Generate and verify Cisco-compatible PBKDF2 password hashes (ASA & IOS/IOS-XE)
cisco-hashgen
Generate and verify Cisco-compatible PBKDF2 password hashes for ASA & IOS/IOS-XE from the command line.
Supported formats
- ASA (PBKDF2-HMAC-SHA512): $sha512$<iter>$<Base64(salt)>$<Base64(dk16)>
- IOS / IOS-XE Type 8 (PBKDF2-HMAC-SHA256): $8$<Cisco64(salt10)>$<Cisco64(dk32)>
Install
Requires: Python 3.8+ (tested on 3.8–3.13)
python3 -m pip install cisco-hashgen
Why this exists
- Bootstrap without plaintext: Pre-generate hashes offline and embed them in config templates, without storing or echoing the cleartext password.
- Verify existing hashes offline: Check if a password matches a Cisco hash without touching the device.
Hashes are only as strong as the password and parameters. Prefer long, random passphrases; keep iteration counts at Cisco defaults (or higher where supported); and protect generated hashes like any credential artifact.
Quick start
Generate ASA (PBKDF2-SHA512)
# interactive (masked)
cisco-hashgen
cisco-hashgen -asa
Note: cisco-hashgen defaults to -asa output but you can specify -asa for clarity.
Generate IOS/IOS-XE Type 8 (PBKDF2-SHA256)
# interactive (masked)
cisco-hashgen -ios8
Verify a hash (offline)
# ASA
cisco-hashgen -v '$sha512$5000$...$...'
# IOS/IOS-XE Type 8
cisco-hashgen -v '$8$SALT$HASH'
One-liner verify (stdin + -v)
echo 'My S3cr3t!' | cisco-hashgen -ios8 -quiet -v '$8$HxHoQOhOgadA7E==$HjROgK8oWfeM45/EHbOwxCC328xBBYz2IF2BevFOSok='
Supplying passwords securely
A) Interactive (masked, safest)
cisco-hashgen -asa
B) Shell read (no secret in history)
read -rs PW && printf '%s' "$PW" | cisco-hashgen -asa -quiet && unset PW
# or use env var:
read -rs PW && CISCO_HASHGEN_PWD="$PW" cisco-hashgen -ios8 -env CISCO_HASHGEN_PWD -quiet && unset PW
C) macOS Keychain (GUI → CLI)
- Open Keychain Access → add a new password item (e.g., Service: HASHGEN_PW).
- Use it without revealing plaintext:
security find-generic-password -w -s HASHGEN_PW | cisco-hashgen -asa -quiet
Remove later with: security delete-generic-password -s HASHGEN_PW
D) pass (Password Store)
brew install pass gnupg
gpg --quick-generate-key "Your Name <you@example.com>" default default never
gpg --list-secret-keys --keyid-format LONG
pass init <YOUR_LONG_KEY_ID>
pass insert -m network/asa/admin <<'EOF'
Str0ngP@ss!
EOF
pass show network/asa/admin | head -n1 | cisco-hashgen -ios8 -quiet
E) CI secret environment variable (GitHub Actions)
- name: Generate ASA hash
  env:
    CISCO_HASHGEN_PWD: ${{ secrets.CISCO_HASHGEN_PWD }}
  run: |
    cisco-hashgen -asa -env CISCO_HASHGEN_PWD -quiet > hash.txt
Quoting cheatsheet (very important)
- Always single-quote $sha512... / $8$... hashes to avoid $ expansion: cisco-hashgen -v '$sha512$5000$...$...'
- For passwords with spaces or shell characters, prefer interactive input, read -rs, Keychain, or pass.
- If you must put a password on the command line (not recommended), single-quote it; if it contains a single quote, use: 'pa'"'"'ss'
CLI
usage: cisco-hashgen [-asa | -ios8] [-v HASH] [-iter N] [-salt-bytes N]
[-minlen N] [-maxlen N] [-pwd STRING] [-env VAR]
[-quiet] [-no-color] [-no-prompt] [--version]
- -asa: Generate ASA PBKDF2 (SHA-512). Default mode.
- -ios8: Generate IOS/IOS-XE Type 8 PBKDF2-SHA256.
- -v, -verify HASH: Verify a candidate password against an existing hash.
- -iter N: Override iterations (ASA default 5000; IOS8 fixed 20000).
- -salt-bytes N: Override salt length (ASA default 16; IOS8 default 10).
- -minlen N, -maxlen N: Validation bounds (defaults 8 and 1024).
- -pwd STRING: Password literal (quote it if it has spaces/shell chars).
- -env VAR: Read password from environment variable VAR.
- -quiet: Suppress banners and extra output.
- -no-color: Disable ANSI coloring in help/banners.
- -no-prompt: Fail if no non-interactive password is provided (stdin/-pwd/-env). Useful for CI.
- --version: Print version and exit.
Exit codes
- 0: Success / verified match
- 1: Verify mismatch
- 2: Unsupported/invalid hash format
- 3: Password validation error
- 4: No password provided and -no-prompt set
- 130: User interrupted (Ctrl-C)
Technical notes
- ASA: PBKDF2-HMAC-SHA512; iterations stored; salt Base64; first 16 bytes of DK stored.
- IOS/IOS-XE Type 8: PBKDF2-HMAC-SHA256; 20000 iterations (fixed); salt 10 bytes; Cisco Base64 alphabet (./0..9A..Za..z).
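The ASA format described above, as an added Python example (not cisco-hashgen's own code): it builds, parses and verifies $sha512$ strings using only the parameters listed on this page. The function names, the UTF-8 password encoding and the use of the decoded salt bytes as the PBKDF2 salt are assumptions.

```python
import base64
import hashlib
import hmac
import os

ASA_DEFAULT_ITER = 5000   # ASA default iteration count, per the page
ASA_SALT_BYTES = 16       # ASA default salt length, per the page
ASA_DK_BYTES = 16         # only the first 16 bytes of the derived key are stored


def _derive(password, salt, iterations):
    # Assumption: UTF-8 password, raw (decoded) salt bytes fed to PBKDF2.
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return dk[:ASA_DK_BYTES]


def asa_hash(password, salt=None, iterations=ASA_DEFAULT_ITER):
    """Build $sha512$<iter>$<Base64(salt)>$<Base64(dk16)>."""
    salt = os.urandom(ASA_SALT_BYTES) if salt is None else salt
    dk16 = _derive(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"$sha512${iterations}${b64(salt)}${b64(dk16)}"


def parse_asa(hash_str):
    """Split an ASA hash into (iterations, salt, dk16); ValueError if malformed."""
    parts = hash_str.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "sha512":
        raise ValueError("not an ASA $sha512$ hash")
    if not (parts[2].isascii() and parts[2].isdigit()) or int(parts[2]) < 1:
        raise ValueError("bad iteration count")
    try:
        salt = base64.b64decode(parts[3], validate=True)
        dk16 = base64.b64decode(parts[4], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad Base64 field") from exc
    if not salt or len(dk16) != ASA_DK_BYTES:
        raise ValueError("unexpected salt or key length")
    return int(parts[2]), salt, dk16


def asa_verify(password, hash_str):
    """Recompute the key from the stored parameters; constant-time compare."""
    iterations, salt, dk16 = parse_asa(hash_str)
    return hmac.compare_digest(_derive(password, salt, iterations), dk16)
```

Because the iteration count and salt travel inside the hash string, verification needs no device access, only the candidate password.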
Compatibility
- Python 3.8+ (tested on 3.8–3.13)
- macOS / Linux / WSL
License
MIT © Gilbert Mendoza
Changelog
See the docs/releases folder for complete version history, or visit the GitHub Releases page.
File details
Details for the file cisco_hashgen-1.2.3.tar.gz.
File metadata
- Download URL: cisco_hashgen-1.2.3.tar.gz
- Upload date:
- Size: 11.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 5f19ad49d13a7b0fd2b1801550055cc090756177e1f9ad9fb70fde359fb13cb9 |
| MD5 | 2546784892b6fb499d5d597e2e0eabfe |
| BLAKE2b-256 | 95cf6c2797e6bb629fa46f6d8bc4aba4b248f53749a1c43560a21e71affe0e32 |
File details
Details for the file cisco_hashgen-1.2.3-py3-none-any.whl.
File metadata
- Download URL: cisco_hashgen-1.2.3-py3-none-any.whl
- Upload date:
- Size: 9.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 120d3de45ad4c6dc207d3a46b1a838551ddbb5741bca7bd5be0f632340fd2507 |
| MD5 | 7d02f8d8d7cfc5949a0f8538cfa7a143 |
| BLAKE2b-256 | 566489dad7588eb9b8ea5eb23a8f69a764f7071ccaa01065e1222621dc649929 |