how to check for valid password

I need to check if an account has a valid password.

Would something like this work?

read ACCNAME
# match entries whose password field starts with the $6$ (SHA-512) prefix
if grep -q "^$ACCNAME:\$6\$" /etc/shadow; then
    echo "$ACCNAME has a password"
fi

I noticed every entry in my shadow file that has a password starts with $6 ... it works for my current setup, but would it always work? I can't test for ^$ACCNAME:: since !! is locked and !! has no password.

Thanks!

From man 5 shadow:

...

       encrypted password
           Refer to crypt(3) for details on how this string is interpreted.

           If the password field contains some string that is not a valid
           result of crypt(3), for instance ! or *, the user will not be able
           to use a unix password to log in (but the user may log in the
           system by other means).

           This field may be empty, in which case no passwords are required to
           authenticate as the specified login name. However, some
           applications which read the /etc/shadow file may decide not to
           permit any access at all if the password field is empty.

           A password field which starts with a exclamation mark means that
           the password is locked. The remaining characters on the line
           represent the password field before the password was locked.

...

From man 3 crypt:

...
   Glibc Notes
       The glibc2 version of this function supports additional encryption
       algorithms.

       If salt is a character string starting with the characters "$id$"
       followed by a string terminated by "$":

              $id$salt$encrypted

       then instead of using the DES machine, id identifies the encryption
       method used and this then determines how the rest of the password
       string is interpreted. The following values of id are supported:

              ID  | Method
              ---------------------------------------------------------
              1   | MD5
              2a  | Blowfish (not in mainline glibc; added in some
                  | Linux distributions)
              5   | SHA-256 (since glibc 2.7)
              6   | SHA-512 (since glibc 2.7)

       So $5$salt$encrypted is an SHA-256 encoded password and
       $6$salt$encrypted is an SHA-512 encoded one.

...

       "salt" stands for the up to 16 characters following "$id$" in the salt.
       The encrypted part of the password string is the actual computed
       password. The size of this string is fixed:

       MD5     | 22 characters
       SHA-256 | 43 characters
       SHA-512 | 86 characters

       The characters in "salt" and "encrypted" are drawn from the set
       [a-zA-Z0-9./]. In the MD5 and SHA implementations the entire key is
       significant (instead of only the first 8 bytes in DES).

...

So don't look for !*, look for anything except [0-9a-zA-Z./$] in that field

What would be my best approach right now since I want to search for something that starts with

"^$ACCNAME:"

and doesn't end with

[0-9a-zA-Z./$]

but from what I see that's for the second field only.

"^${ACCNAME}:[^0-9a-zA-Z./\$]" ?
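Putting the rule from the man pages (only [a-zA-Z0-9./$] can appear in a usable crypt(3) field, "!" means locked, "*" is not a valid hash, empty means no password) and the proposed regex into a script, as an added example that is not from this thread. The shadow file, account names and hash strings below are constructed for the demo and are not real credentials; password_state and has_valid_password are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): classify the password field of a
# shadow(5) entry using the crypt(3) alphabet rule discussed above.

# Constructed sample shadow file: made-up accounts and hash strings, not real
# credentials. frank carries a 13-character traditional DES-style field.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat >"$SAMPLE_FILE" <<'EOF'
root:$6$Q9sVt2Lp$oK3mB7xZ1cF4hJ8nR5tW2yE6uA0iD9gS3lP7vN1bM4kC8qX5zH2jT6wY0eL3rU9aI7fO1sG4dK8hV2nB5mZ:19000:0:99999:7:::
alice:$5$rWq8Lm3N$a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9T0u1V2w3X:19000:0:99999:7:::
bob:!!:19000:0:99999:7:::
carol:*:19000:0:99999:7:::
dave::19000:0:99999:7:::
erin:!$6$Q9sVt2Lp$oK3mB7xZ1cF4hJ8nR5tW2yE6uA0iD9gS3lP7vN1bM4kC8qX5zH2jT6wY0eL3rU9aI7fO1sG4dK8hV2nB5mZ:19000:0:99999:7:::
frank:Xy7lK3dQ2pR4s:19000:0:99999:7:::
EOF

# password_state NAME [SHADOWFILE]
# Prints exactly one word: nouser, empty, locked, invalid or hash.
password_state() {
    name=$1
    shadow=${2:-/etc/shadow}

    # Exact comparison of the first field. Unlike grep "^$name:", this does
    # not treat characters in the account name as regex metacharacters.
    line=$(awk -F: -v u="$name" '$1 == u { print; exit }' "$shadow")
    if [ -z "$line" ]; then
        echo nouser
        return 0
    fi
    pw=$(printf '%s\n' "$line" | cut -d: -f2)

    case "$pw" in
        '')   echo empty ;;   # shadow(5): no password required to authenticate
        '!'*) echo locked ;;  # leading "!" locks the account (rest is the old field)
        *)
            # Anything outside the crypt(3) alphabet (e.g. "*") is not a hash.
            if printf '%s\n' "$pw" | grep -q '[^0-9a-zA-Z./$]'; then
                echo invalid
            else
                echo hash
            fi
            ;;
    esac
}

# has_valid_password NAME [SHADOWFILE]
# Exit status 0 only when the field is a crypt(3) hash, so it fits in "if".
has_valid_password() {
    [ "$(password_state "$1" "${2:-/etc/shadow}")" = hash ]
}

# Report on every account in the sample file.
for acct in root alice bob carol dave erin frank nobody; do
    printf '%-6s %s\n' "$acct" "$(password_state "$acct" "$SAMPLE_FILE")"
done
```

Against a real system the script needs root to read /etc/shadow. The alphabet rule is scheme-independent: $1$, $5$, $6$ and the traditional 13-character DES field all pass, and newer prefixes such as $y$ (yescrypt) use the same character set, so they classify as hash as well. A locked entry that still carries the old hash after the "!" (erin above) is reported as locked, which is what matters for "can this account log in with a password".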


I forgot that if it didn't match it means that there is indeed a password. Forgive my noobiness!

Still working on my grasp of regexes.

Thanks for your help Corona688!