**EDITOR** is empty, *pdnsutil* falls back to using *editor*.
get-meta *ZONE* [*ATTRIBUTE*]...
Get zone metadata. If no *ATTRIBUTE* given, lists all known.
-hash-password *PASSWORD*
- This convenience command returns a hashed and salted version of the
- password passed in parameter, for use as a webserver password or
- api key.
+hash-password
+ This convenience command asks for a password and returns a hashed
+ and salted version, for use as a webserver password or api key.
hash-zone-record *ZONE* *RNAME*
This convenience command hashes the name *RNAME* according to the
NSEC3 settings of *ZONE*. Refuses to hash for zones with no NSEC3
.. versionchanged:: 4.6.0
This setting now accepts a hashed and salted version.
-Static pre-shared authentication key for access to the REST API. Since 4.6.0 the key can be hashed and salted using ``rec_control hash-password APIKEY`` instead of being stored in the configuration in plaintext.
+Static pre-shared authentication key for access to the REST API. Since 4.6.0 the key can be hashed and salted using ``pdnsutil hash-password`` instead of being stored in the configuration in plaintext.
.. _setting-autosecondary:
- String
-Password required to access the webserver. Since 4.6.0 the password can be hashed and salted using ``pdnsutil hash-password PASS`` instead of being in plaintext.
+Password required to access the webserver. Since 4.6.0 the password can be hashed and salted using ``pdnsutil hash-password`` instead of being in plaintext.
.. _setting-webserver-port:
#include <sodium.h>
#endif
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
#include "credentials.hh"
#include "misc.hh"
return false;
#endif
}
+
+#include <signal.h>
+#include <termios.h>
+
+std::string CredentialsHolder::readFromTerminal()
+{
+ struct termios term;
+ struct termios oterm;
+ memset(&term, 0, sizeof(term));
+ term.c_lflag |= ECHO;
+ memset(&oterm, 0, sizeof(oterm));
+ oterm.c_lflag |= ECHO;
+ bool restoreTermSettings = false;
+ int termAction = TCSAFLUSH;
+#ifdef TCSASOFT
+ termAction |= TCSASOFT
+#endif
+
+ FDWrapper input(open("/dev/tty", O_RDONLY));
+ if (int(input) != -1) {
+ if (tcgetattr(input, &oterm) == 0) {
+ memcpy(&term, &oterm, sizeof(term));
+ term.c_lflag &= ~(ECHO | ECHONL);
+ tcsetattr(input, termAction, &term);
+ restoreTermSettings = true;
+ }
+ }
+ else {
+ input = FDWrapper(dup(STDIN_FILENO));
+ }
+ FDWrapper output(open("/dev/tty", O_WRONLY));
+ if (int(output) == -1) {
+ output = FDWrapper(dup(STDERR_FILENO));
+ }
+
+ struct std::map<int, struct sigaction> signals;
+ struct sigaction sa;
+ sigemptyset(&sa.sa_mask);
+ sa.sa_flags = 0;
+ sa.sa_handler = [](int s) { };
+ sigaction(SIGALRM, &sa, &signals[SIGALRM]);
+ sigaction(SIGHUP, &sa, &signals[SIGHUP]);
+ sigaction(SIGINT, &sa, &signals[SIGINT]);
+ sigaction(SIGPIPE, &sa, &signals[SIGPIPE]);
+ sigaction(SIGQUIT, &sa, &signals[SIGQUIT]);
+ sigaction(SIGTERM, &sa, &signals[SIGTERM]);
+ sigaction(SIGTSTP, &sa, &signals[SIGTSTP]);
+ sigaction(SIGTTIN, &sa, &signals[SIGTTIN]);
+ sigaction(SIGTTOU, &sa, &signals[SIGTTOU]);
+
+ std::string buffer;
+ /* let's allocate a huge buffer now to prevent reallocation,
+ which would leave parts of the buffer around */
+ buffer.reserve(512);
+
+ for (;;) {
+ char ch = '\0';
+ auto got = read(input, &ch, 1);
+ if (got == 1 && ch != '\n' && ch != '\r') {
+ buffer.push_back(ch);
+ }
+ else {
+ break;
+ }
+ }
+
+ if (!(term.c_lflag & ECHO)) {
+ if (write(output, "\n", 1) != 1) {
+ /* the compiler _really_ wants the result of write() to be checked.. */
+ }
+ }
+
+ if (restoreTermSettings) {
+ tcsetattr(input, termAction, &oterm);
+ }
+
+ for (const auto& sig : signals) {
+ sigaction(sig.first, &sig.second, nullptr);
+ }
+
+#ifdef HAVE_LIBSODIUM
+ sodium_mlock(buffer.data(), buffer.size());
+#endif
+
+ return buffer;
+}
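Review bot: `termAction |= TCSASOFT` under `#ifdef TCSASOFT` has no terminating semicolon, so on platforms that define TCSASOFT the following `FDWrapper input(...)` declaration is swallowed into that expression and the file does not compile; it should read `termAction |= TCSASOFT;`. The read loop then treats a failed `read()` — including EINTR caused by one of the no-op handlers installed just above when the user hits Ctrl-C — exactly like end-of-line, so a partially typed secret is returned and the caller hashes and prints it as if it were complete; the rewrite below clears the buffer when `got < 0` before breaking out (it must not `throw` there, because the termios and signal restores further down are not RAII-guarded and would be skipped). The result of `tcsetattr(input, termAction, &term)` is also unchecked; if it fails, echo stays on while the password is typed, so only set `restoreTermSettings` on success and consider bailing out otherwise. Lastly, `<signal.h>` and `<termios.h>` are pulled in mid-file instead of in the include block at the top, and `memset`/`memcpy`/`std::map` rely on `<cstring>`/`<map>` arriving transitively.
```cpp
  for (;;) {
    char ch = '\0';
    auto got = read(input, &ch, 1);
    if (got == 1 && ch != '\n' && ch != '\r') {
      buffer.push_back(ch);
      continue;
    }
    if (got < 0) {
      /* read error or EINTR: never hand back a partial secret as if it were complete */
      buffer.clear();
    }
    break;
  }
  // … unchanged: newline echo, termios and signal restore, mlock, return …
```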
*/
#pragma once
+#include <memory>
#include <string>
std::string hashPassword(const std::string& password);
}
static bool isHashingAvailable();
+ static std::string readFromTerminal();
private:
std::string d_credentials;
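Review bot: The new `readFromTerminal()` declaration carries no comment on its contract, and the name does not convey it: the implementation reads from `/dev/tty` (falling back to a dup of stdin) with echo disabled and returns whatever preceded the first newline, EOF or read error, which may be an empty string. A one-line comment such as `/// Reads one line from the controlling terminal (stdin if none) with echo off; may return an empty string on EOF or error, callers must check.` would tell callers to handle the empty case.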
cout<<"generate-zone-key {zsk|ksk} [ALGORITHM] [BITS]"<<endl;
cout<<" Generate a ZSK or KSK to stdout with specified ALGORITHM and BITS"<<endl;
cout<<"get-meta ZONE [KIND ...] Get zone metadata. If no KIND given, lists all known"<<endl;
- cout<<"hash-password PASSWORD Take a plaintext password or api key and output a hashed and salted version"<<endl;
+ cout<<"hash-password Ask for a plaintext password or api key and output a hashed and salted version"<<endl;
cout<<"hash-zone-record ZONE RNAME Calculate the NSEC3 hash for RNAME in ZONE"<<endl;
#ifdef HAVE_P11KIT1
cout<<"hsm assign ZONE ALGORITHM {ksk|zsk} MODULE SLOT PIN LABEL"<<endl<<
return 0;
}
else if (cmds[0]=="hash-password") {
- if (cmds.size() < 2) {
- cerr<<"Syntax: pdnsutil hash-password PASSWORD"<<endl;
- return 0;
- }
- cout<<hashPassword(cmds.at(1))<<endl;
+ auto password = CredentialsHolder::readFromTerminal();
+ cout<<hashPassword(password)<<endl;
return 0;
}
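Review bot: `password` is hashed without checking whether anything was actually read; `readFromTerminal()` returns whatever preceded the first newline, EOF or read error, so with no controlling terminal and an empty or closed stdin this prints the digest of an empty string without complaint. Add `if (password.empty()) { cerr<<"Error: no password read"<<endl; return 1; }` before the `hashPassword` call. The same applies to the rec_control hunk below (`else if (commands.at(i) == "hash-password")`), where a `PDNSException` like the one in the branch the commit removes would be the natural response.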
}
}
else if (commands.at(i) == "hash-password") {
- if (commands.size() > (i + 1)) {
- ++i;
- auto password = commands.at(i);
- cout << hashPassword(password) << endl;
- return 0;
- }
- else {
- throw PDNSException("Command needs a password argument");
- }
+ auto password = CredentialsHolder::readFromTerminal();
+ cout << hashPassword(password) << endl;
+ return 0;
}
++i;
}
Retrieves QType statistics. Queries from cache aren't being counted yet.
hash-password
- Hash and salt the given password, to use as a webserver password or
- API key. This command does not contact the recursor but does the
- hashing inside rec_control.
+ Asks for a password then returns the hashed and salted version,
+ to use as a webserver password or API key. This command does
+ not contact the recursor but does the hashing inside rec_control.
help
Shows a list of supported commands understood by the running
- String
- Default: unset
-Static pre-shared authentication key for access to the REST API. Since 4.6.0 the key can be hashed and salted using ``rec_control hash-password APIKEY`` instead of being stored in the configuration in plaintext.
+Static pre-shared authentication key for access to the REST API. Since 4.6.0 the key can be hashed and salted using ``rec_control hash-password`` instead of being stored in the configuration in plaintext.
.. _setting-api-readonly:
- String
- Default: unset
-Password required to access the webserver. Since 4.6.0 the password can be hashed and salted using ``rec_control hash-password PASS`` instead of being in plaintext.
+Password required to access the webserver. Since 4.6.0 the password can be hashed and salted using ``rec_control hash-password`` instead of being in plaintext.
.. _setting-webserver-port: