LinuxQuestions.org
Old 02-25-2020, 10:00 PM   #1
blueray
Member
 
Registered: Feb 2020
Location: Bangladesh
Distribution: Debian, Ubuntu, Linux Mint
Posts: 136

Rep: Reputation: 2
Check if my root password is a Certain Text


I want to check if my root password is a certain text.

For example, I want to check if my root password is MyPWD123.

To put some context to this question, I want to write a script where I will check if my root password is let's say MyPWD!23. I want to run the script just before login and would like to immediately shut down my PC if the root password is not MyPWD123.

How can I do that?
 
Old 02-26-2020, 12:44 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,337
Blog Entries: 3

Rep: Reputation: 3732
Well, if you are talking about remote access you are setting yourself up for an automatic denial of service situation as the root account gets knocked on continuously while connected to the net.

However, to address your question, I would say you could write something hooked into your system's Pluggable Authentication Modules (PAM). It would be a kludge though.
 
Old 02-26-2020, 12:45 AM   #3
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (SW Chicago 'burbs)
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,812

Rep: Reputation: 550
Quote:
Originally Posted by blueray View Post
I want to check if my root password is a certain text.

For example, I want to check if my root password is MyPWD123.

To put some context to this question, I want to write a script where I will check if my root password is let's say MyPWD!23. I want to run the script just before login and would like to immediately shut down my PC if the root password is not MyPWD123.

How can I do that?
Perhaps someone knows of a way to do it but I'm not sure how you run a script before logging in. Is a command interpreter running and associated with a tty that could run a script before anyone's logged in? Don't think so.

Q: Can you define a boot password for this system? I'm not a big fan of boot passwords but I suppose they have their uses. I would think that using a sufficiently difficult root password, disallowing the root account from logging in except on the system console, and controlling "sudo" access would suffice. Just my US$0.02.

If that's not possible or sufficient, my guess is that someone (read: not me) could do that by setting up a special PAM configuration "rule" to handle a password failure for the root account. Caveat: I've never done this but if you're trying to hook into the login process and deal with a password failure, I'm pretty certain that the PAM subsystem would be the place to do it.

Note: When I did some reading about tweaking PAM configuration file(s), writing custom rules, etc., I saw warnings about how a mistake could render the system inaccessible. Proceed with caution. I would back up everything you might be touching in "/etc/pam.d" -- heck, I'm paranoid... I'd back up the entire "/etc/pam.d" directory tree just to be sure before modifying anything -- and make sure you have a way to boot using some emergency media so you could mount your "/" filesystem and restore that tree from your backup.

Good luck...
 
Old 02-26-2020, 02:15 AM   #4
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,992

Rep: Reputation: 7337
First I would try it on another user and on a different script (which will not do anything harmful).

You can do something like this: generate a password hash from MyPWD123 and check if root has the same password hash. https://unix.stackexchange.com/quest...for-etc-shadow
You can also take some actions on failed login attempts.
You can (for example) completely disable remote [ssh] login for root.

For me it looks like you have a problem and you want to solve it in the wrong way. It would probably be better to explain the original issue.
 
Old 02-26-2020, 09:59 AM   #5
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,738

Rep: Reputation: 2222
I agree with pan64. Please review the X Y Problem link in my signature and then state the problem you're trying to solve instead of asking how to do what you think the solution is.

Last edited by scasey; 02-26-2020 at 10:01 AM.
 
2 members found this post helpful.
Old 02-26-2020, 10:14 AM   #6
uteck
Senior Member
 
Registered: Oct 2003
Location: Elgin,IL,USA
Distribution: Ubuntu based stuff for the most part
Posts: 1,177

Rep: Reputation: 501
So you want a script that will shut down the computer when someone types in the wrong password?
Not sure how having the computer shut down will be helpful, but you should look at some of the SSH scripts that set up iptables rules to block an IP that fails to log in after a few attempts. You should be able to modify them to shut down instead of setting an iptables rule.
 
Old 02-28-2020, 01:19 PM   #7
Lucifer53
LQ Newbie
 
Registered: Feb 2020
Posts: 10

Rep: Reputation: Disabled
Good, if you are asking about remote access as the root account gets closed while connected to the net. I would say you could write something hooked into your system.
 
