Channel: Encoding – The Wiert Corner – irregular stream of stuff

OpenSuSE Tumbleweed – testing the password of any user with getent and openssl


For one of my VMs I forgot to note which of the initial passwords I had changed, so I wanted to check them.

Since I didn’t have a keyboard attached to the console and ssh wasn’t allowing root, I needed an alternative to actually logging in to test the passwords.

Luckily /etc/shadow, together with getent and openssl, came to the rescue.

Since getent varies per distribution, here is how it works on OpenSuSE:

statler:/etc # getent --help
Usage: getent [OPTION...] database [key ...]
Get entries from administrative database.

  -i, --no-idn               disable IDN encoding
  -s, --service=CONFIG       Service configuration to be used
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Supported databases:
ahosts ahostsv4 ahostsv6 aliases ethers group gshadow hosts initgroups
netgroup networks passwd protocols rpc services shadow

For bug reporting instructions, please see:
<http://bugs.opensuse.org>.

As $username is empty when you sudo to root level, I’ve opted for this to get the relevant entry from the /etc/shadow database (reading the shadow database requires root, so run it under sudo or in a root shell):

getent shadow $(whoami)

On a default OpenSuSE for Raspberry Pi installation (that has linux as the password for user root) it will show something like this:

root:$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0:17033::::::

Here the $1 prefix means that the entry uses crypt hashing method 1 (MD5-crypt), which nicely corresponds to the -1 option of openssl passwd [WayBack]; the -5 (SHA-256) and -6 (SHA-512) options need OpenSSL 1.1.0 or later. MD5-crypt is a legacy method that is cheap to brute-force; if an account still has a $1$ entry, changing its password re-hashes it with the system’s current default method. I’ve only seen algorithms 1 (MD5) and 6 (SHA-512).

If you have an older OpenSSL without the -5 and -6 options, then you can use mkpasswd from the whois package instead: hashsum – /etc/shadow : how to generate $6$ ‘s encrypted password? – Unix & Linux Stack Exchange [WayBack]

This is how you split the entry first by colon, then by dollar sign, with a multi-line awk command inside a bash function [WayBack]; the optional first argument selects the user to check, defaulting to the current one:

function verify-password-for-whoami()
{
  # Optional first argument: the user to check; defaults to the current user.
  # getent shadow only returns the hash field when run as root (e.g. via sudo).
  local user="${1:-$(whoami)}"
  local awkcommand='
    {
      # field 2 is "$id$salt$hash", so hash[2]=id, hash[3]=salt, hash[4]=hash
      # ("[$]" keeps the separator a literal dollar sign in every awk)
      split($2, hash, "[$]");
      algorithms[1] = "MD5";
      algorithms[5] = "SHA-256";
      algorithms[6] = "SHA-512";
      # method names as mkpasswd expects them; "mkpasswd -m help" lists them
      methods[5] = "sha-256";
      methods[6] = "sha-512";
      print "username        " $1
      print "algorithm index " hash[2]
      print "algorithm name  " algorithms[hash[2]]
      print "salt            " hash[3]
      print "hash            " hash[4]
      if (hash[2] == 1 || hash[2] == 5 || hash[2] == 6)
      {
        # both tools prompt for the password on the terminal
        if (hash[2] == 1)
          system("openssl passwd -" hash[2] " -salt " hash[3])
        else
          system("mkpasswd -m " methods[hash[2]] " --salt " hash[3])
        print "verify above outcome against"
        print $2
      }
      else
        print "hash algorithm " hash[2] " is not supported"
    }
'
  getent shadow "$user" | awk -F':' "$awkcommand"
}

For a stock OpenSuSE Tumbleweed for Raspberry Pi you get this when entering linux as the password; the two lines at the bottom must be identical for the password to be correct:

# verify-password-for-whoami 
username        root
algorithm index 1
algorithm name  MD5
salt            wYJUgpM5
hash            RXMMeASDc035eX.NbYWFl0
Password: 
$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0
verify above outcome against
$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0
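The bash function above leaves the final comparison to your eyes and needs openssl or mkpasswd installed. The following is an added example, not code from the original post: it does the same check in Python by re-implementing the MD5-crypt ($1$) algorithm that openssl passwd -1 uses on top of hashlib, so it runs offline, and it compares the result in constant time. The function names (md5crypt, parse_shadow_line, verify_shadow_line) are mine; the sample entry is the root line shown in the post. For $5$/$6$ entries it falls back to Python’s crypt module where that still exists (it was removed in Python 3.13).

```python
"""Verify a candidate password against a getent shadow entry (added example)."""
import hashlib
import hmac

# crypt(3)'s base64 alphabet ("./0-9A-Za-z"), not the RFC 4648 one
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
METHOD_NAMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}


def _to64(value, count):
    """Emit `count` crypt-base64 characters, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt, magic="$1$"):
    """FreeBSD/glibc MD5-crypt, as used by openssl passwd -1: "$1$<salt>$<22 chars>"."""
    pw = password.encode()
    salt_bytes = salt.encode()[:8]  # crypt(3) uses at most 8 salt characters
    ctx = hashlib.md5(pw + magic.encode() + salt_bytes)
    alt = hashlib.md5(pw + salt_bytes + pw).digest()
    pl = len(pw)
    while pl > 0:  # mix in as many bytes of alt as the password is long
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:  # the original's "something really weird" step
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_bytes)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return magic + salt_bytes.decode() + "$" + encoded


def parse_shadow_line(line):
    """Split "user:$id$salt$hash:lastchg:..." into its security-relevant parts."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry")
    user, field = fields[0], fields[1]
    if field in ("", "*") or field.startswith("!"):
        # locked account or no password set: there is nothing to verify
        return {"user": user, "locked": True, "hash": field}
    parts = field.split("$")  # ["", id, salt, hash]; $5$/$6$ may carry rounds= first
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("unsupported crypt format: %r" % field)
    return {
        "user": user, "locked": False, "hash": field,
        "method_id": parts[1], "method": METHOD_NAMES.get(parts[1], "unknown"),
        "salt": parts[2], "digest": parts[-1],
    }


def verify_shadow_line(line, candidate):
    """True if `candidate` hashes to the stored value of the shadow entry."""
    info = parse_shadow_line(line)
    if info["locked"]:
        return False
    if info["method_id"] == "1":
        computed = md5crypt(candidate, info["salt"])
    else:
        try:
            import crypt  # deprecated in Python 3.11, removed in 3.13
        except ImportError:
            raise NotImplementedError("method $%s$ needs crypt(3)" % info["method_id"])
        computed = crypt.crypt(candidate, info["hash"])
    # constant-time comparison so a wrong guess does not leak how much matched
    return hmac.compare_digest(computed, info["hash"])


if __name__ == "__main__":
    # constructed sample: the root entry from the post, password "linux"
    sample = "root:$1$wYJUgpM5$RXMMeASDc035eX.NbYWFl0:17033::::::"
    for guess in ("linux", "Linux"):
        print(guess, "->", verify_shadow_line(sample, guess))
```

To check a live account, feed it the output of getent shadow for that user (as root); the comparison is against the whole "$1$salt$hash" field, so a mismatching salt or method fails just like a wrong password does.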

–jeroen

via: hash – Given a linux username and a password how can I test if it is a valid account? – Stack Overflow [WayBack]

