SHA 512 crypt output written with Python code is different from mkpasswd

Problem description

Running mkpasswd -m sha-512 -S salt1234 password results in the following:

$6$salt1234$Zr07alHmuONZlfKILiGKKULQZaBG6Qmf5smHCNH35KnciTapZ7dItwaCv5SKZ1xH9ydG59SCgkdtsTqVWGhk81

I have this snippet of Python code that I thought would output the same, but it doesn't:

import hashlib, base64
print(base64.b64encode(hashlib.sha512('password' + 'salt1234').digest()))

Instead, it results in:

nOkBUt6l7zlKAfjtk1EfB0TmckXfDiA4FPLcpywOLORZ1PWQK4+PZVEiT4+9rFjqR3xnaruZBiRjDGcDpxxTig==

Not sure what I did wrong.

Another question I have is, how do I tell the sha512 function to do custom rounds? It seems to take only 1 argument.

Recommended answer

mkpasswd is a front-end to the crypt() function. I don't think it is a straight-forward SHA512 hash here.

A little research points to the specification for SHA256-crypt and SHA512-crypt, which shows the hash is applied a default 5000 times. You can specify a different number of rounds using the -R switch to mkpasswd; -R 5000 indeed gives you the same output:

$ mkpasswd -m sha-512 -S salt1234 -R 5000 password
$6$rounds=5000$salt1234$Zr07alHmuONZlfKILiGKKULQZaBG6Qmf5smHCNH35KnciTapZ7dItwaCv5SKZ1xH9ydG59SCgkdtsTqVWGhk81

The minimum number of rounds offered by the command-line tool is 1000:

$ mkpasswd -m sha-512 -S salt1234 -R 999 password
$6$rounds=1000$salt1234$SVDFHbJXYrzjGi2fA1k3ws01/D9q0ZTAh1KfRF5.ehgjVBqfHUaKqfynXefJ4DxIWxkMAITYq9mmcBl938YQ//
$ mkpasswd -m sha-512 -S salt1234 -R 1 password
$6$rounds=1000$salt1234$SVDFHbJXYrzjGi2fA1k3ws01/D9q0ZTAh1KfRF5.ehgjVBqfHUaKqfynXefJ4DxIWxkMAITYq9mmcBl938YQ//

The algorithm is a bit more involved, requiring you to create several digests. You could instead access the C crypt() function through the crypt.crypt() function, and drive it the same way the mkpasswd commandline does.

It depends on your platform if the SHA512-crypt method is available; the Python 3 version of the crypt module offers a crypt.methods list that tells you what methods your platform supports. Since this uses the exact same library mkpasswd uses, your OS obviously does support SHA512-crypt and Python will have access too.

You need to prefix the salt with '$6$' to specify the different method. You can specify the number of rounds by adding a 'rounds=<N>$' string between the '$6$' string and your salt:

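# Note: the crypt module was deprecated in Python 3.11 and removed in 3.13.
import crypt
import string

try:  # 3.6 or above
    from secrets import choice as randchoice
except ImportError:
    # Older Pythons: fall back to the OS CSPRNG via SystemRandom
    from random import SystemRandom
    randchoice = SystemRandom().choice

def sha512_crypt(password, salt=None, rounds=None):
    # Generate a random 8-character salt when none is supplied
    if salt is None:
        salt = ''.join([randchoice(string.ascii_letters + string.digits)
                        for _ in range(8)])

    # '$6$' selects SHA512-crypt; an optional 'rounds=<N>$' follows it
    prefix = '$6$'
    if rounds is not None:
        # Clamp to the range the SHA-crypt specification allows
        rounds = max(1000, min(999999999, rounds or 5000))
        prefix += 'rounds={0}$'.format(rounds)
    return crypt.crypt(password, prefix + salt)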

This then produces the same output as the mkpasswd command line:

>>> sha512_crypt('password', 'salt1234')
'$6$salt1234$Zr07alHmuONZlfKILiGKKULQZaBG6Qmf5smHCNH35KnciTapZ7dItwaCv5SKZ1xH9ydG59SCgkdtsTqVWGhk81'
>>> sha512_crypt('password', 'salt1234', rounds=1000)
'$6$rounds=1000$salt1234$SVDFHbJXYrzjGi2fA1k3ws01/D9q0ZTAh1KfRF5.ehgjVBqfHUaKqfynXefJ4DxIWxkMAITYq9mmcBl938YQ//'
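
The "several digests" the answer mentions, written out in pure Python following the SHA-crypt specification it points to. This is an added example, not code from the answer; the name sha512_crypt_pure and its helpers are assumptions, the salt is assumed to be ASCII, and it needs only hashlib, so it also runs where the crypt module is unavailable.

```python
import hashlib

# crypt(3) alphabet: ordered differently from RFC 4648 base64, no padding
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _stretch(digest, n):
    """Repeat a 64-byte digest and cut the result to exactly n bytes."""
    return (digest * (n // 64 + 1))[:n]

def _b64_24bit(b2, b1, b0, nchars):
    """Encode a 24-bit word as nchars characters, lowest 6 bits first."""
    w = b2 << 16 | b1 << 8 | b0
    return "".join(B64[(w >> 6 * i) & 0x3F] for i in range(nchars))

def sha512_crypt_pure(password, salt, rounds=None):
    salt = salt[:16]                                   # spec caps the salt at 16 chars
    pw, sl = password.encode(), salt.encode()
    n_rounds = 5000 if rounds is None else max(1000, min(999999999, rounds))
    sha = hashlib.sha512
    b = sha(pw + sl + pw).digest()                     # digest B
    a = sha(pw + sl + _stretch(b, len(pw)))            # digest A, still open
    n = len(pw)
    while n:                                           # one update per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    d = a.digest()
    p = _stretch(sha(pw * len(pw)).digest(), len(pw))  # byte sequence P
    s = _stretch(sha(sl * (16 + d[0])).digest(), len(sl))  # byte sequence S
    for i in range(n_rounds):                          # what -R / rounds= controls
        c = sha(p if i & 1 else d)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(d if i & 1 else p)
        d = c.digest()
    out = []
    for i in range(21):                                # digest bytes are permuted first
        t = (i, i + 21, i + 42)
        k = i % 3
        b2, b1, b0 = t[k:] + t[:k]
        out.append(_b64_24bit(d[b2], d[b1], d[b0], 4))
    out.append(_b64_24bit(0, 0, d[63], 2))             # last byte gives 2 chars
    tag = "" if rounds is None else "rounds={}$".format(n_rounds)
    return "$6$" + tag + salt + "$" + "".join(out)

if __name__ == "__main__":
    print(sha512_crypt_pure("password", "salt1234"))
```

When checking a candidate password against a stored hash, compare the two strings with hmac.compare_digest rather than ==.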
