How to calculate bcrypt hash outside pfSense



  • Hi all

    For a deployment scenario I would like to calculate the bcrypt hash of a user password outside pfSense and then upload it with the config.xml file. However, I seem to be missing some information, like the salt and the number of rounds, in order to calculate the hash correctly.

    How is this done in pfSense? Where do I get the salt from?

    Thanks in advance for any hints leading to a solution.


  • Netgate

    It looks like it just uses PHP's password_hash($password, PASSWORD_BCRYPT);

    Then it tweaks the [2] character for FreeBSD compatibility reasons.

    
    function local_user_set_password(&$user, $password) {
    
            unset($user['password']);
            unset($user['md5-hash']);
            $user['bcrypt-hash'] = password_hash($password, PASSWORD_BCRYPT);
    
            /* Maintain compatibility with FreeBSD - change $2y$ prefix to $2b$
             * https://reviews.freebsd.org/D2742
             * XXX: Can be removed as soon as r284483 is MFC'd.
             */
            if ($user['bcrypt-hash'][2] == "y") {
                    $user['bcrypt-hash'][2] = "b";
            }
    
            // Converts ascii to unicode.
            $astr = (string) $password;
            $ustr = '';
            for ($i = 0; $i < strlen($astr); $i++) {
                    $a = ord($astr[$i]) << 8;
                    $ustr .= sprintf("%X", $a);
            }
    
    }
    
    

    (I don't see what ustr is ever used for. :/)
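
Added example, not part of the original posts and not pfSense's own code: a stand-alone PHP CLI script that produces a hash the same way as the quoted function and splits it into its fields, showing that the cost and the random salt are stored inside the hash string itself. The function names are hypothetical, and the 22/31 character split is the standard bcrypt string layout.

```php
<?php
// Added example, not pfSense code. All function names here are hypothetical.

// Hash a password as the quoted local_user_set_password() does:
// bcrypt via password_hash(), then rewrite the "$2y$" prefix to "$2b$".
function pfsense_style_bcrypt(string $password, ?int $cost = null): string {
    $options = $cost === null ? [] : ['cost' => $cost];
    $hash = password_hash($password, PASSWORD_BCRYPT, $options);
    if ($hash[2] === 'y') {
        $hash[2] = 'b';
    }
    return $hash;
}

// Split a bcrypt string: $<variant>$<cost>$<22-char salt><31-char digest>
function parse_bcrypt(string $hash): array {
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Check a password against a "$2b$" hash. The prefix is switched back to "$2y$"
// first, so the check does not depend on the local PHP build accepting "$2b$".
function verify_pfsense_bcrypt(string $password, string $hash): bool {
    if (strncmp($hash, '$2b$', 4) === 0) {
        $hash[2] = 'y';
    }
    return password_verify($password, $hash);
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    // Read from stdin so the password stays out of shell history and the process list.
    $password = rtrim((string) fgets(STDIN), "\r\n");
    if ($password === '') { fwrite(STDERR, "empty password\n"); exit(1); }
    $hash = pfsense_style_bcrypt($password);
    $f = parse_bcrypt($hash);
    fwrite(STDERR, "variant={$f['variant']} cost={$f['cost']} salt={$f['salt']}\n");
    if (!verify_pfsense_bcrypt($password, $hash)) { fwrite(STDERR, "self-check failed\n"); exit(1); }
    echo $hash, "\n"; // only the hash goes to stdout
}
```

The script reads the password from stdin and prints only the hash on stdout, so it can be captured by a deployment script; bcrypt uses at most the first 72 bytes of the password.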



  • Thanks Derelict! That helped and it works now! :)



    @derelict I think you're right, it doesn't seem like astr or ustr are used for anything. I created PR#3969 to remove that bit, as well as the 2y=>2b hash mangling that also shouldn't be needed anymore since FreeBSD 11.0.


 
