It's time to create a bash script that will take inputs - Username and Password, from the user and validate if the username-password combination is correct. There will be two essential steps involved in this script- check if username is valid and in case username is valid, check if password associated with that username is valid.
Let's start scripting!
1. Check if username is valid
This, surely, is the easier part of the script. Validating a user is very straight-forward, as you can use
id command with option -u or read /etc/passwd (using 'grep' command) file to do so (Read about /etc/passwd file format here). If the exit status is "0", then it's a valid user, else it's not. For those who are new to bash scripting- Exit status can be checked using echo $?.Let's check the validity of the user '
mandar'MyLinuxBox root ~ > grep mandar /etc/passwd
mandar:x:500:500:Mandar Shinde:/home/mandar:/bin/bash
MyLinuxBox root ~ > id -u mandar
500
MyLinuxBox root ~ > echo $?
0
MyLinuxBox root ~ > grep -w mandar /etc/passwd
mandar:x:500:500:Mandar Shinde:/home/mandar:/bin/bash
MyLinuxBox root ~ > echo $?
0
mandar' exists and the same is assured by checking the exit status of the id -u mandar and grep -w "mandar" /etc/passwd command.Lets check if there is any user '
shinde' (there isn't any).MyLinuxBox root ~ > id -u shinde
id: shinde: No such user
MyLinuxBox root ~ > echo $?
1
MyLinuxBox root ~ > grep -w shinde /etc/passwd
MyLinuxBox root ~ > echo $?
1
2. Check if Password is valid
Now, let's suppose that, the username is valid and next step will be verifying the password. If you had read our article on
/etc/shadow file format, you would have understood what I will be explaining here.
This file stores the passwords in encrypted format, for every user, on a separate line. Besides the hashed passwords, it stores other details also, from which we need to extract the password for comparison.
/etc/shadow stores these details delimited with a colon (:) as below:mandar:$6$5H0QpwprRiJQR19Y$bXGOh7dIfOWpUb/Tuqr7yQVCqL3UkrJns9.7msfvMg4ZO/PsFC5Tbt32PXAw9qRFEBs1254aLimFeNM8YsYOv.:16431:0:99999:7:::
mysql:!!:16550::::::
nagios:$6$P9zn0KwR$tgfvvFWJJ5FKmoXiP5rXWOjwoEBOEoAuBi3EphRbJqqjWYvhEM2wa67L9XgQ7W591FxUNklkDIQsk4kijuhE50:16632:0:99999:7:::
grep' command as below:MyLinuxBox root ~ > grep -w mandar /etc/shadow | cut -d: -f2
$6$5H0QpwprRiJQR19Y$bXGOh7dIfOWpUb/Tuqr7yQVCqL3UkrJns9.7msfvMg4ZO/PsFC5Tbt32PXAw9qRFEBs1254aLimFeNM8YsYOv.
/etc/shadow file. Read /etc/shadow file format for more details on how encrypted passwords are stored in this file.The Encrypted Password
The field #2 in each line entry is the encrypted password. But, how this password is generated, we'll learn in this portion of the article. Let's just rewrite the encrypted password here-$6$5H0QpwprRiJQR19Y$bXGOh7dIfOWpUb/Tuqr7yQVCqL3UkrJns9.7msfvMg4ZO/PsFC5Tbt32PXAw9qRFEBs1254aLimFeNM8YsYOv.
Let's break this encrypted password in some parts, across the dollar ($) sign, to understand it better.
$6$5H0QpwprRiJQR19Y$bXGOh7dIfOWpUb/Tuqr7yQVCqL3UkrJns9.7msfvMg4ZO/PsFC5Tbt32PXAw9qRFEBs1254aLimFeNM8YsYOv.
|1|-------2--------|-----------------------------------------3--------------------------------------------|
--------------------
| 1 | MD5 |
--------------------
| 2 | Blowfish |
--------------------
| 2a | eksBlowfish |
--------------------
| 5 | SHA-256 |
--------------------
| 6 | SHA-512 |
--------------------
3. Password: This field stores the hashed version of the combination of original password and salt value.
Considering that user has provided the password, say
mandar, we will try to create hashed value using the password entered by the user, the salt value (6) and the hashing algorithm (SHA-512) as below:Syntax of the command is as follows:
perl -e 'print crypt("<PASSWORD>","\$<HASH-ALGO>\$<SALT-VALUE>\$") . "\n"'
<HASH-ALGO> = 6<PASSWORD> = mandar<SALT-VALUE> = 5H0QpwprRiJQR19YLets run the command now.
MyLinuxBox root ~ > perl -e 'print crypt("mandar","\$6\$5H0QpwprRiJQR19Y\$") . "\n"'
$6$5H0QpwprRiJQR19Y$bXGOh7dIfOWpUb/Tuqr7yQVCqL3UkrJns9.7msfvMg4ZO/PsFC5Tbt32PXAw9qRFEBs1254aLimFeNM8YsYOv.
/etc/shadow file, then we can confirm that the password entered by the user is correct.Bash Script:
#!/bin/bash
read -p "Enter the Username: " USERNAME
id -u $USERNAME > /dev/null
if [ $? -ne 0 ]
then
echo "User $USERNAME is not valid"
exit 1
else
echo "Enter the Password:"
read -s PASSWD
export PASSWD
ORIGPASS=`grep -w "$USERNAME" /etc/shadow | cut -d: -f2`
export ALGO=`echo $ORIGPASS | cut -d'$' -f2`
export SALT=`echo $ORIGPASS | cut -d'$' -f3`
GENPASS=$(perl -le 'print crypt("$ENV{PASSWD}","\$$ENV{ALGO}\$$ENV{SALT}\$")')
if [ "$GENPASS" == "$ORIGPASS" ]
then
echo "Valid Username-Password Combination"
exit 0
else
echo "Invalid Username-Password Combination"
exit 1
fi
fi
MyLinuxBox root ~ > ./usrpasschk.sh
Enter the Username: mandar
Enter the Password:
Valid Username-Password Combination
MyLinuxBox root ~ > ./usrpasschk.sh
Enter the Username: mandar
Enter the Password:
Invalid Username-Password Combination
MyLinuxBox root ~ > ./usrpasschk.sh
Enter the Username: shinde
id: shinde: No such user
User shinde is not valid
Nice, however works only with stand-alone systems.
ReplyDeleteWhen ldap connected - wont't work.
Consider getent command to retreive proper information.
you may want to look at the getent command as well, rather than grub through /etc/passwd and /etc/shadow directly
ReplyDeleteThank you!
ReplyDeleteWorks well, very useful!