Creating password hashes for OSX 10.9

asked 2014-10-03 10:58:53 -0600

some_guy

updated 2014-10-05 13:04:38 -0600

Gary S


I'm looking for a way to create password hashes for OSX 10.9 from a script. I've tried all the examples I can find online, but none of them seem to work. With any password I create (with any utility or library), I always get the error:

OS X versions > 10.7 require a Salted SHA512 PBKDF2 password hash of 256 characters. Please check your password and try again.

I've had luck setting a password on a Mac and using "puppet resource user <username>" to get all of the information, but this script may run from Linux as well, so that's not an ideal solution.

Here's an example of how I'm setting the user (not actual hash being used in this example):

 user { "root":
    ensure              => present,
    comment             => "root",
    gid                 => 0,
    uid                 => 0,
    shell               => "/bin/bash",
    home                => "/var/root",
    password            => 't/4U9X33A6E19ONpx6JQDiYvK6qjUuAZ9GiVt19F36zAHEM...',
    salt                => '3/r.g89j...',
    iterations          => '31250',
 }

Has anyone been able to successfully generate OSX passwords (salt, iterations, and hash), or have an idea of what I may be doing incorrectly?


2 Answers


answered 2015-08-27 15:02:41 -0600

syphrix

elyscape's solution didn't quite work for me, but it put me on the right track. I wrote another script that's a bit simpler and just uses the ruby standard library. No gems needed. Just change the password to what you like, run it, and it prints out the lines needed for the user resource.

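#!/usr/bin/env ruby

require 'openssl'

password   = 'password'
# 32 random bytes of salt, generated fresh on every run
salt       = OpenSSL::Random.random_bytes(32)
iterations = 40_000
# SHA512 is the digest named in the "Salted SHA512 PBKDF2" error message
digest     = OpenSSL::Digest::SHA512.new
# A 128-byte derived key hex-encodes to the required 256 characters
hash       = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 128, digest)

puts "password   => '#{hash.unpack('H*').first}',"
puts "salt       => '#{salt.unpack('H*').first}',"
puts "iterations => #{iterations}"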
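Added example, not code from either answer or from Puppet: the OpenSSL standard-library approach wrapped in functions, with a format check based on the wording of the error message in the question (256 hex characters) and a round-trip check that a password re-derives to the stored hash. The function names and the hex-salt check are assumptions made for this example.

```ruby
require 'openssl'

KEY_BYTES = 128 # 128 bytes hex-encode to the 256 characters in the error message

# Build the three user-resource fields. `salt` is raw bytes; pass one in only
# to reproduce an existing hash, otherwise 32 random bytes are generated.
def osx_password_fields(password, iterations: 40_000,
                        salt: OpenSSL::Random.random_bytes(32))
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_BYTES,
                                   OpenSSL::Digest.new('SHA512'))
  { password: key.unpack1('H*'), salt: salt.unpack1('H*'), iterations: iterations }
end

# Format check (assumed from the error text and the answers' output): 256 hex
# characters of hash, a hex salt, and a positive iteration count.
def well_formed?(fields)
  fields[:password].to_s.match?(/\A\h{256}\z/) &&
    fields[:salt].to_s.match?(/\A(?:\h\h)+\z/) &&
    fields[:iterations].to_i.positive?
end

# Re-derive the hash from a candidate password and the stored salt and
# iteration count, then compare in constant time.
def password_matches?(candidate, fields)
  return false unless well_formed?(fields)
  salt = [fields[:salt]].pack('H*')
  derived = osx_password_fields(candidate, salt: salt,
                                iterations: fields[:iterations].to_i)
  OpenSSL.fixed_length_secure_compare(derived[:password],
                                      fields[:password].downcase)
end

if __FILE__ == $PROGRAM_NAME
  fields = osx_password_fields('example-passphrase') # constructed sample password
  abort 'generated fields are malformed' unless well_formed?(fields)
  abort 'round trip failed' unless password_matches?('example-passphrase', fields)
  puts "password   => '#{fields[:password]}',"
  puts "salt       => '#{fields[:salt]}',"
  puts "iterations => #{fields[:iterations]},"
end
```

A value that is not 256 hex characters, such as a crypt-style or base64 string, fails `well_formed?` before any derivation is attempted.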

answered 2015-02-02 18:31:24 -0600

elyscape

If you can run Ruby on your system, you can use the following script to generate a password and salt suitable for use with Puppet on OS X 10.8+.

require 'openssl'
require 'pbkdf2'
require 'securerandom'
require 'highline/import'

# Prompt without echoing; an empty password is rejected
password = ask("Password: ") { |q|
  q.echo = false
  q.validate = /\A.+\Z/
}
iterations = ask("Iterations: ", Integer) { |q|
  q.default = SecureRandom.random_number(10000) + 25000
  # OS X iterations are generally within 5000 of 30000
}
salt = ask("Salt (leave blank to generate one): ") { |q|
  q.validate = /\A\Z|.{32}/
}
salt = SecureRandom.random_bytes(32) if salt.empty?
hasher = PBKDF2.new do |p|
  p.password = password
  p.salt = salt
  p.iterations = iterations
  # SHA512 is the digest named in the "Salted SHA512 PBKDF2" error message
  p.hash_function = OpenSSL::Digest::SHA512
  p.key_length = 128
end
result = hasher.hex_string
puts "Resource info:"
puts "  password   => '#{result}',"
puts "  salt       => '#{salt.unpack('H*').first}',"
puts "  iterations => #{iterations},"

In order to use it, you will need to install the highline and pbkdf2-ruby gems. Once you've done so, save the script as a file like generate_password.rb and execute ruby generate_password.rb in a command line.



I attempted to use this, but there appears to be a bug with the pbkdf2 gem. I went to the project's GitHub page but it looks a little neglected. Turns out you can do all this with the Ruby standard library with OpenSSL. I'll post my solution as another answer.

syphrix (2015-08-27 14:56:36 -0600)


Asked: 2014-10-03 10:58:53 -0600

Seen: 2,246 times

Last updated: Feb 02 '15