passlib.hash.grub_pbkdf2_sha512 - Grub’s PBKDF2 Hash

This class provides an implementation of Grub’s PBKDF2-HMAC-SHA512 password hash [1], as generated by the grub-mkpasswd-pbkdf2 command and found in Grub2 configuration files. PBKDF2 is a key derivation function [2] that is ideally suited as the basis for a password hash, as it provides variable-length salts and a variable number of rounds.

Interface

class passlib.hash.grub_pbkdf2_sha512

This class implements Grub’s pbkdf2-hmac-sha512 hash, and follows the PasswordHash API.

It supports a variable-length salt, and a variable number of rounds.

The using() method accepts the following optional keywords:

Parameters:
  • salt (bytes) – Optional salt bytes. If specified, the length must be between 0 and 1024 bytes. If not specified, a 64 byte salt will be autogenerated (this is recommended).
  • salt_size (int) – Optional number of bytes to use when autogenerating new salts. Defaults to 64 bytes, but can be any value between 0 and 1024.
  • rounds (int) – Optional number of rounds to use. Defaults to 19000, but must be within range(1,1<<32).
  • relaxed (bool) –

    By default, providing an invalid value for one of the other keywords will result in a ValueError. If relaxed=True, and the error can be corrected, a PasslibHashWarning will be issued instead. Correctable errors include rounds that are too small or too large, and salt strings that are too long.

    New in version 1.6.

Format & Algorithm

An example hash (of password) is:

grub.pbkdf2.sha512.10000.4483972AD2C52E1F590B3E2260795FDA9CA0B07B
96FF492814CA9775F08C4B59CD1707F10B269E09B61B1E2D11729BCA8D62B7827
B25B093EC58C4C1EAC23137.DF4FCB5DD91340D6D31E33423E4210AD47C7A4DF9
FA16F401663BF288C20BF973530866178FE6D134256E4DBEFBD984B652332EED3
ACAED834FEA7B73CAE851D

All of this scheme’s hashes have the format grub.pbkdf2.sha512.rounds.salt.checksum, where rounds is the number of iterations stored in decimal, salt is the salt string encoded using upper-case hexadecimal, and checksum is the resulting 64-byte derived key, also encoded in upper-case hexadecimal. It can be identified by the prefix grub.pbkdf2.sha512. (including the trailing dot).

The algorithm used is the same as pbkdf2_sha1: the password is encoded into UTF-8 if not already encoded, and passed through pbkdf2() along with the decoded salt, and the number of rounds. The result is then encoded into hexadecimal.
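
The format and derivation described above can be reproduced with the Python standard library alone. The following is an added example, not passlib's own code; the helper names parse_hash, make_hash and verify are assumptions made for illustration:

```python
import hashlib
import hmac
import os

PREFIX = "grub.pbkdf2.sha512."
HEX_UPPER = set("0123456789ABCDEF")
CHECKSUM_SIZE = 64  # bytes of derived key, per the format description


def _derive(password, salt, rounds):
    # Password is UTF-8 encoded unless already bytes, then run through PBKDF2-HMAC-SHA512.
    if isinstance(password, str):
        password = password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, rounds, CHECKSUM_SIZE)


def _unhex(field):
    # The format uses upper-case hex only; bytes.fromhex alone would also accept lower case.
    if len(field) % 2 or not set(field) <= HEX_UPPER:
        raise ValueError("field is not upper-case hexadecimal")
    return bytes.fromhex(field)


def parse_hash(hash_str):
    """Return (rounds, salt, checksum) or raise ValueError on malformed input."""
    if not hash_str.startswith(PREFIX):
        raise ValueError("missing grub.pbkdf2.sha512. prefix")
    parts = hash_str[len(PREFIX):].split(".")
    if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
        raise ValueError("expected rounds.salt.checksum")
    rounds, salt, checksum = int(parts[0]), _unhex(parts[1]), _unhex(parts[2])
    if not 1 <= rounds < (1 << 32) or len(salt) > 1024 or len(checksum) != CHECKSUM_SIZE:
        raise ValueError("rounds, salt or checksum out of range")
    return rounds, salt, checksum


def make_hash(password, rounds=19000, salt=None):
    """Build a hash string; a 64-byte random salt is used when none is given."""
    salt = os.urandom(64) if salt is None else salt
    digest = _derive(password, salt, rounds)
    return "%s%d.%s.%s" % (PREFIX, rounds, salt.hex().upper(), digest.hex().upper())


def verify(password, hash_str):
    """Recompute the derived key and compare it in constant time."""
    rounds, salt, checksum = parse_hash(hash_str)
    return hmac.compare_digest(_derive(password, salt, rounds), checksum)
```

Because rounds is read from the hash string itself, a verifier that accepts hashes from untrusted input should cap it well below the format's maximum, since each verification costs that many HMAC iterations.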

Footnotes

[1] Information about Grub’s password hashes - http://grub.enbug.org/Authentication.
[2] The specification for the PBKDF2 algorithm - http://tools.ietf.org/html/rfc2898#section-5.2.