Generate and verify Cisco-compatible PBKDF2 password hashes (ASA & IOS/IOS-XE)
Project description
cisco-hashgen
Generate and verify Cisco-compatible PBKDF2 password hashes from the command line.
Supported formats
- ASA: PBKDF2-HMAC-SHA512 —
$sha512$<iter>$<Base64(salt)>$<Base64(dk16)> - IOS / IOS-XE Type 8: PBKDF2-HMAC-SHA256 —
$8$<Cisco64(salt10)>$<Cisco64(dk32)>
Install
Requires: Python 3.8+ (tested on 3.8–3.13)
python3 -m pip install cisco-hashgen
Why this exists
-
Bootstrap without plaintext
Pre-generate hashes offline and embed them in config templates—without storing or echoing the cleartext password. -
Verify existing hashes offline
Check if a password matches a Cisco hash without touching the device.
Hashes are only as strong as the password and parameters. Prefer long, random passphrases; keep iteration counts at Cisco defaults (or higher where supported); and protect generated hashes like any credential artifact.
Quick start
Generate ASA (PBKDF2-SHA512)
# interactive (masked)
cisco-hasgen
cisco-hashgen -asa
Note: cisco-hashgen defaults to -asa output but you can specify -asa for clarity.
Generate IOS/IOS-XE Type 8 (PBKDF2-SHA256)
# interactive (masked)
cisco-hashgen -ios8
Verify a hash (offline)
# ASA
cisco-hashgen -v '$sha512$5000$...$...'
# IOS/IOS-XE Type 8
cisco-hashgen -v '$8$SALT$HASH'
One-liner verify (stdin + -v)
echo 'My S3cr3t!' | cisco-hashgen -ios8 -quiet -v '$8$HxHoQOhOgadA7E==$HjROgK8oWfeM45/EHbOwxCC328xBBYz2IF2BevFOSok='
Supplying passwords securely
A) Interactive (masked, safest)
cisco-hashgen -asa
B) Shell read (no secret in history)
read -rs PW && printf '%s' "$PW" | cisco-hashgen -asa -quiet && unset PW
# or use env var:
read -rs PW && CISCO_HASHGEN_PWD="$PW" cisco-hashgen -ios8 -env CISCO_HASHGEN_PWD -quiet && unset PW
C) macOS Keychain (GUI → CLI)
- Open Keychain Access → add a new password item (e.g., Service:
HASHGEN_PW). - Use it without revealing plaintext:
security find-generic-password -w -s HASHGEN_PW | cisco-hashgen -asa -quiet
Remove later with:security delete-generic-password -s HASHGEN_PW
D) pass (Password Store)
brew install pass gnupg
gpg --quick-generate-key "Your Name <you@example.com>" default default never
gpg --list-secret-keys --keyid-format LONG
pass init <YOUR_LONG_KEY_ID>
pass insert -m network/asa/admin <<'EOF'
Str0ngP@ss!
EOF
pass show network/asa/admin | head -n1 | cisco-hashgen -ios8 -quiet
E) CI secret environment variable (GitHub Actions)
- name: Generate ASA hash
env:
CISCO_HASHGEN_PWD: ${{ secrets.CISCO_HASHGEN_PWD }}
run: |
cisco-hashgen -asa -env CISCO_HASHGEN_PWD -quiet > hash.txt
Quoting cheatsheet (very important)
- Always single-quote
$sha512.../$8$...hashes to avoid$expansion:cisco-hashgen -v '$sha512$5000$...$...'
- For passwords with spaces or shell characters, prefer interactive input,
read -rs, Keychain, orpass. - If you must put a password on the command line (not recommended), single-quote it; if it contains a single quote, use:
'pa'"'"'ss'
CLI
usage: cisco-hashgen [-asa | -ios8] [-v HASH] [-iter N] [-salt-bytes N]
[-minlen N] [-maxlen N] [-pwd STRING] [-env VAR]
[-quiet] [-no-color] [-no-prompt] [--version]
-asa— Generate ASA PBKDF2 (SHA-512). Default mode.-ios8— Generate IOS/IOS-XE Type 8 PBKDF2-SHA256.-v, -verify HASH— Verify a candidate password against an existing hash.-iter N— Override iterations (ASA default 5000; IOS8 fixed 20000).-salt-bytes N— Override salt length (ASA default 16; IOS8 default 10).-minlen N,-maxlen N— Validation bounds (defaults 8 and 1024).-pwd STRING— Password literal (quote it if it has spaces/shell chars).-env VAR— Read password from environment variableVAR.-quiet— Suppress banners and extra output.-no-color— Disable ANSI coloring in help/banners.-no-prompt— Fail if no non-interactive password is provided (stdin/-pwd/-env). Useful for CI.--version— Print version and exit.
Exit codes
0— Success / verified match1— Verify mismatch2— Unsupported/invalid hash format3— Password validation error4— No password provided and-no-promptset130— User interrupted (Ctrl-C)
Technical notes
- ASA: PBKDF2-HMAC-SHA512; iterations stored; salt Base64; first 16 bytes of DK stored.
- IOS/IOS-XE Type 8: PBKDF2-HMAC-SHA256; 20000 iterations (fixed); salt 10 bytes; Cisco Base64 alphabet (
./0..9A..Za..z).
Compatibility
- Python 3.8+ (tested on 3.8–3.13)
- macOS / Linux / WSL
License
MIT © Gilbert Mendoza
Changelog
- 1.2.0
- Added
--version - Added
-no-promptfor CI-safe verify/generate - Improved help text (quoting guide)
- Clean Ctrl-C exits (130)
- Improved README
- Added
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
cisco_hashgen-1.2.0.tar.gz
(10.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cisco_hashgen-1.2.0.tar.gz.
File metadata
- Download URL: cisco_hashgen-1.2.0.tar.gz
- Upload date:
- Size: 10.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cff7c639f033dcae7286e50e114e2957f0727145d54a42ccc34110a4b5116d02
|
|
| MD5 |
0da09309766b54144f463c13ab85587c
|
|
| BLAKE2b-256 |
6d063137b947e5db0aeb88d5fd55ddee2ff7281381aa21175ee3d19198fd6dda
|
File details
Details for the file cisco_hashgen-1.2.0-py3-none-any.whl.
File metadata
- Download URL: cisco_hashgen-1.2.0-py3-none-any.whl
- Upload date:
- Size: 8.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
70f78ba3ef0238a56cf322be41a814f6abc529b16190a09d56a2bb375ea8789d
|
|
| MD5 |
9017c89e7f2a6617ff63e3627d3a9ce7
|
|
| BLAKE2b-256 |
6141f7a9c70f02f250cbb6a09cbe4962d29d526a1ec6ca561801bea0ac6cdd50
|
