Open MagerValp opened 12 years ago
Would it be possible to revisit this now?
Yep. Plan is to release 1.2.4 as a last bugfix release, then for 1.3 I'm ditching 10.5 and 10.6 support. Busy with AutoDMG at the moment though.
Ping! I know the whole package is up for adoption, but any pointers on where to start on a PR?
https://magervalp.github.io/2016/12/07/createuserpkg-up-for-adoption.html
First there's some detective work that needs to be done to determine what the current format is for /private/var/db/dslocal/nodes/Default/users plists, particularly the ShadowHashData, and how it varies from 10.7-10.12. Then the following needs to be replaced with PBKDF2:
create_package.py also has to be adjusted accordingly.
I don't know Obj-C at all, so I might not be able to provide a PR.
Some notes on what I've learned, in case it's useful to anyone:
The new ShadowHashData format seems pretty straightforward: it's a binary plist that contains the SALTED-SHA512-PBKDF2 hash. Judging from my own hash it uses ~40K iterations and generates a 128-byte output hash.
The macadmin ruby library has some examples of generating this plist:
https://github.com/dayglojesus/macadmin/blob/b35d0bec2b5299b6d2813726ddff0e3ae5d28c4d/lib/macadmin/shadowhash.rb#L199
https://github.com/dayglojesus/macadmin/blob/b35d0bec2b5299b6d2813726ddff0e3ae5d28c4d/ext/macadmin/password/crypto.c#L42
Here's an example ShadowHashData file with the Base64 blobs replaced by all A characters. The entropy key represents the PBKDF2 output. I'm not sure what the SRP hash is for, but it looks to be generated in much the same way, only with a longer PBKDF2 output.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>SALTED-SHA512-PBKDF2</key>
<dict>
<key>entropy</key>
<data>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
</data>
<key>iterations</key>
<integer>39840</integer>
<key>salt</key>
<data>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
</data>
</dict>
<key>SRP-RFC5054-4096-SHA512-PBKDF2</key>
<dict>
<key>iterations</key>
<integer>34602</integer>
<key>salt</key>
<data>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
</data>
<key>verifier</key>
<data>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAA=
</data>
</dict>
</dict>
</plist>
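As an added example (not code from CreateUserPkg or from the commenters above), the following Python script builds a ShadowHashData blob in the shape shown in the plist above: a binary plist holding a SALTED-SHA512-PBKDF2 dict with a 32-byte salt, an iteration count and a 128-byte PBKDF2-HMAC-SHA512 output under the entropy key. The default iteration count 39840 and the blob sizes are taken from the example plist; the function names, the constructed password and the fixed test salt are assumptions of this example. The SRP-RFC5054-4096-SHA512-PBKDF2 entry is deliberately left out, since the thread does not establish how it is derived. A verify function is included so the round trip through plistlib can be checked against a wrong password.

```python
import hashlib
import hmac
import os
import plistlib
from typing import Optional

# Parameters read off the example ShadowHashData plist in the thread.
DEFAULT_ITERATIONS = 39840   # <integer>39840</integer> under SALTED-SHA512-PBKDF2
SALT_LEN = 32                # the 44-char base64 salt blob decodes to 32 bytes
ENTROPY_LEN = 128            # the entropy blob decodes to 128 bytes


def make_shadow_hash_data(password: str,
                          salt: Optional[bytes] = None,
                          iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Return a binary-plist ShadowHashData blob for `password`.

    Only the SALTED-SHA512-PBKDF2 entry is emitted (hypothetical helper;
    the SRP verifier entry from the example plist is not reproduced).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per user
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  salt, iterations, dklen=ENTROPY_LEN)
    shadow = {
        "SALTED-SHA512-PBKDF2": {
            "entropy": entropy,              # plistlib writes bytes as <data>
            "iterations": iterations,
            "salt": salt,
        }
    }
    # ShadowHashData is stored as a *binary* plist inside the user plist.
    return plistlib.dumps(shadow, fmt=plistlib.FMT_BINARY)


def parse_shadow_hash_data(blob: bytes) -> dict:
    """Decode a ShadowHashData blob and return its SALTED-SHA512-PBKDF2 dict."""
    shadow = plistlib.loads(blob)
    return shadow["SALTED-SHA512-PBKDF2"]


def verify_password(blob: bytes, password: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    entry = parse_shadow_hash_data(blob)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    entry["salt"], entry["iterations"],
                                    dklen=len(entry["entropy"]))
    return hmac.compare_digest(candidate, entry["entropy"])


def as_xml(blob: bytes) -> str:
    """Render the binary blob as XML for inspection (same layout as the example above)."""
    return plistlib.dumps(plistlib.loads(blob), fmt=plistlib.FMT_XML).decode("utf-8")


if __name__ == "__main__":
    # Constructed demo password; never reuse a real credential here.
    blob = make_shadow_hash_data("correct horse battery staple")
    print(as_xml(blob))
    print("verify ok:", verify_password(blob, "correct horse battery staple"))
    print("verify wrong:", verify_password(blob, "not the password"))
```

The blob returned by make_shadow_hash_data is what would go under the ShadowHashData key of the user plist; rendering it with as_xml should show the same keys and blob lengths as the example file above.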
Add an option to store the password in salted SHA1 (10.5+) or PBKDF2 (10.7+) format. Salted SHA1 might not be secure enough for some environments.