- 12
- The scenario:
- In a bash script, I have to check if a password given by a user is a valid user password.
- I.e., suppose I have a user A with password PA. In the script I asked user A to enter his password, so how to check if the string entered is really his password?
- bash
- edited May 7 '15 at 11:46
- asked Apr 20 '15 at 10:45
- Maythux
- What do you mean with a valid password? Want to test if it really is the user's password? – A.B. Apr 20 '15 at 10:51
- @A.B. valid password = login password, whatever you want to call it... I mean it's a password for this user – Maythux Apr 20 '15 at 10:51
- @A.B. I know it will be a security hole but here you already know the user name also... In other words it's just a test if the password is for this user.. – Maythux Apr 20 '15 at 10:54
- 3
- Here is your answer: unix.stackexchange.com/a/21728/107084 – A.B. Apr 20 '15 at 10:54
- A solution based on expect at stackoverflow.com/a/1503831/320594. – Jaime Hablutzel Feb 1 at 16:25
- 3 Answers
- 11
- Since you want to do this in a shell script, a couple of contributions in How to check password with Linux? (on Unix.SE, suggested by A.B.) are especially relevant:
- rozcietrzewiacz's answer on generating a password hash that matches an entry in /etc/shadow gives part of the solution.
- Daniel Alder's comment explains the different syntax of the mkpasswd command present in Debian (and Ubuntu).
- To manually check if a string is really some user's password, you must hash it with the same hash algorithm as in the user's shadow entry, with the same salt as in the user's shadow entry. Then it can be compared with the password hash stored there.
- I've written a complete, working script demonstrating how to do this.
- If you name it chkpass, you can run chkpass user and it will read a line from standard input and check if it's user's password.
- Install the whois package to obtain the mkpasswd utility on which this script depends.
- This script must be run as root to succeed.
- Before using this script or any part of it to do real work, please see Security Notes below.
- #!/usr/bin/env bash
- # Exit codes. IFS is set to a literal '$' on purpose: it makes the unquoted
- # expansion below split a shadow hash ($id$salt$hash) into its fields, and
- # makes "${ent[*]}" join them back with '$'.
- xcorrect=0 xwrong=1 enouser=2 enodata=3 esyntax=4 ehash=5 IFS=$
- die() {
-     printf '%s: %s\n' "$0" "$2" >&2
-     exit $1
- }
- report() {
-     if (($1 == xcorrect))
-         then echo 'Correct password.'
-         else echo 'Wrong password.'
-     fi
-     exit $1
- }
- (($# == 1)) || die $esyntax "Usage: $(basename "$0") <username>"
- # Field 2 of the passwd entry is 'x' when the hash lives in /etc/shadow.
- case "$(getent passwd "$1" | awk -F: '{print $2}')" in
-     x)  ;;
-     '') die $enouser "error: user '$1' not found";;
-     *)  die $enodata "error: $1's password appears unshadowed!";;
- esac
- # Prompt without echo on a terminal; otherwise read one line from stdin.
- if [ -t 0 ]; then
-     IFS= read -rsp "[$(basename "$0")] password for $1: " pass
-     printf '\n'
- else
-     IFS= read -r pass
- fi
- # ent[0] is the text before the first '$', ent[1] the hash id, ent[2] the salt.
- set -f; ent=($(getent shadow "$1" | awk -F: '{print $2}')); set +f
- case "${ent[1]}" in
-     1) hashtype=md5;; 5) hashtype=sha-256;; 6) hashtype=sha-512;;
-     '') case "${ent[0]}" in
-             \*|!) report $xwrong;;
-             '')   die $enodata "error: no shadow entry (are you root?)";;
-             *)    die $enodata 'error: failure parsing shadow entry';;
-         esac;;
-     *)  die $ehash "error: password hash type is unsupported";;
- esac
- # Re-hash the candidate with the stored method and salt, then compare.
- if [[ "${ent[*]}" = "$(mkpasswd -sm $hashtype -S "${ent[2]}" <<<"$pass")" ]]
-     then report $xcorrect
-     else report $xwrong
- fi
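The same-algorithm, same-salt comparison described in the answer above, as an added example that is not part of the original answer or its script: it takes the shadow hash field as an argument, so the parsing can be exercised without root. It goes slightly beyond the script by also carrying an optional `rounds=N` field into the re-hash and by treating any `!`- or `*`-prefixed field as locked. The function names `parse_shadow_field` and `check_password` are hypothetical, and `mkpasswd` from the whois package is assumed, as in the answer.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Written in portable sh syntax.

# parse_shadow_field FIELD
# FIELD is field 2 of a shadow(5) entry. Prints "STATE METHOD ROUNDS SALT";
# STATE is hash, locked, empty or unsupported, and "-" marks an absent value.
parse_shadow_field() {
    field=$1
    case $field in
        '')        echo 'empty - - -';  return 0 ;;  # no password set
        '!'*|'*'*) echo 'locked - - -'; return 0 ;;  # e.g. '!' added by passwd -l
        \$[156]\$?*\$?*) ;;                          # $id$[rounds=N$]salt$hash
        *)         echo 'unsupported - - -'; return 0 ;;
    esac
    rest=${field#\$}; id=${rest%%\$*}; rest=${rest#*\$}
    case $id in
        1) method=md5 ;; 5) method=sha-256 ;; 6) method=sha-512 ;;
    esac
    rounds=-
    case $rest in
        rounds=*) rounds=${rest%%\$*}; rounds=${rounds#rounds=}; rest=${rest#*\$} ;;
    esac
    echo "hash $method $rounds ${rest%%\$*}"
}

# check_password FIELD    (candidate password is read from stdin)
# Returns 0 on match, 1 on mismatch or a locked/empty entry, 2 if it cannot check.
check_password() {
    read -r state method rounds salt <<EOF
$(parse_shadow_field "$1")
EOF
    [ "$state" = hash ] || { [ "$state" = unsupported ] && return 2; return 1; }
    # Re-hash with the stored method, salt and (if present) rounds, using
    # mkpasswd as the answer's script does; -R is mkpasswd's rounds option.
    if [ "$rounds" = - ]; then
        candidate=$(mkpasswd -s -m "$method" -S "$salt")
    else
        candidate=$(mkpasswd -s -m "$method" -R "$rounds" -S "$salt")
    fi || return 2
    [ "$candidate" = "$1" ]
}
```

As root, the field can be supplied with `getent shadow "$user" | cut -d: -f2`, and the candidate password piped to `check_password` on standard input.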