{{tag>Mdp Random}}

# Generate a password

A good password contains: an uppercase letter, a lowercase letter, a hyphen, a prime number, a haiku, a hieroglyph, an astrological symbol, and the blood of a virgin.

Keepassx / Keepass provides a password generator.

Generating a password yourself: [Gérer ses mots de passe](https://www.geekarea.fr/wordpress/?p=226)

Otherwise:

~~~bash
dd if=/dev/random bs=1 count=75 2>/dev/null | base64
~~~

or

~~~bash
# LC_ALL=C makes tr treat the input as raw bytes
LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c10
~~~

For a decimal code

~~~bash
# $RANDOM is bash's non-cryptographic PRNG (0-32767 per call): not for secrets
echo "$RANDOM$RANDOM"
~~~

Randomly A or B

~~~bash
r=(A B)
echo "${r[RANDOM%2]}"
~~~

With pwgen

~~~bash
pwgen -Bs1 16
pwgen -y1 16
~~~

With OpenSSL

~~~bash
openssl rand -hex 10
openssl rand -base64 16 | sed -e "y/\\/+/\$_/" -e "s/=//g"
openssl rand 300 | perl -pe 's/[^[:ascii:]]|[[:space:]]|\"//g' | tr -d "'\{}\n"
~~~

With apg

~~~bash
apg -q -a 0 -n 1 -m 12 -M NCL
apg -a 1 -m 32 -n 1 -M NCL
~~~

With GPG

~~~bash
gpg --gen-random --armor 0 24
~~~

With Ansible \\ ''community.general.random''

## Generate a password hash

MD5 hash

~~~bash
mkpasswd --hash=md5 "$PASS"
~~~

SHA-512 hash (''$6$'', the GNU/Linux default in /etc/shadow)

~~~bash
mkpasswd --method=sha-512
~~~

~~~bash
# Prompts for the password
openssl passwd -6 -salt MySaltPlop
# Read the password from stdin: a bare <(echo ...) argument would hash the /dev/fd/N path itself
openssl passwd -6 -stdin <<< 'P@ssw0rd'
~~~

~~~
$ man crypt
       ID  | Method
       ─────────────────────────────────────────────────────────
       1   | MD5
       2a  | Blowfish (not in mainline glibc; added in some
           | Linux distributions)
       5   | SHA-256 (since glibc 2.7)
       6   | SHA-512 (since glibc 2.7)
~~~

## Other

~~~bash
/usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist
~~~

## Entropy /dev/urandom

The Linux kernel provides random number generation through two devices, /dev/random and /dev/urandom, with different properties:

* ''/dev/random'' should be suitable for uses that need very high quality randomness such as one-time pad or key generation. "When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered" (''random(4)'').
* ''/dev/urandom'' will not block, but the quality of its randomness may be lower.

The kernel maintains an entropy pool for these devices. The entropy pool is fed by entropy sources of the system, typically coming from the keyboard, the mouse, and some other device drivers or IRQs. Entropy from the entropy pool is consumed in the generation of random data (i.e. through reads from /dev/random and /dev/urandom).

See:

* [BoottimeEntropyStarvation](https://wiki.debian.org/BoottimeEntropyStarvation)
* https://linuxfr.org/news/cryptographie-embarquee-briques-de-base-et-communication-avec-serialguard#toc-g%C3%A9n%C3%A9rateur-dal%C3%A9atoire
* https://www.deltasight.fr/entropie-linux-generation-nombres-aleatoires/
* https://wiki.openstack.org/wiki/LibvirtVirtioRng
* https://wiki.openstack.org/wiki/VirtEntropyProvision

See also: haveged, rng-tools, rngd, crng

rng-tools

The rng-tools and haveged support the "jitter" entropy source, which uses small CPU timing variances to provide some entropy.

See one-rng

* [one-rng](https://onerng.info/)
* https://github.com/drduh/YubiKey-Guide

Hardware:

* OneRNG
* FST-01 (Flying Stone Tiny ZERO-ONE)
* Infinite Noise TRNG

Check the available entropy

~~~bash
cat /proc/sys/kernel/random/entropy_avail
~~~

#### rngd - rng-tools

On Red Hat

~~~bash
yum install rng-tools
systemctl enable --now rngd
~~~

~~~
# systemctl status rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
   Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2024-01-11 11:37:01 CET; 3 weeks 5 days ago
 Main PID: 1170 (rngd)
    Tasks: 2 (limit: 48756)
   Memory: 3.3M
   CGroup: /system.slice/rngd.service
           └─1170 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist -x qrypt -D daemon:daemon
~~~

### Non-preferred method: seed randomness source from non-blocking source

Source: https://access.redhat.com/solutions/19866

NOTE: This method is potentially insecure.
This method should only be used when no other source of entropy can be supplied, and software cannot be changed to use an alternative source besides /dev/random.

You can see the entropy value using the following command:

~~~bash
cat /proc/sys/kernel/random/entropy_avail
~~~

Now, start the rngd daemon using the following command and monitor the entropy on the system:

~~~bash
rngd -r /dev/urandom -o /dev/random
watch -n 1 cat /proc/sys/kernel/random/entropy_avail
~~~

NOTE: Seeding /dev/random with data derived from /dev/urandom plays a trick on the system: the entropy_avail reported will increase, but the real entropy is actually decreasing. A software-only random number generator like rngd is not a proper substitute for a good hardware random number generator. Do not use rngd in this fashion unless you understand and accept this difference.

### Other

See

* /dev/hwrng
* /sys/class/misc/hw_random
* /sys/class/misc/hw_random/rng_available
* /sys/class/misc/hw_random/rng_curren

If you run the following, you may see that the available entropy is very low (< 128) and thus reading from /dev/random is likely to block.

~~~bash
while sleep 1; do cat /proc/sys/kernel/random/entropy_avail ; done
~~~

You can set this temporarily to 1024 (default is 64):

~~~bash
echo 1024 > /proc/sys/kernel/random/read_wakeup_threshold
~~~

### Test

An entropy source can be tested for (FIPS-compliant) randomness using rng-tools or rng-utils.

~~~bash
rngtest -c 1000 /dev/null
# infnoise --debug --no-output
Generated 1048576 bits. OK to use data.
Estimated entropy per bit: 0.875409, estimated K: 1.834528
num1s:50.805635%, even misfires:0.232630%, odd misfires:0.162635%
Generated 2097152 bits. OK to use data.
Estimated entropy per bit: 0.871953, estimated K: 1.830139
num1s:51.022205%, even misfires:0.206471%, odd misfires:0.139980%
Generated 3145728 bits. OK to use data.
Estimated entropy per bit: 0.872259, estimated K: 1.830528
num1s:50.800612%, even misfires:0.197788%, odd misfires:0.170402%
~~~

~~~
# systemctl status infnoise
● infnoise.service - Wayward Geek InfNoise TRNG driver
     Loaded: loaded (/lib/systemd/system/infnoise.service; enabled; preset: enabled)
     Active: active (running) since Mon 2023-07-24 20:23:18 CEST; 2min 46s ago
       Docs: man:infnoise.service(8)
    Process: 43156 ExecStart=/usr/sbin/infnoise --dev-random --daemon --pidfile /var/run/infnoise.pid (code=exited, status=0/SUCCESS)
   Main PID: 43157 (infnoise)
      Tasks: 1 (limit: 8733)
     Memory: 588.0K
        CPU: 69ms
     CGroup: /system.slice/infnoise.service
             └─43157 /usr/sbin/infnoise --dev-random --daemon --pidfile /var/run/infnoise.pid

Jul 24 20:23:18 vivobela systemd[1]: Starting infnoise.service - Wayward Geek InfNoise TRNG driver...
Jul 24 20:23:18 vivobela systemd[1]: Started infnoise.service - Wayward Geek InfNoise TRNG driver.
~~~

~~~bash
systemctl status dev-infnoise.device
~~~
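
To show what a FIPS-style check of an entropy source actually measures, here is an added example (not from the original page and not rng-tools code) of the monobit test from the FIPS 140-2 statistical tests that rngtest applies to each 20000-bit block. The function names are hypothetical, and monobit is only one of the tests rngtest runs.

```shell
#!/usr/bin/env bash
# Added example: FIPS 140-2 monobit check on one 20000-bit block (2500 bytes).

# Count the 1-bits in the first 2500 bytes read from stdin.
# Prints the count; returns 2 if fewer than 2500 bytes were available.
monobit_ones() {
    local ones=0 n=0 byte
    # od prints each byte as an unsigned decimal, so the shell can do the bit math
    for byte in $(head -c 2500 | od -An -v -tu1); do
        n=$((n + 1))
        while [ "$byte" -gt 0 ]; do
            ones=$((ones + (byte & 1)))
            byte=$((byte >> 1))
        done
    done
    [ "$n" -eq 2500 ] || return 2
    echo "$ones"
}

# Succeeds only if the number of ones is strictly between 9725 and 10275,
# the FIPS 140-2 monobit bounds for a 20000-bit block.
monobit_pass() {
    local ones
    ones=$(monobit_ones) || return 2
    [ "$ones" -gt 9725 ] && [ "$ones" -lt 10275 ]
}

# Usage: monobit_pass < /dev/hwrng && echo "monobit OK"
# A constant 0x55 byte pattern has exactly 10000 ones and passes this check,
# which is why a balanced bit count alone says little about randomness.
```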
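
Returning to the crypt(3) ID table in the password-hash section earlier on this page: the following added example (not the page's or any project's code) parses `$id$[rounds=N$]salt$hash` strings and lists shadow(5)-style entries that are neither SHA-512 nor locked. The function names and sample lines are constructed, and only the IDs from the page's table are recognised.

```shell
#!/usr/bin/env bash
# Added example: classify crypt(3) strings using the ID table quoted on this page.

# Constructed shadow(5)-style sample; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW='root:$6$MySaltPlop$PLACEHOLDER:19000:0:99999:7:::
alice:$1$abcdefgh$PLACEHOLDER:19000:0:99999:7:::
bob:$5$rounds=5000$saltsalt$PLACEHOLDER:19000:0:99999:7:::
svc:!:19000::::::
guest::19000::::::'

# Print "METHOD rounds=N salt=S" for a crypt string, or empty / locked / unknown.
crypt_info() {
    local h=$1 id rest method rounds=default salt
    case "$h" in
        '')        echo empty; return ;;    # no password required
        '!'*|'*'*) echo locked; return ;;   # password login disabled
        \$*\$*)    ;;
        *)         echo unknown; return ;;
    esac
    rest=${h#\$}; id=${rest%%\$*}; rest=${rest#*\$}
    case "$id" in
        1)  method=MD5 ;;
        2a) echo Blowfish; return ;;        # salt and hash are not '$'-separated
        5)  method=SHA-256 ;;
        6)  method=SHA-512 ;;
        *)  echo unknown; return ;;         # ID not in the page's table
    esac
    case "$rest" in                         # optional "rounds=N$" prefix (SHA-crypt)
        rounds=*) rounds=${rest%%\$*}; rounds=${rounds#rounds=}; rest=${rest#*\$} ;;
    esac
    salt=${rest%%\$*}
    echo "$method rounds=$rounds salt=$salt"
}

# Read "user:hash:..." lines on stdin; list entries that are neither SHA-512 nor locked.
audit_shadow() {
    local user hash rest
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        case "$(crypt_info "$hash")" in
            SHA-512*|locked) ;;
            *) echo "$user: $(crypt_info "$hash")" ;;
        esac
    done
}

# Usage: printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```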