Untitled


Ask Question
12

The scenario:

In a bash script, I have to check if a password given by a user is a valid user password.

I.e suppose I have a user A with password PA.. In the script I asked user A to enter his password, So how to check if the string entered is really his password?...
bash
shareimprove this question
edited May 7 '15 at 11:46
asked Apr 20 '15 at 10:45
Maythux
50.2k32165214

    What do you mean with a valid password? Want to test if it really is the user's password? – A.B. Apr 20 '15 at 10:51
    @A.B. valid password=login password whatever you want to call... I mean its a password for this user – Maythux Apr 20 '15 at 10:51
    @A.B. I know it will be a security hole but here you already know the user name also... In other words its just a test if the password is for this user.. – Maythux Apr 20 '15 at 10:54
    3
    Here is your answer: unix.stackexchange.com/a/21728/107084 – A.B. Apr 20 '15 at 10:54
    A solution based on expect at stackoverflow.com/a/1503831/320594. – Jaime Hablutzel Feb 1 at 16:25

add a comment
3 Answers
active
oldest
votes
11

Since you want to do this in a shell script, a couple of contributions in How to check password with Linux? (on Unix.SE, suggested by A.B.) are especially relevant:

    rozcietrzewiacz's answer on generating a password hash that matches an entry in /etc/shadow gives part of the solution.
    Daniel Alder's comment explains the different syntax of the mkpasswd command present in Debian (and Ubuntu).

To manually check if a string is really some user's password, you must hash it with the same hash algorithm as in the user's shadow entry, with the same salt as in the user's shadow entry. Then it can be compared with the password hash stored there.

I've written a complete, working script demonstrating how to do this.

    If you name it chkpass, you can run chkpass user and it will read a line from standard input and check if it's user's password.
    Install the whois Install whois package to obtain the mkpasswd utility on which this script depends.
    This script must be run as root to succeed.
    Before using this script or any part of it to do real work, please see Security Notes below.

#!/usr/bin/env bash

xcorrect=0 xwrong=1 enouser=2 enodata=3 esyntax=4 ehash=5  IFS=$
die() {
    printf '%s: %s\n' "$0" "$2" >&2
    exit $1
}
report() {
    if (($1 == xcorrect))
        then echo 'Correct password.'
        else echo 'Wrong password.'
    fi
    exit $1
}

(($# == 1)) || die $esyntax "Usage: $(basename "$0") <username>"
case "$(getent passwd "$1" | awk -F: '{print $2}')" in
    x)  ;;
    '') die $enouser "error: user '$1' not found";;
    *)  die $enodata "error: $1's password appears unshadowed!";;
esac

if [ -t 0 ]; then
    IFS= read -rsp "[$(basename "$0")] password for $1: " pass
    printf '\n'
else
    IFS= read -r pass
fi

set -f; ent=($(getent shadow "$1" | awk -F: '{print $2}')); set +f
case "${ent[1]}" in
    1) hashtype=md5;;   5) hashtype=sha-256;;   6) hashtype=sha-512;;
    '') case "${ent[0]}" in
            \*|!)   report $xwrong;;
            '')     die $enodata "error: no shadow entry (are you root?)";;
            *)      die $enodata 'error: failure parsing shadow entry';;
        esac;;
    *)  die $ehash "error: password hash type is unsupported";;
esac

if [[ "${ent[*]}" = "$(mkpasswd -sm $hashtype -S "${ent[2]}" <<<"$pass")" ]]
    then report $xcorrect
    else report $xwrong
fi