The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,799 other followers

OpenSuSE Tumbleweed – testing the password of any user with getent and openssl

Posted by jpluimers on 2017/06/21

For one of my VMs I forgot to note which of the initial password I had changed, so I wanted to check them.

Since I didn’t have a keyboard attached to the console and ssh wasn’t allowing root, I needed an alternative than actual login to test the passwords.

Luckily /etc/shadow, with getent and openssl came to the rescue.

Since getent varies per distribution, here is how it works on OpenSuSE:

statler:/etc # getent --help
Usage: getent [OPTION...] database [key ...]
Get entries from administrative database.

  -i, --no-idn               disable IDN encoding
  -s, --service=CONFIG       Service configuration to be used
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Supported databases:
ahosts ahostsv4 ahostsv6 aliases ethers group gshadow hosts initgroups
netgroup networks passwd protocols rpc services shadow

For bug reporting instructions, please see:

As $username is empty when you SUDO to root level, I’ve opted for this to get the relevant entry from the /etc/shadow database:

getent shadow $(whoami)

On a default OpenSuSE for Raspberry Pi installation (that has linux as password for user root) it will show  something like this:


Here the $1 means that it uses passwd hashing algorithm 1 (MD5) which nicely corresponds to the -1 parameter to openssh passwd [WayBack] if you use openssh 1.1.0. I’ve only seen algorithms 1 (MD5) and 6 (SHA-512).

If you have an older openssl, then you can use mkpasswd from the whois package: hashsum – /etc/shadow : how to generate $6$ ‘s encrypted password? – Unix & Linux Stack Exchange [WayBack]

This is how you split it first by semicolon, then by dollar with a multi-line awk command inside bash [WayBack]:

function verify-password-for-whoami()
      split($2, hash, "$"); 
      algorithms[1] = "MD5"; 
      algorithms[5] = "SHA-256"; 
      algorithms[6] = "SHA-512"; 
      print "username        " $1
      print "algorithm index " hash[2]
      print "algorithm name  " algorithms[hash[2]]
      print "salt            " hash[3]
      print "hash            " hash[4]
      if (hash[2] == 1 || hash[2] == 5 || hash[2] == 6)
        if (hash[2] == 1)
          system("openssl passwd -" hash[2] " -salt " hash[3])
          system("mkpasswd -m " algorithms[hash[2]] " --salt " hash[3])
        print "verify above outcome against"
        print $2
        print "has algorithm " hash[2] " is not supported"
  getent shadow $(whoami) | awk -F':' "$awkcommand"

For a stock OpenSuSE Tumbleweed for Raspberry Pi you get this when entering linux as password:

# verify-password-for-whoami 
username        root
algorithm index 1
algorithm name  MD5
salt            wYJUgpM5
hash            RXMMeASDc035eX.NbYWFl0
verify above outcome against


via: hash – Given a linux username and a password how can I test if it is a valid account? – Stack Overflow [WayBack]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: