Register
It is currently Sun Apr 22, 2018 9:53 pm

gpg usage


All times are UTC - 6 hours


Post new topic Reply to topic  [ 14 posts ] 
Author Message
 PostPosted: Tue Mar 08, 2016 11:27 am   

Joined: Tue Nov 17, 2015 6:30 am
Posts: 70
Hi

I'm attempting to hash a file using gpg with SHA512.

have tried the following:
Code:
$ cat > t.dat <<<"A test"
$ gpg --s2k-digest-algo SHA512 t.dat
but get an error
Code:
gpg: no valid OpenPGP data found.

Also, how could I get the string back unhashed?


Top
 Profile  
 PostPosted: Tue Mar 08, 2016 11:32 am   

Joined: Mon Oct 20, 2014 9:53 am
Posts: 574
no need for gpg.

There are already tools providing this functionality.
Typing sha<tab><tab> should give something like this:
sha1sum sha224sum sha256sum sha384sum sha512sum

Hence just a sha512sum <SomeFileOrPathName> is needed.


Top
 Profile  
 PostPosted: Tue Mar 08, 2016 1:05 pm   

Joined: Tue Nov 17, 2015 6:30 am
Posts: 70
ok, thanks. is there a way to get the unhashed value of what was hashed in a file?


Top
 Profile  
 PostPosted: Tue Mar 08, 2016 1:49 pm   
Moderator
User avatar

Joined: Wed May 03, 2006 2:05 pm
Posts: 273
Hey bluefrog, are you trying to encrypt the contents of the file? A hash is more like a "fingerprint"... A way to verify that a file hasn't been altered. The contents of the file are not contained in the hash. If you want to be able to encrypt a file and decrypt it later with a password, you can use gpg for that. The -c option tells it to encrypt the file.

Code:
# Use something like this to encrypt a single file
# You will be prompted to pick a passphrase
# The resulting file will be named t.dat.gpg
$ gpg -c t.dat

# You could even specify the algorithm, like in your example, but that only relates to the passphrase, not the contents of the file itself:
$ gpg --s2k-digest-algo SHA512 -c t.dat

# To decript the file, simply run the following
# You will be prompted for a passphrase. This will be the passphrase that you used when you encrypted the file.
$ gpg t.dat.gpg



I hope this helps!


Top
 Profile YIM  
 PostPosted: Tue Mar 08, 2016 1:58 pm   

Joined: Mon Oct 20, 2014 9:53 am
Posts: 574
And you just CAN'T get back the unhashed string from a hash.
They are one-way tickets by design.

jeo told you how to en- and decrypt.


Top
 Profile  
 PostPosted: Tue Mar 08, 2016 2:08 pm   

Joined: Tue Nov 17, 2015 6:30 am
Posts: 70
Hi Jeo,

thanks, got it. Is there a way to bypass the password phrase, so instead of -c, use some kind of AES signature?


Top
 Profile  
 PostPosted: Wed Mar 09, 2016 3:55 am   

Joined: Tue Nov 17, 2015 6:30 am
Posts: 70
Not sure how to solve this.
I have a file, the contents of which are:
Code:
USER1:ENV1:Pass1
USER2:ENV1:Pass2
USER3:ENV2:Pass3
What I'm after is to encrypt the Passwords in the file (3rd column, delimited by":"), so the file contents would look as follows:
Code:
USER1:ENV1:% wify ergg"*() -hjg
USER2:ENV1:fhy 123yigfd
USER3:ENV2:wjkhfuyh
Where the 3rd column is now encrypted. I now need to unencrypt the 3rd column to get to the original text, without intervention from user input.
I'm sure gpg could be used, but not sure how though?


Top
 Profile  
 PostPosted: Wed Mar 09, 2016 8:45 am   

Joined: Mon Oct 20, 2014 9:53 am
Posts: 574
What is the goal you're trying to achieve?


Top
 Profile  
 PostPosted: Thu Mar 10, 2016 12:35 am   
Moderator
User avatar

Joined: Wed May 03, 2006 2:05 pm
Posts: 273
I think I see what you're saying. So, what's the purpose of UN-encrypting the password field?

If you're doing this for some kind of authentication system, you probably don't need to decrypt the password field. You would want to take a hash of the password (maybe this is what you were looking for in your original post?) and store the hash. Then to check against it later, you just hash the user's input and see if it matches.

Was the encrypted file from the first post different from the encrypted passwords?

You can generate the hash with something like...
Code:
$ echo -n "PASSWORD" | md5sum | cut -d' ' -f1


Top
 Profile YIM  
 PostPosted: Fri Mar 11, 2016 5:17 am   

Joined: Tue Nov 17, 2015 6:30 am
Posts: 70
Hi Jeo

thanks for the reply, the reason that I have to "decrypt" or "unhash" the string is that it is used for authentication into an Oracle command line utility, so the sample file I posted would be USER1 = oracle user, ENV = database name and Pass1 = password.

So although I could hash the string "Pass1"
Code:
echo "Pass1" | md5sum
5e52d0a1f9ea7fccc61d9e7a996bf0dc
I would need to "unhash" in order for it to be used. I have a utlity which currently uses the apache xerces open source java library, but I would dearly like to remove java as a dependency and rely on what is available on a linux server, whether it be gpg, openssl or whatever hashing is available.

The problem with hashing, based on what uhelp has mentioned and from what I've read, is that it would probably won't server my purpose as I've just described, since it is only one way. You can use hashing for authentication since you can compare what is hashed with what has been entered, but there is no input in this case.


Top
 Profile  
 PostPosted: Fri Mar 11, 2016 9:39 am   
Moderator
User avatar

Joined: Wed May 03, 2006 2:05 pm
Posts: 273
Hi bluefrog!

I actually think I figured out what you were trying to do shortly after I posted that, but hadn't had time to put any thought into it. You're going to need some kind of passphrase either way, but you could have the passphrase to decrypt the passwords in the script that uses them. It totally defeats the purpose though, if the password file and the script are stored together. I've actually been working on a similar problem in an environment where I need to manage 50+ Linux servers and I'm not allowed to use SSH keys... I don't want passwords stored in plain text, but encrypting them and storing them right next to the script that contains the passphrase to decrypt them would just be bad practice...

Ok, that was kind of a tangent... Now, on to how to do it! You *Could* use gpg for this, but you won't get a nice string to store in the nicely formatted file you have spec'd. Let's use OpenSSL for this instead. Here's an example:

Code:
> echo password | openssl enc -base64 -a -salt -pass pass:mypass
cGFzc3dvcmQK

> echo cGFzc3dvcmQK | openssl enc -base64 -a -d -salt -pass pass:mypass
password


The example is pretty simple. You might want to use a stronger encryption (see the man page for openssl for options). There are also different options for how to get the passphrase (mypass) used to en/decrypt your password string. Those are also in the man page, and include things like an environment variable, or a separate file.

I hope this helps gets you started!


Top
 Profile YIM  
 PostPosted: Fri Mar 11, 2016 10:25 am   

Joined: Tue Nov 17, 2015 6:30 am
Posts: 70
that is awesome!!!! wow...
i got something to go on now.
So so grateful, thank you very much!!!

Still needs a bit of work though, will probably store the phrase in some file. Will have to chat to the sysadmin and see what he reckons, but I think he'll be happy with this for a "good enough" local solution.


Top
 Profile  
 PostPosted: Fri Mar 11, 2016 12:15 pm   

Joined: Mon Oct 20, 2014 9:53 am
Posts: 574
Don't get too excited.

This does not really solve the problem.
It just moves the task from reading stored passwords to call the decrypt routine.

What you want to achieve is not doable with these means.

This just stores the password encrypted.


Top
 Profile  
 PostPosted: Sat Mar 12, 2016 7:04 am   

Joined: Tue Nov 17, 2015 6:30 am
Posts: 70
To a degree what you stated is true, but I am replicating an existing working system which was created by others, using a file similar to the sample I posted above and using bash along with the apache xerces library. I would like to at least remove java as a dependency, but as you say, the password problem will remain, but at least I can hide the executable decrypting the password from other unix accounts, and it helps with integration testing, since users no longer have to type in a password based on a "read" at the unix terminal. Software releases can now be driven by a cron job or some other tool like Control-M or autosys, without human intervention. Password configuration of Oracle users is now simply a one-off configured task, instead of requiring daily intervention.


Top
 Profile  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 14 posts ] 

All times are UTC - 6 hours


Who is online

Users browsing this forum: No registered users and 20 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  


BashScripts | Promote Your Page Too
Powered by phpBB © 2011 phpBB Group
© 2003 - 2011 USA LINUX USERS GROUP