
Password format option

Open MagerValp opened this issue 12 years ago • 5 comments

Add an option to store the password in salted SHA1 (10.5+) or PBKDF2 (10.7+) format. Salted SHA1 might not be secure enough for some environments.

MagerValp avatar Aug 02 '12 10:08 MagerValp

Would it be possible to revisit this now?

keeleysam avatar Oct 22 '13 21:10 keeleysam

Yep. Plan is to release 1.2.4 as a last bugfix release, then for 1.3 I'm ditching 10.5 and 10.6 support. Busy with AutoDMG at the moment though.

MagerValp avatar Oct 24 '13 06:10 MagerValp

Ping! I know the whole package is up for adoption, but any pointers on where to start on a PR?

https://magervalp.github.io/2016/12/07/createuserpkg-up-for-adoption.html

ab avatar Jan 13 '17 03:01 ab

First there's some detective work that needs to be done to determine what the current format is for /private/var/db/dslocal/nodes/Default/users plists, particularly the ShadowHashData and how it varies from 10.7-10.12. Then the following needs to be replaced with PBKDF2:

https://github.com/MagerValp/CreateUserPkg/blob/1c4fceeccf3aa7f3d4143a276f285452f869d968/CreateUserPkg/CUPDocument.m#L102-L130

create_package.py also has to be adjusted accordingly.

MagerValp avatar Jan 13 '17 13:01 MagerValp

I don't know Obj-C at all, so I might not be able to provide a PR.

Some notes on what I've learned, in case it's useful to anyone:

The new ShadowHashData format seems pretty straightforward: it's a binary plist that contains the SALTED-SHA512-PBKDF2 hash. Judging from my own hash it uses ~40K iterations and generates a 128-byte output hash.

The macadmin ruby library has some examples of generating this plist.

https://github.com/dayglojesus/macadmin/blob/b35d0bec2b5299b6d2813726ddff0e3ae5d28c4d/lib/macadmin/shadowhash.rb#L199
https://github.com/dayglojesus/macadmin/blob/b35d0bec2b5299b6d2813726ddff0e3ae5d28c4d/ext/macadmin/password/crypto.c#L42

Here's an example ShadowHashData file with the Base64 blobs replaced by all A characters. The entropy key represents the PBKDF2 output. I'm not sure what the SRP hash is for, but it looks to be generated in much the same way, only with a longer PBKDF2 output.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>SALTED-SHA512-PBKDF2</key>
    <dict>
        <key>entropy</key>
        <data>
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
        </data>
        <key>iterations</key>
        <integer>39840</integer>
        <key>salt</key>
        <data>
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
        </data>
    </dict>
    <key>SRP-RFC5054-4096-SHA512-PBKDF2</key>
    <dict>
        <key>iterations</key>
        <integer>34602</integer>
        <key>salt</key>
        <data>
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
        </data>
        <key>verifier</key>
        <data>
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAA=
        </data>
    </dict>
</dict>
</plist>

ab avatar Jan 17 '17 01:01 ab
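The SALTED-SHA512-PBKDF2 layout described in the comment above (a binary plist holding entropy, iterations and salt) is small enough to build and check end to end. The following is an added example, not code from CreateUserPkg or from the macadmin library: it derives the entropy with PBKDF2-HMAC-SHA512, wraps it in a binary plist the way ShadowHashData is stored, and verifies a candidate password against such a blob in constant time. The 39840 iteration count is the one from the sample plist in the thread; the 32-byte salt and 128-byte derived-key lengths are inferred from the sizes of the base64 blobs there and are assumptions, as is the choice to leave out the SRP record. Only the standard library is used.

```python
import os
import hmac
import hashlib
import plistlib
from typing import Optional

# Iteration count taken from the sample ShadowHashData plist in the thread.
# Salt and derived-key lengths are inferred from the base64 blob sizes there
# (44 chars -> 32 bytes, 172 chars -> 128 bytes); treat both as assumptions.
ITERATIONS = 39840
SALT_LEN = 32
DKLEN = 128


def make_shadow_hash_data(password: str,
                          salt: Optional[bytes] = None,
                          iterations: int = ITERATIONS) -> bytes:
    """Build a binary-plist ShadowHashData blob carrying SALTED-SHA512-PBKDF2.

    A fresh random salt is drawn unless one is supplied (supplying one is only
    useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    entropy = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  salt, iterations, dklen=DKLEN)
    record = {
        "SALTED-SHA512-PBKDF2": {
            "entropy": entropy,      # PBKDF2 output, stored as <data>
            "iterations": iterations,
            "salt": salt,
        }
    }
    # ShadowHashData is stored as a *binary* plist, so use FMT_BINARY.
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def verify_password(shadow_hash_data: bytes, password: str) -> bool:
    """Recompute PBKDF2 from the stored salt and iteration count and compare.

    The comparison is constant-time so a wrong guess does not leak how many
    leading bytes matched.
    """
    record = plistlib.loads(shadow_hash_data)
    params = record.get("SALTED-SHA512-PBKDF2")
    if not params:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    params["salt"], params["iterations"],
                                    dklen=len(params["entropy"]))
    return hmac.compare_digest(candidate, params["entropy"])


def describe(shadow_hash_data: bytes) -> dict:
    """Summarise the hash families and parameter sizes in a ShadowHashData blob.

    Binary fields are reported by length only, so the summary is safe to log.
    """
    record = plistlib.loads(shadow_hash_data)
    summary = {}
    for family, params in record.items():
        summary[family] = {
            key: (len(value) if isinstance(value, bytes) else value)
            for key, value in params.items()
        }
    return summary


if __name__ == "__main__":
    # Constructed demo input; the password is a placeholder, not a real credential.
    blob = make_shadow_hash_data("example-passphrase")
    print(describe(blob))
    print("verify ok:", verify_password(blob, "example-passphrase"))
    print("verify wrong:", verify_password(blob, "not-the-passphrase"))
```

To inspect a blob produced this way, `plutil -convert xml1` on the written file yields the same key layout as the XML sample in the thread, with the entropy and salt shown as base64 `<data>` elements.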