How to calculate bcrypt hash outside pfSense

  • Hi all

    For a deployment scenario I would like to calculate the bcrypt hash of a user password outside pfSense and then upload it with the config.xml file. However I seem to miss some information like the salt and the number of rounds in order to calculate the hash correctly.

    How is this done in pfSense? Where do I get the salt from?

    Thanks in advance for any hints leading to a solution.

  • LAYER 8 Netgate

    It looks like it just uses php's password_hash($password, PASSWORD_BCRYPT);

    Then it tweaks the [2] character for FreeBSD compatibility reasons.

    function local_user_set_password(&$user, $password) {
            $user['bcrypt-hash'] = password_hash($password, PASSWORD_BCRYPT);
            /* Maintain compatibility with FreeBSD - change $2y$ prefix to $2b$
             * XXX: Can be removed as soon as r284483 is MFC'd.
             */
            if ($user['bcrypt-hash'][2] == "y") {
                    $user['bcrypt-hash'][2] = "b";
            }
            // Converts ascii to unicode.
            $astr = (string) $password;
            $ustr = '';
            for ($i = 0; $i < strlen($astr); $i++) {
                    $a = ord($astr{$i}) << 8;
                    $ustr .= sprintf("%X", $a);
            }
    }

    (I don't see what ustr is ever used for. :/)

  • Thanks Derelict! That helped and it works now! :)

  • @derelict I think you're right, it doesn't seem like astr or ustr are used for anything. I created PR#3969 to remove that bit, as well as the 2y=>2b hash mangling that also shouldn't be needed anymore since FreeBSD 11.0.
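
An added example, not part of the thread and not pfSense's own code: a PHP CLI script that produces the hash on a workstation the same way the quoted function does, and shows that the salt and cost are carried inside the hash string itself. The function names, the stdin prompt and the `<bcrypt-hash>` element name (taken from the array key in the quoted code) are assumptions.

```php
<?php
// Added example (not pfSense code): create a bcrypt hash outside pfSense.
// The password is read from stdin so it never appears in argv or shell history.

function make_bcrypt_hash(string $password, bool $freebsd_prefix = false): string {
    // password_hash() generates a random salt and embeds it, together with
    // the cost, in the result: $2y$<cost>$<22-char salt><31-char digest>
    $hash = password_hash($password, PASSWORD_BCRYPT);
    if (!is_string($hash) || !password_verify($password, $hash)) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    // Same prefix rewrite as the function quoted in the thread; per the
    // thread it should not be needed on FreeBSD 11.0 and later.
    if ($freebsd_prefix && $hash[2] === 'y') {
        $hash[2] = 'b';
    }
    return $hash;
}

function describe_bcrypt_hash(string $hash): array {
    // Split the modular-crypt string to show where the cost and salt live.
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3]];
}

fwrite(STDERR, "Password: ");
$line = fgets(STDIN);
if ($line === false) {
    fwrite(STDERR, "no input\n");
    exit(1);
}
$password = rtrim($line, "\r\n");

$hash = make_bcrypt_hash($password);
$info = describe_bcrypt_hash($hash);
fwrite(STDERR, sprintf("variant=%s cost=%d salt=%s\n",
    $info['variant'], $info['cost'], $info['salt']));

// Element name assumed from the $user['bcrypt-hash'] key in the quoted code.
echo '<bcrypt-hash>' . htmlspecialchars($hash, ENT_XML1) . "</bcrypt-hash>\n";
```

Each run yields a different string for the same password because the salt is random; any of them verifies, since the verifier reads the salt and cost back out of the stored hash.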
