[SOLVED] Test User password with Zenity/Bash script



Jose Catre-Vandis
August 6th, 2009, 02:15 AM
I am working up a script, and what I need to do is test the entry made by a user into a zenity dialog against their password. If they enter the correct password (the one they logged in with) then the rest of the script will proceed.

How can I call up a user's password in a bash script? Is there a variable in bash to do this? I clearly do not want to have to put it in as plain text!

michy99
August 6th, 2009, 02:39 AM
The password is stored in /etc/shadow as a md5sum. You have to do a md5sum on the entry and compare it to the corresponding entry in /etc/shadow.

Jose Catre-Vandis
August 6th, 2009, 02:52 AM
Makes sense, how do I run md5 against a word in order to get the hash?

EDIT: figured this out?

echo -n "password" | md5sum
but this looks nothing like the entry against the user in /etc/shadow (which is 2/3 times longer)?

michy99
August 6th, 2009, 03:11 AM
Here's a short explanation of /etc/shadow. Apparently it can use other encryptions besides md5.

http://www.cyberciti.biz/faq/understanding-etcshadow-file/

Jose Catre-Vandis
August 6th, 2009, 11:05 AM
Hmmm, still doesn't really help. Is a different encryption being used - SHA-512, indicated by the $6$?

Here is my /etc/shadow entry (a few digits changed to protect the innocent)

jose:$6$gPC.6/BqBx$Ag0fumVhbVmpx5b5TCDe9vra868eSnNde7vqNeD9nWaCSEQuuirEYshHLMuJ7obKfueXsD3DSQ8jZoog.5BG81:14357:0:99999:7:::
and here is the output from "echo -n "password" | md5sum"

65ba469a2f5471be97ed178d5fba24d4 -
(again a few digits changed, but this is about size and type)

sisco311
August 6th, 2009, 11:21 AM
You can use sudo. Add the user in the sudoers file:

username ALL=(username) /path/to/script
username is allowed to run the /path/to/script script as user:username

Then:

sudo -u username /path/to/script
will prompt for the user's password.

Jose Catre-Vandis
August 6th, 2009, 11:32 AM
You can use sudo. Add the user in the sudoers file:

username ALL=(username) /path/to/script
username is allowed to run the /path/to/script script as user:username

Then:

sudo -u username /path/to/script
will prompt for the user's password.

Thanks, I know, but I'm trying to stay away from sudo, and this has now become a bit of a quest to see how I can check a user's password against that stored in the system, so if the user doesn't know sudo, this is their authentication for the script to run.

Seems if I can find a way to encrypt a string using the right algorithm, which I believe to be SHA-512, I will be able to compare this with the contents of /etc/shadow, once I have figured out how to extract the key. :)

sisco311
August 6th, 2009, 11:38 AM
Seems if I can find a way to encrypt a string using the right algorithm, which I believe to be SHA-512, I will be able to compare this with the contents of /etc/shadow, once I have figured out how to extract the key. :)


mkpasswd -m sha-512 password saltsalt

But you need root permissions to access the shadow file.

unutbu
August 6th, 2009, 12:27 PM
Note the use of md5 encryption:


sudo useradd --create-home --user-group --password $(mkpasswd -s -m md5 pea) --comment "Sweat Pea" --shell /bin/bash pea

I checked that it works with


su pea


sudo userdel -r pea

This also works:


sudo useradd --create-home --user-group --password $(mkpasswd -s -m sha-512 pea) --comment "Sweat Pea" --shell /bin/bash pea

I don't know how many different types of encryption work. But I think this means you might have to check a user's unencrypted password by encrypting it in many (at least 2) different ways.

sisco311
August 6th, 2009, 12:59 PM
in the shadow file:

$6$NU7T6629$eJuF3qoAmPBTr9keSxmfFZzgpfEyCsk7OmdGpRJ8Purl/nDwt69AhdOJbLdsW3QiSnfZzD8PNEQ2lBS3.7QJp/
6 is the encryption type

ID | Method
---+------------------------------------------------------------------
1  | MD5
2a | Blowfish (not in mainline glibc; added in some Linux distributions)
5  | SHA-256 (since glibc 2.7)
6  | SHA-512 (since glibc 2.7)


and NU7T6629 is the salt

Jose Catre-Vandis
August 6th, 2009, 01:12 PM
OK, thanks guys, looks like you have all the answers, just that I don't understand how to use them! :)

Let's say I extract in advance the hash from the /etc/shadow file for use in my script (I'll just stick to a single user for now). I will need to compare the hash, with a hash generated by the script on the password entered.

So,

user = jose
pass = mypasswd
hash = eJuF3qoAmPBTr9keSxmfFZzgpfEyCsk7OmdGpRJ8Purl/nDwt69AhdOJbLdsW3QiSnfZzD8PNEQ2lBS3.7QJp/
(as per sisco311's post)

In plain English, the script would do the following:

1. take the input from zenity and put into variable > $PASS
2. take $PASS and
2.1 perform encryption on it to produce a hash > $TESTHASH
3. compare $TESTHASH with the extracted hash key from /etc/shadow $HASH
4. perform rest of script if comparison successful

I am OK with sorting out 1, 2, 3 and 4; it's 2.1 I don't know how to do.

Thanks for all your help so far :)

sisco311
August 6th, 2009, 01:19 PM
mkpasswd -m sha-512 password NU7T6629
where password is the password entered by the user
and NU7T6629 is the salt from /etc/shadow

Jose Catre-Vandis
August 6th, 2009, 01:40 PM
Will this have any impact on the existing password?

unutbu
August 6th, 2009, 01:45 PM
No, it just returns a string. For example,

mkpasswd -m sha-512 password NU7T6629NU7T6629
$6$NU7T6629NU7T6629$BaKyvMTWu.H0jiZELdCQrDTkNgljkx7rvyg7NoozLZszsrEtx5.SsWNE385xz4TgQ7RClBkeWTMiIgh6d4x1B1

(For sha-512, the salt has to be 16 bytes)
Edit: sha-512 can have variable salt lengths, but mkpasswd in pre-Ubuntu 9.10 does not support them. See http://ubuntuforums.org/showpost.php?p=7348969&postcount=13

sisco311
August 6th, 2009, 01:46 PM
never mind :)

Jose Catre-Vandis
August 6th, 2009, 01:48 PM
Yes, this works, I tested it with a 16 character SALT, but my SALT is 10 characters and not 8 ??


hPC.6/DqBy

so I am not getting a matching hash as a result, and mkpasswd complains about the wrong number of characters.

EDIT:

I see there is a bug in mkpasswd that cannot cope with variable length salts. Am I stuffed or is there another way?

sisco311
August 6th, 2009, 02:33 PM
python -c "import crypt; print(crypt.crypt('password', '\$6\$SALT\$'))"
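
The check the thread arrives at (steps 1 to 4 in Jose's post, with step 2.1 being the SHA-512 crypt computation), written out as an added example. This is not code from the thread or from any poster: it implements the $6$ algorithm in pure Python from Drepper's SHA-crypt specification instead of calling the stdlib `crypt` module used in the one-liner above (that module is deprecated since Python 3.11 and removed in 3.13), so it accepts any salt length up to 16 bytes, honours an optional `rounds=N$` field, and compares in constant time. The sample shadow line is constructed: its hash is the `$6$saltstring` / "Hello world!" test vector published with the specification, and the account fields around it are made up. The function names (`sha512_crypt`, `crypt_sha512`, `verify_against_shadow_line`) are my own; the script takes the shadow line as input rather than reading /etc/shadow, which, as noted above, needs root.

```python
import hashlib
import hmac

# crypt(3)-style base64 alphabet (not the RFC 4648 one): "./0-9A-Za-z"
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000              # what "$6$salt$..." with no rounds= field means
_MIN_ROUNDS, _MAX_ROUNDS = 1000, 999_999_999


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n characters, low 6 bits first, from the 24-bit value b2:b1:b0."""
    w = (b2 << 16) | (b1 << 8) | b0
    chars = []
    for _ in range(n):
        chars.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(chars)


def _repeat_to(digest: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest and cut it to exactly `length` bytes."""
    return (digest * (length // 64 + 1))[:length]


def sha512_crypt(password: bytes, salt: bytes, rounds: int = _DEFAULT_ROUNDS) -> str:
    """SHA-512 crypt ($6$) per Drepper's specification; returns the 86-character hash part."""
    salt = salt[:16]                        # the spec truncates the salt to 16 bytes
    plen, slen = len(password), len(salt)

    # Digest B = SHA512(password || salt || password)
    b = hashlib.sha512(password + salt + password).digest()

    # Digest A = SHA512(password || salt || B repeated to plen bytes || bit pattern of plen)
    a = hashlib.sha512(password + salt)
    a.update(_repeat_to(b, plen))
    n = plen
    while n > 0:                            # for each bit of plen, low bit first
        a.update(b if n & 1 else password)  # 1 -> digest B, 0 -> password
        n >>= 1
    a = a.digest()

    # P = SHA512(password repeated plen times) cut to plen bytes
    p = _repeat_to(hashlib.sha512(password * plen).digest(), plen)
    # S = SHA512(salt repeated 16 + A[0] times) cut to slen bytes
    s = _repeat_to(hashlib.sha512(salt * (16 + a[0])).digest(), slen)

    # Key stretching: `rounds` chained SHA-512 computations mixing P, S and the last digest
    c = a
    for i in range(rounds):
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    # Transposed crypt-base64: byte triples (22k, 21+22k, 42+22k) mod 63, then byte 63 alone
    out = [_b64_from_24bit(c[(22 * k) % 63], c[(21 + 22 * k) % 63], c[(42 + 22 * k) % 63], 4)
           for k in range(21)]
    out.append(_b64_from_24bit(0, 0, c[63], 2))
    return "".join(out)


def crypt_sha512(password: str, setting: str) -> str:
    """crypt(3)-compatible front end: setting is '$6$salt', '$6$rounds=N$salt' or a full hash."""
    parts = setting.split("$")
    if len(parts) < 3 or parts[0] != "" or parts[1] != "6":
        raise ValueError("not a SHA-512 crypt ($6$) setting")
    prefix, idx, rounds = "$6$", 2, _DEFAULT_ROUNDS
    if parts[2].startswith("rounds="):
        rounds = min(max(int(parts[2][len("rounds="):]), _MIN_ROUNDS), _MAX_ROUNDS)
        prefix += f"rounds={rounds}$"       # glibc echoes the (clamped) value in the output
        idx = 3
    if idx >= len(parts):
        raise ValueError("setting has no salt")
    salt = parts[idx][:16]
    digest = sha512_crypt(password.encode("utf-8"), salt.encode("utf-8"), rounds)
    return f"{prefix}{salt}${digest}"


def verify_against_shadow_line(password: str, shadow_line: str) -> bool:
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    stored = shadow_line.split(":")[1]
    if not stored.startswith("$6$"):        # locked ("!", "*"), empty, or another algorithm
        return False
    return hmac.compare_digest(crypt_sha512(password, stored), stored)


# Constructed sample: the $6$ test vector published with Drepper's SHA-crypt spec,
# wrapped in a shadow-format line with made-up account fields. Note the 10-byte salt.
SAMPLE_SHADOW_LINE = ("jose:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:14357:0:99999:7:::")

if __name__ == "__main__":
    for candidate in ("Hello world!", "hello world!"):
        print(candidate, "->", verify_against_shadow_line(candidate, SAMPLE_SHADOW_LINE))
```

In a zenity script the value returned by the dialog would be passed in as `password` and the stored line (or just its second field) as `shadow_line`; the comparison is done on the full `$6$salt$hash` string rather than on the hash part alone, so a line whose salt or `rounds=` field has been altered cannot match. A non-`$6$` field is rejected outright rather than treated as "no password".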

Jose Catre-Vandis
August 6th, 2009, 02:59 PM
Yay - success :)

Many thanks for all your help :)

lswb
August 6th, 2009, 03:28 PM
Make sure you save the other users password somewhere so you can impersonate them later!