Given a linux username and a password how can I test if it is a valid account? [closed] - McMap

About

Given a linux username and a password how can I test if it is a valid account? [closed]

Asked 3/8, 2013 at 16:45 Answered 16/10, 2018 at 4:6

Solved linux hash passwords crypt

T

2

60

So my question is straight forward given a linux username and a password how can I test if it is a valid account?

Tracery answered 3/8, 2013 at 16:45 Comment(2)

You attempt to log in with them. If you're in, then the combo was valid. – Bummalo 3/8, 2013 at 16:52

Here is an example of C-language function how to check username and password https://mcmap.net/q/330512/-how-to-check-password-in-linux-by-using-c-or-shell – Joon 30/7, 2020 at 12:26

R

96

You can validate that a given password is correct for a given username using the shadow file.

On most modern distributions, the hashed passwords are stored in the shadow file /etc/shadow (which is only readable by root). As root, pull the line from the shadow file for the given user like so:

cat /etc/shadow | grep username

You will see something like this:

username:$1$TrOIigLp$PUHL00kS5UY3CMVaiC0/g0:15020:0:99999:7:::

After the username there is $1. This indicates that it is an MD5 hash. After that there is another $, then (in this case) TrOIigLp followed by another $. TrOIigLp is the salt. After that is the hashed password, which was hashed using the salt - in this case PUHL00kS5UY3CMVaiC0/g0.

Now, you can use openssl to hash the given password using the same salt, like so:

openssl passwd -1 -salt TrOIigLp

Enter the given password when prompted, the openssl command should compute the MD5 hash using the salt provided, and it should be exactly the same as the above from the shadow file. The -1 in the above command is for MD5 hashing.

Rew answered 3/8, 2013 at 17:10 Comment(16)

Thanks for the info. I was unaware of the parts of shadow file second field. Now I can even use the crypt() function...great answer. – Tracery 3/8, 2013 at 17:34

@Rew do you mean cat /etc/shadow | grep username or even grep username /etc/shadow? – Palladin 13/2, 2014 at 16:48

Russell, thanks for the correction. Yes, it should have been cat, not echo. I've edited the answer. – Rew 13/2, 2014 at 16:50

getent shadow $user is even shorter … – Glidden 2/6, 2015 at 11:52

Hi, the -1 in openssl passwd -1 -salt TrOIigLp stands for MD5 hashing, if I have, instead, SHA-512 hashing is it possible to check the hashing with openssl? Have I to use another command instead? – Mousetail 8/7, 2015 at 8:37

See unix.stackexchange.com/questions/52108/… – Rew 8/7, 2015 at 10:2

The above link provided by mti2935 does not indicate how to include a salt. Another link with method to obtain the hash for a SHA-512 password with salt is here: unix.stackexchange.com/a/210146/81811 – Whaley 4/11, 2017 at 22:52

Mine has username:$6$ – Variolous 10/11, 2017 at 22:15

@BrunoBronosky $6$ indicates a sha512 hash. See this answer for how to generate/check the hash. – Unchaste 10/7, 2018 at 11:32

@Mousetail openssl -1 for $1 and openssl -6 for $6 – Mier 31/7, 2020 at 0:15

mine has root:::0:99999:7:::. How do we interpret this? – Joke 14/1, 2021 at 10:42

@Joke That probably indicates that no password was ever set for the root user. I believe Ubuntu does this by default. In that case, the only way to become root is to log on as an ordinary user, and then use sudo. If the ordinary user isn't in the sudoers file, you can't become root (of course, you could still use rescue mode). Caveat: man shadow says that an empty password field means that you can log on without a password, unless the application decides otherwise. So this is not a secure way to prevent logins. – Interaction 1/4, 2022 at 16:29

@Mier - -6 is not a valid option. – Cardoza 31/3, 2023 at 4:54

Instead of using grep, you should really use the much better getent shadow username command. If you really want to grep the "shadow" file for "username", it should be at least as grep '^username:' so that it searches the string in the right pace. Otherwise, with short usernames, you may get lots of garbage. – Alien 10/12, 2023 at 21:30

@SubhashPrajapati It is in my version of openssl: 1.1.1f – Chobot 15/4 at 13:51

This doesn't work if the name service switch has different sources for users specified. – Agglutinogen 22/4 at 10:43

S

2

If you are concerned about security (which you should be), the accepted answer represents a security risk by leaving the plaintext password in the ~/.bash_history file. With this in mind, it would be better to try logging in, or perhaps removing this entry from the ~/.bash_history.

Soares answered 16/10, 2018 at 4:6 Comment(1)

The accepted answer does not leave a plaintext password in the ~/.bash_history. However, attempting to login does seem the better way, since you may not have sudo access in order to read /etc/shadow. – Adriannaadrianne 5/6, 2019 at 22:52

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.