Root Password Generation
Creating and maintaining root passwords across a large number of servers is not something to take for granted. Networks often contain hundreds of servers to maintain, and a good sysadmin knows that for maximum security each and every server needs its own unique root password. Practicality works against you here unless you adopt some human-maintainable pattern for your passwords, which defeats the purpose of having unique passwords in the first place.
Imagine if, instead of having to remember unique passwords, you needed only to remember a keyword that you can say in a public arena. Are you interested? Please continue…
$ ./password.sh petabitblog 172.21.0.4
;V5Q.L;6
$ ./password.sh petabitblog 172.21.0.5
aE>E2P)_
Please notice that with the keyword “petabitblog”, even when $2 is a string that is almost exactly the same, the script generates an entirely different password.
Usage Statement:
$ ./password.sh
Usage: password.sh
Example: ./password.sh foo 10.0.0.1
Attached at the bottom are the source code and the prerequisites needed to have this utility available for your use. Please compile and install it in /usr/local to conform to the UNIX filesystem RFC.
Let's go through the script for clarity, shall we.
Let's start with the usage statement; this is arbitrary and can be custom tailored:
#!/bin/bash
if [[ $# -ne 2 ]]
then
    echo "Usage: password.sh "
    echo "Example: ./password.sh foo 10.0.0.1"
    exit 0
fi
Nothing special there. Now we need a source of random-looking characters that is consistent, so that the passwords we create can be reproduced. There's a little utility called sha2 that I use. It hashes any text into hex values that can be utilized.
$ echo randomstring | sha2 -512 -q
19d601919fd22382270be2caf94835456fb6dea4c48fdbc6b03dc1777f045e8 \ 0b206954f9af07881884d6b95ea7c123cf688847343151a7bbdba924e55b33ded
Notice that I use SHA-512; MD5 or any other hash can be used, but I prefer the less crackable ones to sate my paranoia.
We can't really use that string as it stands, so what I decided to do was break out the first 16 characters and use their hex values to obtain ASCII characters. Please take a look at the following code snippet:
key=`echo "$1$2" | sha2 -512 -q | tr '[a-z]' '[A-Z]' | sed -e 's-.-& -2;s-.-& -5;s-.-& -8;s-.-& -11;s-.-& -14;s-.-& -17;s-.-& -20;s-.-& -23' | awk '{print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8}'`
This takes the keyword + IP and pipes it through sha2. The characters are then turned into uppercase and piped through sed, which adds a space after every second character for a total of 16 characters (8 hex pairs); awk keeps just those 8 fields. Using the keyword “petabitblog” and the IP “172.21.0.5” we get the following output:
$ echo petabitblog172.31.0.5 | sha2 -512 -q | tr '[a-z]' '[A-Z]' | sed -e 's-.-& -2;s-.-& -5;s-.-& -8;s-.-& -11;s-.-& -14;s-.-& -17;s-.-& -20;s-.-& -23' | awk '{print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8}'
8B 14 8A 1E 12 04 6E 4A
Next we need to get the decimal values for each hex digit:
for i in $key
do
    string=`(echo ibase=16; echo $i%7E) | bc`   # hex pair modulo 0x7E, as a decimal
This ensures that every value is turned into a decimal within the valid ASCII range, between 0 and 177. There are other ways, but this is what I like to do. What we have to work with now are the decimal numbers 13, 20, 12, 30, 18, 4, 110, and 74 respectively.
Please realize that the ASCII table includes many characters unsuitable for a password. Any ASCII value below 40 is useless to us unless you can type characters like DLE (data link escape) and HT (horizontal tab, \t) swiftly. I also chose to exclude “\” from being used, as that ensures easy integration into other scripts that may have tricky special-character handling, like expect. The next code snippet:
    if (( $string <= 40 ))
    then
        (( string = string + 41 )) # make sure it's a printable character and not a control character
    fi
    if (( $string == 92 ))
    then
        (( string = string + 1 )) # skip the backslash (92), which trips up tools like expect
    fi
Now we need to print the characters for these decimal values. For this, awk has a nice trick: %c
    char=`echo $string | awk '{printf("%c",$0)}'`
Last but not least we need to print the character out, with -n so there is no trailing newline and -e so escapes are interpreted:
    echo -ne "$char"
Finally, close the loop and echo a new line:
done
echo
exit 0
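To see the whole scheme end to end, here is an added Python reimplementation (not the post's script) of the same steps: SHA-512 of keyword+host (including the newline that echo appends), the first 8 bytes reduced modulo 0x7E, then the +41 and backslash shifts. It also counts the distinct characters the mapping can produce, since the +41 shift folds two byte ranges onto the same outputs; the hex pairs used in the demo are the ones the post shows for petabitblog172.31.0.5, and any keyword/host passed to password() is just an input.

```python
import hashlib
import math
from collections import Counter

MOD = 0x7E  # the script's bc step: <hex pair> % 7E, i.e. modulo 126


def map_byte(b: int) -> int:
    """Reproduce the script's byte -> ASCII code mapping (reimplemented here)."""
    v = b % MOD                 # 0..125
    if v <= 40:                 # lift control characters and low punctuation
        v += 41
    if v == 92:                 # never emit a backslash
        v += 1
    return v


def password_from_hex_pairs(pairs: str) -> str:
    """Turn the 8 hex pairs the sed/awk pipeline emits into the password."""
    return "".join(chr(map_byte(int(p, 16))) for p in pairs.split())


def password(keyword: str, host: str) -> str:
    """Full scheme: SHA-512 of keyword+host+newline, first 8 bytes mapped."""
    digest = hashlib.sha512(f"{keyword}{host}\n".encode()).digest()
    return "".join(chr(map_byte(b)) for b in digest[:8])


def alphabet_stats():
    """Distinct output characters and Shannon entropy (bits) per character,
    treating each of the 256 possible byte values as equally likely."""
    counts = Counter(map_byte(b) for b in range(256))
    entropy = -sum(c / 256 * math.log2(c / 256) for c in counts.values())
    return len(counts), entropy


if __name__ == "__main__":
    # Constructed input: the hex pairs shown in the post for petabitblog172.31.0.5
    print(password_from_hex_pairs("8B 14 8A 1E 12 04 6E 4A"))
    size, bits = alphabet_stats()
    print(f"{size} distinct characters, {bits:.2f} bits each, "
          f"about {8 * bits:.1f} bits per 8-character password")
```

The mapping can only ever produce 84 distinct characters, and values 41 through 81 are twice as likely as the rest, so each character carries a little over 6 bits rather than the 7 a uniform pick from 0 to 125 would give.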
There you have it. Keep it on a *very* secure machine and you have your root passwords:
$ ./password.sh petabitblog 172.21.0.5
aE>E2P)_
I am giving this to you freely for your use. I only ask that you keep my name in the script and inform me of any significant updates to make the script easier and better to use.
#!/bin/bash
# Generate root passwords based off of crypted values
#
# Author: Paul Pasika
# Date: 04.08.2008
# email paulpas@petabit.net
#
# Paypal any donations to paulpas@petabit.net to keep this going.
#
#
if [[ $# -ne 2 ]]
then
    echo "Usage: password.sh "
    echo "Example: ./password.sh foo 10.0.0.1"
    exit 0
fi
# SHA-512 of keyword+host, uppercased, split into its first 8 hex pairs
key=`echo "$1$2" | sha2 -512 -q | tr '[a-z]' '[A-Z]' | sed -e 's-.-& -2;s-.-& -5;s-.-& -8;s-.-& -11;s-.-& -14;s-.-& -17;s-.-& -20;s-.-& -23' | awk '{print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8}'`
for i in $key
do
    string=`(echo ibase=16; echo $i%7E) | bc`   # hex pair modulo 0x7E, as a decimal
    if (( $string <= 40 ))
    then
        (( string = string + 41 )) # make sure it's a printable character and not a control character
    fi
    if (( $string == 92 ))
    then
        (( string = string + 1 )) # skip the backslash (92), which trips up tools like expect
    fi
    #if (( $string == 91 ))
    #then
    #    string="\$string" # make sure it's a printable character and not a control character
    #fi
    char=`echo $string | awk '{printf("%c",$0)}'`
    #/usr/bin/perl -ew "print ,$char\n";
    echo -ne "$char"
done
echo
sha2 source

April 10th, 2008 at 10:12 pm
what the FUCK this is cool dude
April 22nd, 2008 at 9:30 pm
Nice dude. I’ve been using something like this for a few years. I use it for throw-away website urls. ./genpassword.php somewebsite.com.
The only problem is the number of web sites that choke on some special character I throw in just to make it secure. :\
(Yeah that means you dancerecords.com)