I need to check if an account has a valid password.
Would something like this work?
read ACCNAME
if grep -q "^$ACCNAME:\$6:" /etc/shadow; then
    echo "$ACCNAME has a password (SHA-512 hash)"
fi
I noticed every entry in my shadow file that has a password starts with $6 ... it works for my current setup, but would it always work? I can't test for ^$ACCNAME:: since !! is locked and !! has no password.
Thanks!
From man 5 shadow
...
encrypted password
Refer to crypt(3) for details on how this string is interpreted.
If the password field contains some string that is not a valid
result of crypt(3), for instance ! or *, the user will not be able
to use a unix password to log in (but the user may log in the
system by other means).
This field may be empty, in which case no passwords are required to
authenticate as the specified login name. However, some
applications which read the /etc/shadow file may decide not to
permit any access at all if the password field is empty.
A password field which starts with an exclamation mark means that
the password is locked. The remaining characters on the line
represent the password field before the password was locked.
...
From man 3 crypt:
...
Glibc Notes
The glibc2 version of this function supports additional encryption
algorithms.
If salt is a character string starting with the characters "$id$" followed
by a string terminated by "$":
$id$salt$encrypted
then instead of using the DES machine, id identifies the encryption
method used and this then determines how the rest of the password
string is interpreted. The following values of id are supported:
ID | Method
---------------------------------------------------------
1  | MD5
2a | Blowfish (not in mainline glibc; added in some Linux distributions)
5  | SHA-256 (since glibc 2.7)
6  | SHA-512 (since glibc 2.7)
So $5$salt$encrypted is an SHA-256 encoded password and
$6$salt$encrypted is an SHA-512 encoded one.
...
"salt" stands for the up to 16 characters following "$id$" in the salt.
The encrypted part of the password string is the actual computed password.
The size of this string is fixed:
MD5     | 22 characters
SHA-256 | 43 characters
SHA-512 | 86 characters
The characters in "salt" and "encrypted" are drawn from the set
[a-zA-Z0-9./]. In the MD5 and SHA implementations the entire key is
significant (instead of only the first 8 bytes in DES).
...
So don't look for !*; look for anything except [0-9a-zA-Z./$] in that field.
What would be my best approach right now since I want to search for something that starts with
"^$ACCNAME:"
and doesn't end with
[0-9a-zA-Z./$]
but from what I see that's for the second field only.
"^${ACCNAME}:[^0-9a-zA-Z./\$]" ?
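The following is an added example, not code from the thread or from Corona688, that puts the two ideas above into one script: it classifies the password field of a shadow-format entry by the rules quoted from man 5 shadow and man 3 crypt (empty, locked with "!", "*" or other non-crypt(3) junk, or a genuine hash made only of [0-9a-zA-Z./$]), and it also wraps the `^${ACCNAME}:[^0-9a-zA-Z./\$]` grep test so its behaviour can be compared. It reads whatever shadow-format file it is given, so it can be run as an ordinary user against the constructed sample embedded in the script (the hashes there are placeholders, not real digests); pointing it at the real /etc/shadow needs root.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the password field of a
# shadow-format entry using the rules quoted from man 5 shadow and man 3 crypt.
# Takes a file path argument so it can be exercised on a constructed sample
# without reading the real /etc/shadow (which needs root).

# Constructed sample in /etc/shadow format; the hash strings are placeholders.
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
alice:$5$abcdefgh$hashhash:19000:0:99999:7:::
bob:$1$qwerty$md5hash:19000:0:99999:7:::
carol:!$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
legacy:abcdefghijklm:19000:0:99999:7:::'

# sample_shadow_file: write the sample to a temp file and print its path
sample_shadow_file() {
    f=${TMPDIR:-/tmp}/sample_shadow.$$
    printf '%s\n' "$SAMPLE_SHADOW" > "$f"
    echo "$f"
}

# password_field NAME FILE: print the 2nd field of NAME's entry; exit 1 if absent.
# Splitting on ':' with awk avoids treating NAME as a regex, unlike grep "^$NAME:".
password_field() {
    awk -F: -v u="$1" '$1 == u { print $2; found = 1; exit } END { exit !found }' "$2"
}

# password_state NAME FILE: print exactly one of
#   valid    field is a crypt(3) result: only [0-9a-zA-Z./$] ($id$salt$hash or 13-char DES)
#   locked   field starts with '!' (passwd -l); the original hash may follow it
#   disabled field is '*' or anything else crypt(3) could not have produced
#   empty    field is empty: no password needed (some programs refuse access instead)
#   unknown  NAME has no entry at all (exit status 1)
password_state() {
    field=$(password_field "$1" "$2") || { echo unknown; return 1; }
    case $field in
        '')                     echo empty ;;
        '!'*)                   echo locked ;;
        *[!0-9a-zA-Z./\$]*)     echo disabled ;;
        *)                      echo valid ;;
    esac
}

# hash_method FIELD: name the algorithm from the $id$ prefix (table in man 3 crypt);
# anything without a $id$ prefix is reported as traditional DES
hash_method() {
    case $1 in
        '$1$'*)  echo MD5 ;;
        '$2a$'*) echo Blowfish ;;
        '$5$'*)  echo SHA-256 ;;
        '$6$'*)  echo SHA-512 ;;
        *)       echo DES ;;
    esac
}

# field_not_hash NAME FILE: the thread's grep test; exit 0 when the field starts
# with a character outside [0-9a-zA-Z./$] (locked, '*', or empty). Caveat: an
# account with no entry also fails to match, so "no match" is not the same as
# "has a valid password" unless the account is known to exist.
field_not_hash() {
    grep -q "^$1:[^0-9a-zA-Z./\$]" "$2"
}

# Stand-alone demo over the constructed sample
f=$(sample_shadow_file)
for u in root alice bob carol daemon guest legacy nobody; do
    state=$(password_state "$u" "$f")
    if [ "$state" = valid ]; then
        printf '%-7s %-8s %s\n' "$u" "$state" "$(hash_method "$(password_field "$u" "$f")")"
    else
        printf '%-7s %s\n' "$u" "$state"
    fi
done
rm -f "$f"
```

The awk lookup is used instead of `grep "^$ACCNAME:"` because a name read from input is inserted into the regex verbatim; splitting on `:` compares the first field as a plain string. Note that the grep form from the thread lumps an empty field (no password required) together with a locked or starred one, which is usually what a "does this account have a usable password" check wants, but the `password_state` function keeps them apart so the caller can decide.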
I forgot that if it didn't match it means that there is indeed a password. Forgive my noobiness!
Still working on my grasp of regexes.
Thanks for your help Corona688!