From 8ed159b5c2c181bed53128d32bc1b7dbfeab2f3d Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 20 Sep 2022 21:08:38 -0400 Subject: [PATCH] sshpwd-profile-iiab.sh.j2: sudo to verify /etc/shadow --- roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 index 24d87886c..7cea14c41 100755 --- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 +++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh.j2 @@ -16,7 +16,8 @@ check_user_pwd() { #[ $(id -un) = "root" ] || return 2 #[ $(id -un) = "root" ] || [ $(id -un) = "iiab-admin" ] || return 2 - [ -r /etc/shadow ] || return 2 # FORCE ERROR if /etc/shadow not readable + + #[ -r /etc/shadow ] || return 2 # FORCE ERROR if /etc/shadow not readable # *BUT* overall bash script still returns exit code 0 ("success"). #id -u $1 > /dev/null 2>&1 || return 2 # Not needed if return 1 is good @@ -25,7 +26,7 @@ check_user_pwd() { # 2021-08-28: New OS's use 'yescrypt' so use Perl instead of Python (#2949) # This also helps avoid parsing the (NEW) 4th sub-field in $y$j9T$SALT$HASH - field2=$(grep "^$1:" /etc/shadow | cut -d: -f2) + field2=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2) || return 2 # TRY TO FORCE ERROR if /etc/shadow not readable even with sudo [[ $(perl -e "print crypt('$2', '$field2')") == $field2 ]] # # $meth (hashing method) is typically '6' which implies 5000 rounds