How to calculate bcrypt hash outside pfSense
-
It looks like it just uses php's password_hash($password, PASSWORD_BCRYPT);
Then it tweaks the [2] character for FreeBSD compatibility reasons.
function local_user_set_password(&$user, $password) { unset($user['password']); unset($user['md5-hash']); $user['bcrypt-hash'] = password_hash($password, PASSWORD_BCRYPT); /* Maintain compatibility with FreeBSD - change $2y$ prefix to $2b$ * https://reviews.freebsd.org/D2742 * XXX: Can be removed as soon as r284483 is MFC'd. */ if ($user['bcrypt-hash'][2] == "y") { $user['bcrypt-hash'][2] = "b"; } // Converts ascii to unicode. $astr = (string) $password; $ustr = ''; for ($i = 0; $i < strlen($astr); $i++) { $a = ord($astr{$i}) << 8; $ustr .= sprintf("%X", $a); } }(I don't see what ustr is ever used for. :/)
Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM) -
Thanks Derelict! That helped and it works now! :)
-
-
Hello everybody! Thanks in advance for the information related, I'm making a bash script to import users from a CSV to pfSense's XML backup.
I'm using the following program to generate the hash:
htpasswd -bnBC 12 "" mypassword | tr -d ':\n'
It works fine, quite secure, but maybe potentialy slow. So, my question is about the "12" on the line above. This is the number of rounds in order to calculate the hash. I didn't understand how many is the number of rounds who PHP's password_hash function uses on pfSense.
Anyone can you help me?
Best regards
-
@leo_pfsense seems like the default of 10 is used, since
costis undefined in the$optionsarray.references:
https://www.php.net/manual/en/function.password-hash.php
https://www.php.net/manual/en/password.constants.phpe.g. generate hash in php using cost=12
# php -a php > $opts = [ 'cost' => 12 ]; php > echo password_hash('FooBarBaz', PASSWORD_BCRYPT, $opts); $2y$10$vcuDzBPO8I0uT6ZvG2c/heoE4LM../gDsciry/02wT08q8eymh9tmverify password
# php -a php > $hash = '$2y$10$vcuDzBPO8I0uT6ZvG2c/heoE4LM../gDsciry/02wT08q8eymh9tm'; php > if (password_verify('FooBarBaz', $hash)) { echo "valid"; } else { echo "invalid"; } valid -
Just how many users are you importing? You might find you git other issues if it's large number. You probably will if it's an HA pair. Consider authenticating against an external source if so.
Steve
-
Hello @luckman212 @stephenw10 , thanks for your attention!
@luckman212 , ok, I undestood, very clear your explanation, thanks again
@stephenw10 , Few users, ~160 a time. My concern isn't about the slowly not on the importing process, but slowly on the verification made by pfSense when the user posts username and password. My scenario is Local Database + Captive Portal. I thought that if I create, by my script, users with a bcrypt with 12 rounds, and pfSense, by default, uses 10, the autentication will be more slowly... But I think this won't happen, right?
-
I used a separate radius server to auth against, very easy to set up in pfSense and allows me to have a central point to change user passwords, create/block them etc. Means less admin for setting up new users etc. Depending on your wifi hardware you probably can integrate that too into the radius server auth process.
-
@leo_pfsense said in How to calculate bcrypt hash outside pfSense:
Few users, ~160 a time.
How many total?
160 will cause issues in an HA setup. If it's much more than that you will see problems in various pages in the gui on a single node. Definitely consider authenticating against a dedicated auth server.
Steve
-
Hello, @stephenw10 , ~160 is the amount of users to be inserted on "pfSense's backup XML" by my script. After, I upload this XML to pfSense. In this case, I think is simple and doesn't give issues, what do you think?
@stephenw10 @conor , you are right. I gonna study this implementation.
-
I think test it and see. As long as you're not running HA trying to sync users between boxes it should be OK.
Some pages will be slower. With that many users it's certainly worth looking at external authentication.Steve
-
Ok, thank you!
