[SOLVED] Check if my root password is a Certain Text
I want to check if my root password is a certain text.
For example, I want to check if my root password is MyPWD123.
To put some context to this question, I want to write a script where I will check if my root password is, let's say, MyPWD!23. I want to run the script just before login and would like to immediately shut down my PC if the root password is not MyPWD123.
Well, if you are talking about remote access you are setting yourself up for an automatic denial of service situation as the root account gets knocked on continuously while connected to the net.
However, to address your question, I would say you could write something hooked into your system's Pluggable Authentication Modules (PAM). It would be a kludge though.
Quote:
Originally Posted by blueray
I want to check if my root password is a certain text.
For example, I want to check if my root password is MyPWD123.
To put some context to this question, I want to write a script where I will check if my root password is, let's say, MyPWD!23. I want to run the script just before login and would like to immediately shut down my PC if the root password is not MyPWD123.
How can I do that?
Perhaps someone knows of a way to do it but I'm not sure how you run a script before logging in. Is a command interpreter running and associated with a tty that could run a script before anyone's logged in? Don't think so.
Q: Can you define a boot password for this system? I'm not a big fan of boot passwords but I suppose they have their uses. I would think that using a sufficiently difficult root password, disallowing the root account from logging in except on the system console, and controlling "sudo" access would suffice. Just my US$0.02.
If that's not possible or sufficient, my guess is that someone (read: not me) could do that by setting up a special PAM configuration "rule" to handle a password failure for the root account. Caveat: I've never done this but if you're trying to hook into the login process and deal with a password failure, I'm pretty certain that the PAM subsystem would be the place to do it.
Note: When I did some reading about tweaking PAM configuration file(s), writing custom rules, etc., I saw warnings about how a mistake could render the system inaccessible. Proceed with caution. I would back up everything you might be touching in "/etc/pam.d" -- heck, I'm paranoid... I'd back up the entire "/etc/pam.d" directory tree just to be sure before modifying anything -- and make sure you have a way to boot using some emergency media so you could mount your "/" filesystem and restore that tree from your backup.
First, I would try it on another user and on a different script (which will not do anything harmful).
You can do something like that: generate password hash from MyPWD123 and check if root has the same password hash. https://unix.stackexchange.com/quest...for-etc-shadow
You can also make some actions on failed login attempts.
You can (for example) completely disable remote [ssh] login for root.
For me it looks like you have a problem and you want to solve it in a wrong way. Probably would be better to explain the original issue.
I agree with pan64. Please review the X Y Problem link in my signature and then state the problem you're trying to solve instead of asking how to do what you think the solution is.
So you want a script that will shut down the computer when someone types in the wrong password?
Not sure how having the computer shut down will be helpful, but you should look at some of the SSH scripts that set up iptable rules to block an IP that fails to log in after a few attempts. You should be able to modify them to shut down instead of set an iptable rule.
Good, if you are asking about remote access as the root account gets closed while connected to the net. I would say you could write something hooked into your system.
I don't understand the question. Is this asking that an incorrect password results in a shutdown? Or that, before passwords are evaluated they are matched against some stored password? The latter seems impossible to me, the former simply foolish.
I'm pretty confused by your question (as are others). :\
But, solving this problem should be something like-- generate a password hash of the password you are looking for (using information from pan64's link). Then, your script should simply acquire the password hash from the system you are logging in on and compare it to the hash you generated. If the system hash is different than the password hash you created, shut down the system.
Re: generating a hash and comparing it to the stored hash
It is my understanding that the passwd command uses a random salt value to generate the password hash, so manually generating a hash is unlikely to match the stored hash. Is that not correct?
One could copy the stored hash from /etc/shadow and save it off someplace for comparison, I suppose, but that seems like a major security risk to me.
I'm gonna repeat my question to the OP: What problem, exactly, are you trying to solve?
Correct - hashes are useless without a salt because a given hash algorithm always produces the same digest from the same plaintext. There is also no way to tell what a password IS, and there should never be, because only the original user should know it. The system needs to know whether it matches what is stored, but that's all. Perhaps OP wants to know if it changed, which is a different story, but they have not answered so who knows.
I've already written a script that acquires a user password and checks if it matches a hashed password (thus I know this can be done). This is the same way a login works. Without the salt, determining if a user entered a password correctly would be nearly impossible.
The password hash on a system is typically secured with 600 permissions. Copying a hash to a separate file can overcome this (or, simply changing the permissions of the hash file). This is a minor security risk. But, I mean-- brute force is the only way to crack a password from a hash. This is true whether a user has a hash or attempting brute force from a login. Without the original password, a hash is basically worthless. That's the whole point of having one.
Hashes are not reversible so you mean comparing hashes. There is no way to retrieve a password from a hash other than by comparing the hash of a known plaintext password, but then the salt is not taken into consideration.
Quote:
Re: generating a hash and comparing it to the stored hash
It is my understanding that the passwd command uses a random salt value to generate the password hash, so manually generating a hash is unlikely to match the stored hash. Is that not correct?
One could copy the stored hash from /etc/shadow and save it off someplace for comparison, I suppose, but that seems like a major security risk to me.
I'm gonna repeat my question to the OP: What problem, exactly, are you trying to solve?
Sounds to me like they're trying to basically make a suicide linux but not quite so brutal.
Quote:
Hashes are not reversible so you mean comparing hashes. There is no way to retrieve a password from a hash other than by comparing the hash of a known plaintext password, but then the salt is not taken into consideration.
Again-- store a hashed version of the password you would like to check for. If it does not match the system hash (checked right before login as originally requested), shut down the machine. Not sure how this could be accomplished without taking the salt into consideration? :/
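The comparison discussed in the replies above (re-hash the candidate with the salt stored in the entry, then compare the result with the stored field), as an added example that is not part of the original thread. It assumes the `openssl` command line, version 1.1.1 or later; the function names, the salt `examplesalt` and the sample entries are constructed, and only `$5$`/`$6$` entries without a `rounds=` parameter are handled.

```shell
#!/bin/sh
# Added example: check a candidate password against a shadow-format entry by
# re-hashing it with the salt stored in that entry. Function names, the salt
# and the sample entries are constructed for illustration.

# Print the hash field (2nd colon-separated field) for USER from FILE.
shadow_field() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Read the candidate from stdin and compare it with hash FIELD.
# Returns 0 = match, 1 = no match, 2 = cannot check (locked account,
# empty field, or a scheme not handled here, e.g. yescrypt $y$).
check_shadow_field() {
    field=$1
    case $field in
        '$5$rounds='*|'$6$rounds='*) return 2 ;;  # custom rounds: not handled
        '$5$'*) flag=-5 ;;                        # SHA-256 crypt
        '$6$'*) flag=-6 ;;                        # SHA-512 crypt
        *) return 2 ;;
    esac
    rest=${field#\$?\$}     # drop the "$6$" scheme prefix
    salt=${rest%%\$*}       # the salt runs up to the next "$"
    # -stdin keeps the candidate out of the process list.
    computed=$(openssl passwd "$flag" -salt "$salt" -stdin) || return 2
    [ "$computed" = "$field" ]
}

# Build a constructed shadow-format file; the root hash is generated here
# from the thread's example password with a fixed, made-up salt.
make_sample_shadow() {
    h=$(printf '%s\n' 'MyPWD123' | openssl passwd -6 -salt examplesalt -stdin) || return 1
    {
        printf 'root:%s:19000:0:99999:7:::\n' "$h"
        printf 'daemon:*:19000:0:99999:7:::\n'
        printf 'alice:$y$PLACEHOLDER:19000:0:99999:7:::\n'
    } > "$1"
}

# check_user FILE USER  (candidate password on stdin)
check_user() {
    check_shadow_field "$(shadow_field "$1" "$2")"
}
```

Against the real `/etc/shadow` this has to run as root. Entries hashed with a scheme `openssl passwd` does not produce (yescrypt `$y$`, the default on recent Debian and Ubuntu releases) come back as status 2 rather than as a false mismatch.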