How to calculate bcrypt hash outside pfSense

FreeMinded · Apr 25, 2016, 7:55 AM

Hi all

For a deployment scenario I would like to calculate the bcrypt hash of a user password outside pfSense and then upload it with the config.xml file. However I seem to miss some information like the salt and the number of rounds in order to calculate the hash correctly.

How is this done in pfSense? Where do I get the salt from?

Thanks in advance for any hints leading to a solution.

Derelict · Aug 3, 2018, 6:03 AM

It looks like it just uses php's password_hash($password, PASSWORD_BCRYPT);

Then it tweaks the [2] character for FreeBSD compatibility reasons.


function local_user_set_password(&$user, $password) {

        unset($user['password']);
        unset($user['md5-hash']);
        $user['bcrypt-hash'] = password_hash($password, PASSWORD_BCRYPT);

        /* Maintain compatibility with FreeBSD - change $2y$ prefix to $2b$
         * https://reviews.freebsd.org/D2742
         * XXX: Can be removed as soon as r284483 is MFC'd.
         */
        if ($user['bcrypt-hash'][2] == "y") {
                $user['bcrypt-hash'][2] = "b";
        }

        // Converts ascii to unicode.
        $astr = (string) $password;
        $ustr = '';
        for ($i = 0; $i < strlen($astr); $i++) {
                $a = ord($astr{$i}) << 8;
                $ustr .= sprintf("%X", $a);
        }

}

(I don't see what ustr is ever used for. :/)

FreeMinded · May 5, 2016, 12:04 PM

Thanks Derelict! That helped and it works now! :)

luckman212 · Aug 3, 2018, 6:03 AM

@derelict I think you're right, it doesn't seem like astr or ustr are used for anything. I created PR#3969 to remove that bit, as well as the 2y=>2bhash mangling that also shouldn't be needed anymore since FreeBSD 11.0.

leo_pfsense · Jan 15, 2020, 1:34 PM

Hello everybody! Thanks in advance for the information related, I'm making a bash script to import users from a CSV to pfSense's XML backup.

I'm using the following program to generate the hash:

htpasswd -bnBC 12 "" mypassword | tr -d ':\n'

It works fine, quite secure, but maybe potentialy slow. So, my question is about the "12" on the line above. This is the number of rounds in order to calculate the hash. I didn't understand how many is the number of rounds who PHP's password_hash function uses on pfSense.

Anyone can you help me?

Best regards

luckman212 · Jan 15, 2020, 4:11 PM

@leo_pfsense seems like the default of 10 is used, since cost is undefined in the $options array.

references:
https://www.php.net/manual/en/function.password-hash.php
https://www.php.net/manual/en/password.constants.php

e.g. generate hash in php using cost=12

# php -a
php > $opts = [ 'cost' => 12 ];
php > echo password_hash('FooBarBaz', PASSWORD_BCRYPT, $opts);
$2y$10$vcuDzBPO8I0uT6ZvG2c/heoE4LM../gDsciry/02wT08q8eymh9tm

verify password

# php -a
php > $hash = '$2y$10$vcuDzBPO8I0uT6ZvG2c/heoE4LM../gDsciry/02wT08q8eymh9tm';
php > if (password_verify('FooBarBaz', $hash)) { echo "valid"; } else { echo "invalid"; }
valid

stephenw10 · Jan 15, 2020, 4:15 PM

Just how many users are you importing? You might find you git other issues if it's large number. You probably will if it's an HA pair. Consider authenticating against an external source if so.

Steve

leo_pfsense · Jan 16, 2020, 1:41 PM

Hello @luckman212 @stephenw10 , thanks for your attention!

@luckman212 , ok, I undestood, very clear your explanation, thanks again

@stephenw10 , Few users, ~160 a time. My concern isn't about the slowly not on the importing process, but slowly on the verification made by pfSense when the user posts username and password. My scenario is Local Database + Captive Portal. I thought that if I create, by my script, users with a bcrypt with 12 rounds, and pfSense, by default, uses 10, the autentication will be more slowly... But I think this won't happen, right?

conor · Jan 16, 2020, 2:27 PM

@leo_pfsense

I used a separate radius server to auth against, very easy to set up in pfSense and allows me to have a central point to change user passwords, create/block them etc. Means less admin for setting up new users etc. Depending on your wifi hardware you probably can integrate that too into the radius server auth process.

stephenw10 · Jan 16, 2020, 3:44 PM

@leo_pfsense said in How to calculate bcrypt hash outside pfSense:

Few users, ~160 a time.

How many total?

160 will cause issues in an HA setup. If it's much more than that you will see problems in various pages in the gui on a single node. Definitely consider authenticating against a dedicated auth server.

Steve

leo_pfsense · Jan 17, 2020, 2:14 PM

Hello, @stephenw10 , ~160 is the amount of users to be inserted on "pfSense's backup XML" by my script. After, I upload this XML to pfSense. In this case, I think is simple and doesn't give issues, what do you think?

@stephenw10 @conor , you are right. I gonna study this implementation.

stephenw10 · Jan 17, 2020, 2:37 PM

I think test it and see. As long as you're not running HA trying to sync users between boxes it should be OK.
Some pages will be slower. With that many users it's certainly worth looking at external authentication.

Steve

leo_pfsense · Jan 17, 2020, 3:18 PM

Ok, thank you!