On Friday, February 20th, 2026 at 21:29, Samuel <[email protected]> wrote:
> sha256 hash (file ends with newline):
> SHA256 (pwgenerator) =
> 740470dc3ea3911a19c7165d3439136ff8fb180a7f65ad31c6086a91957b77e4
>
> contents:
> #!/bin/ksh
>
> set -e
> trap 'error=$?; if (($error)); then print -ru2 -- "$0: line $LINENO: $error";
> fi' ERR
>
> if [ -t 1 ]; then
> tput clear || exit 1
> tput cup 0 0 || exit 1
> tput el || exit 1
> fi
>
> LENGTH=20
> VARIATION=4
> set -A P
> set -A Q
> while :; do
> for i in $(dd if=/dev/random bs=4 count=1 2>/dev/null |
> hexdump -e '/1 "%u\n"')
> do
> ((i<190)) && P[${#P[@]}]="$(
> printf '%b' "\\$(printf %o "$((i%95+32))")"
> )"
> done
> l=${#P[@]}
> if ((l >= LENGTH)); then
> nu=$(printf '%s\n' "${P[@]}" | grep -c '[[:upper:]]' || true)
> nl=$(printf '%s\n' "${P[@]}" | grep -c '[[:lower:]]' || true)
> nd=$(printf '%s\n' "${P[@]}" | grep -c '[[:digit:]]' || true)
> nx=$(printf '%s\n' "${P[@]}" | grep -c '[ [:punct:]]' || true)
> ((nu*nl*nd*nx)) || continue
> until ((l-LENGTH <= VARIATION)); do
> # sum of chars. - types of chars. >= ...
> ((l-4 >= l-LENGTH-VARIATION)) || continue 2
> ((nu>1)) && rmc="$rmc[:upper:]"
> ((nl>1)) && rmc="$rmc[:lower:]"
> ((nd>1)) && rmc="$rmc[:digit:]"
> ((nu>1)) && rmc="$rmc [:punct:]"
> rmc="[$rmc]"; unset Q
> for i in ""; do
> if [ -z "$rmc" ] ||
> ! print -r -- "$i" | grep -q "$rmc"; then
> Q[${#Q[@]}]="$i"
> else
> rmc=
> fi
> done
> set -A P -- "${Q[@]}"; l=${#P[@]}
> nu=$(printf '%s\n' "${P[@]}" | grep -c '[[:upper:]]' || true)
> nl=$(printf '%s\n' "${P[@]}" | grep -c '[[:lower:]]' || true)
> nd=$(printf '%s\n' "${P[@]}" | grep -c '[[:digit:]]' || true)
> nx=$(printf '%s\n' "${P[@]}" | grep -c '[ [:punct:]]' || true)
> done
> break
> fi
> done
>
> if [ -t 1 ]; then
> jot -nb . -s '' $l; print $l
> read -r unused?"$(printf '%s' "${P[@]}")"
> tput cup 0 0; tput el
> tput cup 1 0; tput el
> else
> printf '%s' "${P[@]}"; print
> fi

If you want random passwords, why not just use

    openssl rand -base64 32

or

    openssl rand -hex 32

What I have done in the past was create passwords with:

    openssl rand -hex 60

for user accounts that are intended to only be used via ssh with ssh keys. No
need to memorize them or write them down at all. That way, if I or someone else
made a mistake with /etc/ssh/sshd_config and accidentally allowed ssh access
via passwords, the odds of someone guessing the password within the next few
billion years would be minimal.

For what it's worth, my servers all permit ssh access only via IPv6. This cuts
down nearly all attempts to connect.

Eric
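The sshd_config mistake described in the reply above can also be caught directly. The following is an added example, not part of the original thread: it reads the effective configuration as printed by `sshd -T` and reports any password-style login method that is enabled. The function name and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# check_sshd_password_auth (hypothetical name): read `sshd -T` style output
# on stdin ("keyword value", one setting per line) and print every
# password-capable authentication method that is enabled.
# Returns 0 if none is enabled, 1 otherwise.
check_sshd_password_auth() {
    awk '
        { key = tolower($1); val = tolower($2) }
        # challengeresponseauthentication is the older name that earlier
        # OpenSSH releases print instead of kbdinteractiveauthentication.
        key == "passwordauthentication" ||
        key == "kbdinteractiveauthentication" ||
        key == "challengeresponseauthentication" {
            if (val == "yes") { print key " " val; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the accidental misconfiguration the reply worries about.
SAMPLE_MISCONFIGURED='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: key-only access as intended.
SAMPLE_KEYS_ONLY='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# Demo on the constructed input. On a real host, run as root:
#     sshd -T | check_sshd_password_auth
# Match blocks can override the global values; evaluate them with
#     sshd -T -C user=USER,host=HOST,addr=ADDR
if printf '%s\n' "$SAMPLE_MISCONFIGURED" | check_sshd_password_auth; then
    echo "sample: key-only login"
else
    echo "sample: password login is possible"
fi
```

Run after every change to sshd_config, this flags the mistake at the source, with the long random password remaining as the fallback.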

