MagerValp / CreateUserPkg

This project has been archived and is no longer maintained

Password format option #13

Open MagerValp opened 12 years ago

MagerValp commented 12 years ago

Add an option to store the password in salted SHA1 (10.5+) or PBKDF2 (10.7+) format. Salted SHA1 might not be secure enough for some environments.

keeleysam commented 10 years ago

Would it be possible to revisit this now?

MagerValp commented 10 years ago

Yep. Plan is to release 1.2.4 as a last bugfix release, then for 1.3 I'm ditching 10.5 and 10.6 support. Busy with AutoDMG at the moment though.

ab commented 7 years ago

Ping! I know the whole package is up for adoption, but any pointers on where to start on a PR?

https://magervalp.github.io/2016/12/07/createuserpkg-up-for-adoption.html

MagerValp commented 7 years ago

First there's some detective work that needs to be done to determine what the current format is for /private/var/db/dslocal/nodes/Default/users plists, particularly the ShadowHashData and how it varies from 10.7-10.12. Then the following needs to be replaced with PBKDF2:

https://github.com/MagerValp/CreateUserPkg/blob/1c4fceeccf3aa7f3d4143a276f285452f869d968/CreateUserPkg/CUPDocument.m#L102-L130

create_package.py also has to be adjusted accordingly.

ab commented 7 years ago

I don't know Obj-C at all, so I might not be able to provide a PR.

Some notes on what I've learned, in case it's useful to anyone:

The new ShadowHashData format seems pretty straightforward: it's a binary plist that contains the SALTED-SHA512-PBKDF2 hash. Judging from my own hash it uses ~40K iterations and generates a 128-byte output hash.

The macadmin ruby library has some examples of generating this plist.

https://github.com/dayglojesus/macadmin/blob/b35d0bec2b5299b6d2813726ddff0e3ae5d28c4d/lib/macadmin/shadowhash.rb#L199
https://github.com/dayglojesus/macadmin/blob/b35d0bec2b5299b6d2813726ddff0e3ae5d28c4d/ext/macadmin/password/crypto.c#L42

Here's an example ShadowHashData file with the Base64 blobs replaced by all A characters. The entropy key represents the PBKDF2 output. I'm not sure what the SRP hash is for, but it looks to be generated in much the same way, only with a longer PBKDF2 output.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SALTED-SHA512-PBKDF2</key>
    <dict>
        <key>entropy</key>
        <data>
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
        </data>
        <key>iterations</key>
        <integer>39840</integer>
        <key>salt</key>
        <data>
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
        </data>
    </dict>
    <key>SRP-RFC5054-4096-SHA512-PBKDF2</key>
    <dict>
        <key>iterations</key>
        <integer>34602</integer>
        <key>salt</key>
        <data>
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
        </data>
        <key>verifier</key>
        <data>
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAA=
        </data>
    </dict>
</dict>
</plist>
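The SALTED-SHA512-PBKDF2 scheme described above, as an added example that is not code from this thread or from CreateUserPkg: it builds a ShadowHashData binary plist from a password and verifies a password against one. The iteration count is taken from the sample plist above; the 32-byte salt length and the function names are assumptions.

```python
import hashlib
import hmac
import os
import plistlib

# Parameters from the thread: PBKDF2-HMAC-SHA512 with a 128-byte output and an
# iteration count in the tens of thousands. SALT_LEN = 32 is an assumption.
ENTROPY_LEN = 128
SALT_LEN = 32
ITERATIONS = 39840  # iteration count from the redacted sample plist above


def make_shadow_hash_data(password, salt=None, iterations=ITERATIONS):
    """Return ShadowHashData as a binary plist holding SALTED-SHA512-PBKDF2."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per hash
    entropy = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=ENTROPY_LEN
    )
    record = {
        "SALTED-SHA512-PBKDF2": {
            "entropy": entropy,      # PBKDF2 output, stored as <data>
            "iterations": iterations,
            "salt": salt,
        }
    }
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def parse_shadow_hash_data(blob):
    """Decode the binary plist and return the SALTED-SHA512-PBKDF2 dict."""
    return plistlib.loads(blob)["SALTED-SHA512-PBKDF2"]


def verify_password(blob, password):
    """Recompute PBKDF2 with the stored salt/iterations; constant-time compare."""
    params = parse_shadow_hash_data(blob)
    candidate = hashlib.pbkdf2_hmac(
        "sha512",
        password.encode("utf-8"),
        params["salt"],
        params["iterations"],
        dklen=len(params["entropy"]),
    )
    return hmac.compare_digest(candidate, params["entropy"])
```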