>>> hh.update('anoop')
>>> hh.digest
<built-in method digest of _hashlib.HASH object at 0x01FE1E40>