mirror of
https://github.com/iiab/iiab.git
synced 2025-03-09 15:40:17 +00:00
Check passwds hashed w/ 'yescrypt' etc too, in /etc/shadow
This commit is contained in:
parent
fa928289fa
commit
029778139b
2 changed files with 22 additions and 12 deletions
|
@ -24,12 +24,17 @@ check_user_pwd() {
|
||||||
# (read access to /etc/shadow is otherwise restricted to just root and
|
# (read access to /etc/shadow is otherwise restricted to just root and
|
||||||
# group www-data i.e. Apache, NGINX get special access). SEE: #2431, #2561
|
# group www-data i.e. Apache, NGINX get special access). SEE: #2431, #2561
|
||||||
|
|
||||||
# $meth (hashing method) is typically '6' which implies 5000 rounds
|
# 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
|
||||||
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
|
# This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
|
||||||
meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
field2=$(grep "^$1:" /etc/shadow | cut -d: -f2)
|
||||||
salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
|
[[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
|
||||||
hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
|
|
||||||
[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
|
# # $meth (hashing method) is typically '6' which implies 5000 rounds
|
||||||
|
# # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
|
||||||
|
# meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
||||||
|
# salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
|
||||||
|
# hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
|
||||||
|
# [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
|
||||||
}
|
}
|
||||||
|
|
||||||
#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return
|
#grep -q "^PasswordAuthentication\s\+no\b" /etc/ssh/sshd_config && return
|
||||||
|
|
|
@ -23,12 +23,17 @@ check_user_pwd() {
|
||||||
# enough when user does not exist. Or uncomment to FORCE ERROR CODE 2.
|
# enough when user does not exist. Or uncomment to FORCE ERROR CODE 2.
|
||||||
# Either way, overall bash script still returns exit code 0 ("success").
|
# Either way, overall bash script still returns exit code 0 ("success").
|
||||||
|
|
||||||
# $meth (hashing method) is typically '6' which implies 5000 rounds
|
# 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949)
|
||||||
# of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
|
# This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH
|
||||||
meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
field2=$(grep "^$1:" /etc/shadow | cut -d: -f2)
|
||||||
salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
|
[[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]]
|
||||||
hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
|
|
||||||
[ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
|
# # $meth (hashing method) is typically '6' which implies 5000 rounds
|
||||||
|
# # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
|
||||||
|
# meth=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
|
||||||
|
# salt=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
|
||||||
|
# hash=$(grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
|
||||||
|
# [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
|
||||||
}
|
}
|
||||||
|
|
||||||
# 2020-10-13 https://github.com/iiab/iiab/issues/2561 RECAP: Above was blocking
|
# 2020-10-13 https://github.com/iiab/iiab/issues/2561 RECAP: Above was blocking
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue