Diffstat (limited to 'scripts')
-rw-r--r--scripts/set_password.rb10
1 files changed, 7 insertions, 3 deletions
diff --git a/scripts/set_password.rb b/scripts/set_password.rb
index 0b83861..16e7dec 100644
--- a/scripts/set_password.rb
+++ b/scripts/set_password.rb
@@ -3,19 +3,24 @@
# Usage: ruby scripts/set_password.rb
# Sets (or resets) the admin password in config.yml.
-require 'bcrypt'
+require 'openssl'
require 'yaml'
require 'securerandom'
CONFIG_PATH = ENV['CONFIG_PATH'] || '/opt/albumen/config.yml'
+ITERATIONS = 100_000
print 'New admin password: '
STDOUT.flush
password = $stdin.gets&.chomp
abort 'No password given.' if password.nil? || password.strip.empty?
+salt = SecureRandom.hex(32)
+digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'SHA256')
+hash = "pbkdf2_sha256$#{ITERATIONS}$#{salt}$#{digest.unpack1('H*')}"
+
config = File.exist?(CONFIG_PATH) ? (YAML.load_file(CONFIG_PATH) || {}) : {}
-config['admin_password_hash'] = BCrypt::Password.create(password).to_s
+config['admin_password_hash'] = hash
config['session_secret'] ||= SecureRandom.hex(32)
tmp = "#{CONFIG_PATH}.tmp.#{Process.pid}"
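Review bot: The PBKDF2 work factor introduced on the `ITERATIONS = 100_000` line is below the current OWASP guidance of 600,000 iterations for PBKDF2-HMAC-SHA256, and since this replaces bcrypt (which is considerably harder to attack on GPUs per unit of cost) the net effect is a weaker admin hash than before; a swap to PBKDF2 should come with a correspondingly higher count, e.g. `ITERATIONS = 600_000`. The derivation also goes through `OpenSSL::PKCS5.pbkdf2_hmac`, which is the legacy alias; the maintained API is `digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: 'SHA256')`. The stored string embeds the iteration count, which is good, but the verifier that parses `pbkdf2_sha256$…` is not in this diff, so it is worth confirming it reads the count from the hash rather than the constant, compares the digest in constant time, and still accepts (or forces a reset of) bcrypt hashes already present in deployed config.yml files. A comment on the `ITERATIONS` line recording the chosen count's rationale would help the next person tune it.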
@@ -23,7 +28,6 @@ File.write(tmp, config.to_yaml)
File.rename(tmp, CONFIG_PATH)
File.chmod(0o600, CONFIG_PATH)
-# Ensure the service user can read the file even when this script is run as root.
begin
require 'etc'
pw = Etc.getpwnam('albumen')