3

Related to Why is the root password on Linux Mint my user password?

It appears that my Mint 17.3 box has a root password set: I see a password hash in /etc/shadow (it starts with $6$...). I'd like to compare this password hash with my (known) user password.

For whatever reason, I don't trust su - (in the linked question) to not use my password, vs. the root password.

Is there a simple way (in bash, e.g.) to compare a known hash with a known password and see if they match?

  • Once I'd figured out that $6$ means it's a SHA-512 hash, I found the answer here: https://unix.stackexchange.com/q/52108/46851 – Roger Lipscombe Nov 29 '17 at 10:35
  • If you don't trust su to use the root password (which it should), then I must assume your machine is compromised in some way. Is that correct? – Kusalananda Nov 29 '17 at 11:13
  • No. I'm not worried about compromise. I don't trust myself to not get confused between su and sudo. By taking them out of the equation, I can verify only the hash in /etc/shadow, without anything else in the way. – Roger Lipscombe Nov 29 '17 at 11:18
  • For example: it's possible that there's a configuration setting that causes su to allow me to use my user password in the same way as sudo does. Is there? Probably not. But I don't know for sure. – Roger Lipscombe Nov 29 '17 at 11:19
  • No. I'm not planning on reimplementing su; that would be stupid. After the "Apple re-enables your root account without a password" thing today, I went looking to see if I had a root password. To my surprise, I did. I found the other question ("Why is the root password on Linux Mint...?"). I was looking for a good way to simply (i.e. no su, no sudo, no ssh) see what password the root account had. So: verify the hash. – Roger Lipscombe Nov 29 '17 at 17:42
  • @RogerLipscombe, ah, that makes sense, I looked at this from the wrong angle. – ilkkachu Nov 29 '17 at 17:45
  • As for su accepting the users' own password... that's possible in principle: shadow-utils contains code for access control within su, through /etc/suauth, but it's disabled if PAM is used (which it is on Debian). I suppose something similar could be done with PAM. – ilkkachu Nov 29 '17 at 18:07

3 Answers

7

Find the salt used in /etc/shadow; it's the characters between the second and third $. Usually there will be eight.

Use mkpasswd -m sha-512 -S <salt>, and enter the password you think it's supposed to be when it asks. It will output the hash with $6$<salt>$ prefixed.

  • 2
    It's -m sha-512 (with the hyphen) on Mint 17.3; use mkpasswd -m help for the list. – Roger Lipscombe Nov 29 '17 at 15:51
  • That hyphen is also in the method name on my Debian, and probably in general, so it was a typo that I've fixed now. – Henrik supports the community Nov 30 '17 at 09:49
  • I'll have to agree with the man page statement that claims it's overfeatured. It's a shame one can't just pass the salt in its already encoded form (like $6$round=x$salt$ here) directly instead of having to pass the algorithm, salt and round as separate options for mkpasswd to reconstruct the $6$round=x$salt$ salt passed to crypt(3). – Stéphane Chazelas Nov 30 '17 at 09:54
  • You need to install whois: sudo apt install whois – cael ras Oct 23 '20 at 11:45

3

In the end, you need to call the crypt(3) function from the libcrypt (which on GNU systems like Linux Mint comes with the GNU libc) with the password as first argument and the hash ($6$...) as second argument.

python is one such tool that exposes that function, so you can do:

HASH='$6$...' python2 -c 'import crypt, os, getpass
print(crypt.crypt(getpass.getpass(), os.environ["HASH"]))'

And if the output matches the hash, that was the right password.

$HASH above can be either the full hash (like $6$rounds=1234$somesalt$6eFBNhSgwEwdfZBHueBedpcqaVKGcV2DJy/tQMFd3JL88hwvgTkISJShnOUrbtP1fRs8I9rGIdsgWCoiujxD2/) or just the part of it up to the rightmost $, that is including the salt and optional round count ($6$rounds=1234$somesalt$).

Or you can do the verification in python:

HASH='$6$...' python2 -c '
import crypt, os, getpass
hash = os.environ["HASH"]
if crypt.crypt(getpass.getpass(), hash) == hash:
  print "OK"
else:
  print "Wrong password"'

(then obviously, $HASH has to contain the full hash).

With python, you can also call functions from arbitrary libraries using the ctypes module. So another way to call the system's crypt() function (not that you'd need to as crypt is one of the standard modules, it's just that I was earlier under the impression that the crypt module came with its own separate crypt() implementation) is with something like:

HASH='$6$...' python2 -c '
from ctypes import *
import os, getpass
l = CDLL("libcrypt.so.1")
l.crypt.restype = c_char_p
print l.crypt(getpass.getpass(), os.environ["HASH"])'
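The same check as a Python 3 script, added here as an example and not part of the original answer: the crypt module used above was removed in Python 3.13, so this calls the system's crypt(3) through ctypes, refuses locked or empty shadow fields, and compares in constant time. The function names are this example's own, and it assumes a Linux libcrypt that supports $6$ hashes.

```python
import ctypes
import ctypes.util
import getpass
import hmac
import os

def load_crypt():
    """Return the C library's crypt(3) as a callable (bytes, bytes) -> bytes or None."""
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1", "libcrypt.so.2"):
        if not name:
            continue
        try:
            fn = ctypes.CDLL(name).crypt
        except (OSError, AttributeError):
            continue
        fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
        fn.restype = ctypes.c_char_p
        return fn
    raise OSError("no libcrypt with crypt() found")

def setting_of(field):
    """Return the crypt(3) setting: the field up to and including its rightmost '$'."""
    # "", "!", "*", "!$6$..." and legacy DES hashes carry no usable $id$salt$ prefix.
    if not field.startswith("$"):
        raise ValueError("field is empty, locked or not a modular-crypt hash")
    return field[: field.rindex("$") + 1]

def system_crypt(password, setting):
    """Hash password with the algorithm, rounds and salt named in setting."""
    out = load_crypt()(password.encode(), setting.encode())
    # glibc returns NULL on failure; libxcrypt returns a token starting with '*'.
    if out is None or out.startswith(b"*"):
        raise ValueError("crypt(3) rejected this setting")
    return out.decode()

def verify(password, field):
    """True if password hashes to exactly the second field of the /etc/shadow line."""
    candidate = system_crypt(password, setting_of(field))
    return hmac.compare_digest(candidate.encode(), field.encode())

if __name__ == "__main__":
    # As in the answer: pass the full hash in $HASH so it never appears in argv.
    field = os.environ["HASH"]
    print("OK" if verify(getpass.getpass(), field) else "Wrong password")
```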

0

ssh root@localhost comes to mind, though your distribution may have disabled password-based login for root entirely and/or installed a keypair; or logging in on your usual graphical login screen as user root. (Even if you have automatic login enabled, the shutdown dialog may offer to login as another user.)