Old 02-28-2020, 01:34 PM   #8
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
I don't understand the question. Is this asking that an incorrect password result in a shutdown? Or that, before passwords are evaluated, they are matched against some stored password? The latter seems impossible to me, the former simply foolish.
 
Old 02-28-2020, 01:49 PM   #9
username_11011
Member
 
Registered: Nov 2017
Location: Odessa, TX
Distribution: slackwarearm
Posts: 30

Rep: Reputation: Disabled
I'm pretty confused by your question (as are others). :\

But, solving this problem should be something like-- generate a password hash of the password you are looking for (using information from pan64's link). Then, your script should simply acquire the password hash from the system you are logging in on and compare it to the hash you generated. If the system hash is different than the password hash you created, shut down the system.
 
Old 02-28-2020, 02:58 PM   #10
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,738

Rep: Reputation: 2222
Re: generating a hash and comparing it to the stored hash

It is my understanding that the passwd command uses a random salt value to generate the password hash, so manually generating a hash is unlikely to match the stored hash. Is that not correct?

One could copy the stored hash from /etc/shadow and save it off someplace for comparison, I suppose, but that seems like a major security risk to me.

I'm gonna repeat my question to the OP: What problem, exactly, are you trying to solve?
 
1 members found this post helpful.
Old 02-28-2020, 03:08 PM   #11
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 2,252

Rep: Reputation: 1011
Correct - hashes are useless without a salt because a given hash algorithm always produces the same digest from the same plaintext. There is also no way to tell what a password IS, and there should never be, because only the original user should know it. The system needs to know whether it matches what is stored, but that's all. Perhaps OP wants to know if it changed, which is a different story, but they have not answered so who knows.
 
Old 02-28-2020, 03:10 PM   #12
username_11011
Member
 
Registered: Nov 2017
Location: Odessa, TX
Distribution: slackwarearm
Posts: 30

Rep: Reputation: Disabled
The salt is also stored in the hash file.

I've already written a script that acquires a user password and checks if it matches a hashed password (thus I know this can be done). This is the same way a login works. Without the salt, determining if a user entered a password correctly would be nearly impossible.

The password hash on a system is typically secured with 600 permissions. Copying a hash to a separate file can overcome this (or, simply changing the permissions of the hash file). This is a minor security risk. But, I mean-- brute force is the only way to crack a password from a hash. This is true whether a user has a hash or is attempting brute force from a login. Without the original password, a hash is basically worthless. That's the whole point of having one.
 
Old 02-28-2020, 03:13 PM   #13
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 2,252

Rep: Reputation: 1011
Hashes are not reversible so you mean comparing hashes. There is no way to retrieve a password from a hash other than by comparing the hash of a known plaintext password, but then the salt is not taken into consideration.
 
Old 02-28-2020, 03:14 PM   #14
Timothy Miller
Moderator
 
Registered: Feb 2003
Location: Arizona, USA
Distribution: Debian, EndeavourOS, OpenSUSE, KDE Neon
Posts: 4,007
Blog Entries: 26

Rep: Reputation: 1522
Quote:
Originally Posted by scasey View Post
Re: generating a hash and comparing it to the stored hash

It is my understanding that the passwd command uses a random salt value to generate the password hash, so manually generating a hash is unlikely to match the stored hash. Is that not correct?

One could copy the stored hash from /etc/shadow and save it off someplace for comparison, I suppose, but that seems like a major security risk to me.

I'm gonna repeat my question to the OP: What problem, exactly, are you trying to solve?

Sounds to me like they're trying to basically make a suicide linux but not quite so brutal.
 
1 members found this post helpful.
Old 02-28-2020, 03:21 PM   #15
username_11011
Member
 
Registered: Nov 2017
Location: Odessa, TX
Distribution: slackwarearm
Posts: 30

Rep: Reputation: Disabled
Quote:
Hashes are not reversible so you mean comparing hashes. There is no way to retrieve a password from a hash other than by comparing the hash of a known plaintext password, but then the salt is not taken into consideration.
Again-- store a hashed version of the password you would like to check for. If it does not match the system hash (checked right before login as originally requested), shut down the machine. Not sure how this could be accomplished without taking the salt into consideration? :/
 
  

