OpenSuSE Tumbleweed – testing the password of any user with getent and openssl
Posted by jpluimers on 2017/06/21
For one of my VMs I forgot to note which of the initial passwords I had changed, so I wanted to check them.
Since I didn’t have a keyboard attached to the console and ssh wasn’t allowing root, I needed an alternative to an actual login to test the passwords.
Luckily, /etc/shadow, together with getent and openssl, came to the rescue.
Since getent varies per distribution, here is how it works on OpenSuSE:
statler:/etc # getent --help
Usage: getent [OPTION...] database [key ...]
Get entries from administrative database.
-i, --no-idn disable IDN encoding
-s, --service=CONFIG Service configuration to be used
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.
Supported databases:
ahosts ahostsv4 ahostsv6 aliases ethers group gshadow hosts initgroups
netgroup networks passwd protocols rpc services shadow
For bug reporting instructions, please see:
<http://bugs.opensuse.org>.
As $username is empty when you sudo to root level, I’ve opted for this to get the relevant entry from the /etc/shadow database:
getent shadow $(whoami)
On a default OpenSuSE for Raspberry Pi installation (that has linux as password for user root) it will show something like this:
root:$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0:17033::::::
Here the $1 means that it uses passwd hashing algorithm 1 (MD5), which nicely corresponds to the -1 parameter of openssl passwd if you use openssl 1.1.0. I’ve only seen algorithms 1 (MD5) and 6 (SHA-512).
If you have an older openssl, then you can use mkpasswd from the whois package: hashsum – /etc/shadow : how to generate $6$ ‘s encrypted password? – Unix & Linux Stack Exchange
This is how you split it first by colon, then by dollar sign, with a multi-line awk command inside bash:
function verify-password-for-whoami()
{
  # awk program: field 2 of the shadow entry has the form $id$salt$hash
  awkcommand='
  {
    split($2, hash, "$");
    algorithms[1] = "MD5";
    algorithms[5] = "SHA-256";
    algorithms[6] = "SHA-512";
    print "username " $1
    print "algorithm index " hash[2]
    print "algorithm name " algorithms[hash[2]]
    print "salt " hash[3]
    print "hash " hash[4]
    if (hash[2] == 1 || hash[2] == 5 || hash[2] == 6)
    {
      # both tools prompt for the password and print the resulting hash
      if (hash[2] == 1)
        system("openssl passwd -" hash[2] " -salt " hash[3])
      else
        system("mkpasswd -m " algorithms[hash[2]] " --salt " hash[3])
      print "verify above outcome against"
      print $2
    }
    else
      print "hash algorithm " hash[2] " is not supported"
  }
  '
  # split the shadow entry on colons and hand it to the awk program
  getent shadow "$(whoami)" | awk -F':' "$awkcommand"
}
For a stock OpenSuSE Tumbleweed for Raspberry Pi you get this when entering linux as password:
# verify-password-for-whoami
username root
algorithm index 1
algorithm name MD5
salt wYJUgpM5
hash RXMMeASDc035eX.NbYWFl0
Password:
$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0
verify above outcome against
$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0
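The by-eye comparison above can be turned into an exit status. This is an added example, not code from the original post: the function name check_shadow_entry and its exit codes are illustrative choices, the candidate password is read from stdin so it never shows up in a process list, and hashes with a rounds= prefix are deliberately not handled.

```shell
# Added example, not code from the original post.
# check_shadow_entry ENTRY   (candidate password is read from stdin)
# exit status: 0 = match, 1 = no match, 2 = no usable or unsupported hash
check_shadow_entry() (
    # Subshell body: variables stay local and "exit" only leaves the function.
    # Field 2 of the colon-separated shadow line is "$id$salt$digest".
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        ''|'!'*|'*'*) exit 2 ;;      # empty, locked or disabled account
    esac
    id=$(printf '%s\n' "$field" | cut -d'$' -f2)
    salt=$(printf '%s\n' "$field" | cut -d'$' -f3)
    case $id in
        1) flag=-1 ;;                # MD5
        5) flag=-5 ;;                # SHA-256, needs an openssl whose passwd has -5
        6) flag=-6 ;;                # SHA-512, needs an openssl whose passwd has -6
        *) exit 2 ;;
    esac
    case $salt in
        ''|rounds=*) exit 2 ;;       # custom round counts are not handled here
    esac
    # Read one line from stdin so the candidate never appears in argv.
    IFS= read -r candidate || [ -n "$candidate" ] || exit 2
    computed=$(printf '%s\n' "$candidate" |
        openssl passwd "$flag" -salt "$salt" -stdin 2>/dev/null) || exit 2
    # Same salt and same password must reproduce the stored field exactly.
    [ "$computed" = "$field" ]
)

# Entry shown in the post (root password "linux" on the stock image).
SAMPLE_ENTRY='root:$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0:17033::::::'

# Typical use, as root (type the candidate, then press Enter):
#   check_shadow_entry "$(getent shadow "$(whoami)")" && echo match
```

An exit status of 2 means the entry could not be checked at all, which is different from a wrong password and worth reporting separately in a script.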
–jeroen
via: hash – Given a linux username and a password how can I test if it is a valid account? – Stack Overflow





