Forum Discussion
SHA512 iRule to create the same hash as used in the local user database
Hi, I'm scratching my head here having run out of avenues to go down. I am trying to write an iRule which will take the BASIC auth password from an HTTPS request and create a hash to compare against the $6$ (SHA512) passwords in the local database. i.e. the 'encryptedPassword' parameter from 'tmsh list auth user john'
I can get the $6$ password OK, but cannot create a command to create the same hash output to compare. e.g. (note the password here is just 'password') :-
tmsh list auth user john | grep 'encrypted'
encrypted-password "$6$bZXU0M0o$8deuoRqyJxxsxQlWCELu7oxEy2MPwfhSTGOyG98o245DY2LvaajEOY390sMJpL1X00NYSPjLI5pZXUpq9/R5x1"
My hash algorithm proof-of-concept code so far :-
when HTTP_REQUEST {
    set SALT "bZXU0M0o"
    set PASSWORD "password"
    set COMBINE "$SALT$PASSWORD"
    set RESULT [b64encode [sha512 $COMBINE]]
    HTTP::respond 200 content $RESULT
}
This results in a hash of :-
fF15IMz19+x3H46S/evpY10oQ0W5/cHhPAIEy8OMTGjNgGPMywoOHFWVK2dsBh/ukUZdQA7F2phRYrD5BupR4g==
And not the hash I was expecting :-
8deuoRqyJxxsxQlWCELu7oxEy2MPwfhSTGOyG98o245DY2LvaajEOY390sMJpL1X00NYSPjLI5pZXUpq9/R5x1
Does anybody have any advice please?
Many thanks!
Dave.
4 Replies
- Ronald_van_der3
Nimbostratus
You have generated a single SHA512 hash from the password (and salt). However the OS uses (by default) 5000 rounds to generate the password.
- alpacatastic_20
Nimbostratus
Thanks for answering my query Ronald. I have presumed that the SHA512 hash function carries out the 5000 rounds by default for me before returning the hash but I will experiment with a loop to simulate the rounds. I think a related issue that I have is that the base64 encode is different on the F5 passwords to the standard b64encode in the iRule. The hash from the standard b64encode seems to use a '/' and a '+' as the extra 2 characters whereas the password hashes stored on the F5 use a '/' and a '.' instead.
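What the replies above point at, as an added example that is not part of the original thread and not F5 code: a from-scratch Python implementation of the $6$ scheme following Ulrich Drepper's SHA-crypt specification, showing the round loop, the byte permutation and the crypt(3) alphabet that make the output differ from `b64encode [sha512 ...]`. The function names are this example's own; it assumes an ASCII salt and does not clamp out-of-range `rounds` values.

```python
import hmac
from hashlib import sha512

# crypt(3) alphabet: "." and "/" come first; RFC 4648 base64 uses "+" and "/" last.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """SHA-512 crypt ($6$) per Ulrich Drepper's published specification."""
    pw, sl = password.encode(), salt.encode()[:16]
    n = len(pw)
    b = sha512(pw + sl + pw).digest()
    data = pw + sl + b * (n // 64) + b[:n % 64]
    i = n
    while i:  # one extra block per bit of len(password)
        data += b if i & 1 else pw
        i >>= 1
    c = sha512(data).digest()
    dp = sha512(pw * n).digest()
    p = dp * (n // 64) + dp[:n % 64]  # P: password-length byte string
    s = sha512(sl * (16 + c[0])).digest()[:len(sl)]  # S: salt-length string
    for r in range(rounds):  # the rounds the first reply refers to
        data = p if r & 1 else c
        if r % 3:
            data += s
        if r % 7:
            data += p
        data += c if r & 1 else p
        c = sha512(data).digest()
    out = []
    for i in range(21):  # digest bytes are permuted, then encoded low bits first
        t, k = (i, i + 21, i + 42), i % 3
        b2, b1, b0 = (c[j] for j in t[k:] + t[:k])
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(4):
            out.append(B64[w & 63])
            w >>= 6
    out += [B64[c[63] & 63], B64[c[63] >> 6]]
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{sl.decode()}${''.join(out)}"

def verify(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt/rounds; compare in constant time."""
    parts = stored.split("$")  # ['', '6', salt, hash] or with rounds=N
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts.pop(2)[7:])
    computed = sha512_crypt(candidate, parts[2], rounds)
    return hmac.compare_digest(parts[3], computed.rsplit("$", 1)[1])
```

Calling `sha512_crypt("password", "bZXU0M0o")` produces a string to compare with the `encrypted-password` value quoted in the question.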