In modern Linux, the passwords stored in `/etc/shadow` and similar files are encrypted (hashed) with SHA-512. When creating a regular user inside a container from a Dockerfile, for example, you want to avoid putting the plaintext password in the file and instead write something like:
```dockerfile
RUN useradd -p 'encrypted_password' accountname
```

or

```dockerfile
RUN echo 'accountname:encrypted_password' | chpasswd -e
```
I want to set the password in this way. In that case the password has to be encrypted with SHA-512 in advance, and several methods for doing so are described in the following:

- Generate SHA512 PASSWORD with OpenSSL
- [To generate a password with salt hashed with sha512](http://april.fool.jp/blogs/2013/09/07/sha512%E3%81%A7%E3%83%8F%E3%83%83%E3%82%B7%E3%83%A5%E3%81%95%E3%82%8C%E3%81%9Fsalt%E3%81%A4%E3%81%8D%E3%83%91%E3%82%B9%E3%83%AF%E3%83%BC%E3%83%89%E3%82%92%E7%94%9F%E6%88%90%E3%81%99%E3%82%8B%E3%81%AB/)
- How to create a SHA-512 hash password for shadows?
However, **which of these methods actually works depends heavily on the execution environment.** For example, depending on the version of macOS on the host, the `crypt` function of Python or Perl does not support SHA-512; `openssl` and `htpasswd` support it in newer versions, but the standard ones on CentOS 7 apparently do not, so the method has to be chosen case by case. Since it is not practical to find and change the method by hand for every environment the image is built in, I wrote a script that tries several methods one after another. The script is stored at the following location.
The following usage is assumed.
Initial password setting example

```console
# useradd -p "$(./passwd_sha512encrypt -u worker)" worker
Enter password for worker:
Enter password again for check. :
```

Setting example for an already created account

```console
# ./passwd_sha512encrypt -f -u worker | chpasswd -e
Enter password for worker:
Enter password again for check. :
```
In these examples you type the password at the prompts on standard input. Because `useradd` needs only the encrypted password, while `chpasswd` needs the account name and the encrypted password as a pair, the output format is switched with the `-f` option.
However, you cannot expect to type at the keyboard repeatedly during a container build, so the realistic use is to generate the encrypted password beforehand and store it. For that purpose I also added an optional argument (`-o output-file`) to write the output to a file. Detailed usage is below.
Help display

```console
% ./passwd_sha512encrypt -h
[Usage] % passwd_sha512encrypt [options] [username] [rawpassword]
[Options]
  -o output      : Set outputfile (default: stdout)
  -u username    : Set username
  -p rawpassword : Set destenation
  -f             : Output username:encrupted_password
                   (Default output is encrupted_password only)
  -q             : Skip type-miss check
  -v             : verbose output
  -d             : debug output
  -h             : Show Help (this message)
```
Internally, the script searches the directories listed in the environment variable `PATH` for `openssl`, `htpasswd`, `php`, `python` (version 3, then version 2) and `perl`, in that order, going through the directories one by one for each. For each candidate it determines whether SHA-512 is supported and, if so, runs it.
If none of them is supported, the script fails. In that case **the output file specified with the `-o` option is not created**, which is different from redirecting the script's output with the shell: since no zero-byte file is left behind, it is easy to stop the build by making a Makefile rule depend on that file.
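As an added illustration of the fallback chain described above, the following POSIX shell script is example code written for this page, not the author's `passwd_sha512encrypt` script. It probes `openssl passwd -6`, the Python 3 `crypt` module and Perl's `crypt` in turn, accepts a result only if it has the `$6$salt$hash` shape of a sha512-crypt string (so a tool that silently falls back to DES is rejected), and creates the output file only on success, so a failed run leaves no empty file behind. The `htpasswd` and PHP paths of the original are omitted, the function names are mine, and each tool receives the password on standard input rather than as a command-line argument so that it does not show up in process listings.

```shell
#!/bin/sh
# Example fallback chain for producing a sha512-crypt password hash.
# Not the original passwd_sha512encrypt script; function names are hypothetical.

# is_sha512_hash STRING -> 0 if STRING looks like "$6$salt$hash".
is_sha512_hash() {
    case "$1" in
        '$6$'*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Each generator takes the password as $1, prints one hash line, or fails.
# The password is piped on stdin to the tool so it never appears in argv.

gen_openssl() {
    command -v openssl >/dev/null 2>&1 || return 1
    # "-6" selects sha512crypt (OpenSSL 1.1.1+); older builds reject the flag and fail here.
    printf '%s\n' "$1" | openssl passwd -6 -stdin 2>/dev/null
}

gen_python3() {
    command -v python3 >/dev/null 2>&1 || return 1
    # The crypt module exists up to Python 3.12. On platforms whose libc lacks
    # SHA-512 the result is not a "$6$" string, and we treat that as failure.
    printf '%s' "$1" | python3 -c '
import sys
try:
    import crypt
except ImportError:
    sys.exit(1)
pw = sys.stdin.read()
h = crypt.crypt(pw, crypt.mksalt(crypt.METHOD_SHA512))
if not h or not h.startswith("$6$"):
    sys.exit(1)
print(h)
' 2>/dev/null
}

gen_perl() {
    command -v perl >/dev/null 2>&1 || return 1
    # Perl crypt() delegates to libc; a 16-character salt from the crypt alphabet is built here.
    printf '%s' "$1" | perl -e '
        my $pw = <STDIN>;
        my @c = ("a".."z", "A".."Z", "0".."9", ".", "/");
        my $salt = join "", map { $c[rand @c] } 1..16;
        my $h = crypt($pw, "\$6\$$salt\$");
        exit 1 unless defined $h && $h =~ /^\$6\$/;
        print "$h\n";
    ' 2>/dev/null
}

# sha512_hash PASSWORD [OUTPUT_FILE]
# Tries the generators in order. On success the hash is printed to stdout
# (or written to OUTPUT_FILE) and 0 is returned. On failure nothing is
# printed, OUTPUT_FILE is not created, and 1 is returned.
sha512_hash() {
    pw=$1
    out=$2
    for gen in gen_openssl gen_python3 gen_perl; do
        h=$("$gen" "$pw") || continue
        if is_sha512_hash "$h"; then
            if [ -n "$out" ]; then
                # The file is created only here, after a hash was actually produced.
                printf '%s\n' "$h" > "$out"
            else
                printf '%s\n' "$h"
            fi
            return 0
        fi
    done
    echo "no SHA-512 capable generator found in PATH" >&2
    return 1
}

# chpasswd_line USERNAME PASSWORD -> "USERNAME:hash", the form "chpasswd -e" expects.
chpasswd_line() {
    h=$(sha512_hash "$2") || return 1
    printf '%s:%s\n' "$1" "$h"
}

# Usage from a build (hypothetical file name):
#   RUN useradd -p "$(sh gen_hash.sh)" worker
# where gen_hash.sh reads the password without echo, e.g.
#   stty -echo; read -r pw; stty echo; sha512_hash "$pw" hash.txt
```

Because the output file is only opened after a hash has been produced, a Makefile rule that depends on that file stops the build when no suitable tool exists, exactly the behaviour the post relies on; piping the script's stdout into a file from the shell would instead leave an empty file that looks like success.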