How to calculate bcrypt hash outside pfSense

luckman212

@derelict I think you're right, it doesn't seem like astr or ustr are used for anything. I created PR#3969 to remove that bit, as well as the 2y=>2bhash mangling that also shouldn't be needed anymore since FreeBSD 11.0.

leo_pfsense

Hello everybody! Thanks in advance for the information related, I'm making a bash script to import users from a CSV to pfSense's XML backup.

I'm using the following program to generate the hash:

htpasswd -bnBC 12 "" mypassword | tr -d ':\n'

It works fine, quite secure, but maybe potentialy slow. So, my question is about the "12" on the line above. This is the number of rounds in order to calculate the hash. I didn't understand how many is the number of rounds who PHP's password_hash function uses on pfSense.

Anyone can you help me?

Best regards

luckman212

@leo_pfsense seems like the default of 10 is used, since cost is undefined in the $options array.

references:
https://www.php.net/manual/en/function.password-hash.php
https://www.php.net/manual/en/password.constants.php

e.g. generate hash in php using cost=12

# php -a
php > $opts = [ 'cost' => 12 ];
php > echo password_hash('FooBarBaz', PASSWORD_BCRYPT, $opts);
$2y$10$vcuDzBPO8I0uT6ZvG2c/heoE4LM../gDsciry/02wT08q8eymh9tm

verify password

# php -a
php > $hash = '$2y$10$vcuDzBPO8I0uT6ZvG2c/heoE4LM../gDsciry/02wT08q8eymh9tm';
php > if (password_verify('FooBarBaz', $hash)) { echo "valid"; } else { echo "invalid"; }
valid

stephenw10

Just how many users are you importing? You might find you git other issues if it's large number. You probably will if it's an HA pair. Consider authenticating against an external source if so.

Steve

leo_pfsense

Hello @luckman212 @stephenw10 , thanks for your attention!

@luckman212 , ok, I undestood, very clear your explanation, thanks again

@stephenw10 , Few users, ~160 a time. My concern isn't about the slowly not on the importing process, but slowly on the verification made by pfSense when the user posts username and password. My scenario is Local Database + Captive Portal. I thought that if I create, by my script, users with a bcrypt with 12 rounds, and pfSense, by default, uses 10, the autentication will be more slowly... But I think this won't happen, right?

conor

@leo_pfsense

I used a separate radius server to auth against, very easy to set up in pfSense and allows me to have a central point to change user passwords, create/block them etc. Means less admin for setting up new users etc. Depending on your wifi hardware you probably can integrate that too into the radius server auth process.

stephenw10

@leo_pfsense said in How to calculate bcrypt hash outside pfSense:

Few users, ~160 a time.

How many total?

160 will cause issues in an HA setup. If it's much more than that you will see problems in various pages in the gui on a single node. Definitely consider authenticating against a dedicated auth server.

Steve

leo_pfsense

Hello, @stephenw10 , ~160 is the amount of users to be inserted on "pfSense's backup XML" by my script. After, I upload this XML to pfSense. In this case, I think is simple and doesn't give issues, what do you think?

@stephenw10 @conor , you are right. I gonna study this implementation.

stephenw10

I think test it and see. As long as you're not running HA trying to sync users between boxes it should be OK.
Some pages will be slower. With that many users it's certainly worth looking at external authentication.

Steve

leo_pfsense

Ok, thank you!