In the end, you need to call the crypt(3) function from libcrypt (which on GNU systems like Linux Mint comes with the GNU libc) with the password as first argument and the hash ($6$...) as second argument.

python is one such tool that exposes that function, so you can do:

```sh
HASH='$6$...' python2 -c 'import crypt, os, getpass
print(crypt.crypt(getpass.getpass(), os.environ["HASH"]))'
```

And if the output matches the hash, that was the right password.
$HASH above can be either the full hash (like $6$rounds=1234$somesalt$6eFBNhSgwEwdfZBHueBedpcqaVKGcV2DJy/tQMFd3JL88hwvgTkISJShnOUrbtP1fRs8I9rGIdsgWCoiujxD2/) or just the part of it up to the rightmost $, that is including the salt and optional round count ($6$rounds=1234$somesalt$).
Or you can do the verification in python:

```sh
HASH='$6$...' python2 -c '
import crypt, os, getpass
hash = os.environ["HASH"]
# crypt() reads the salt (and rounds) out of the stored hash, so re-hashing
# the candidate password with the full hash as the setting must give it back
if crypt.crypt(getpass.getpass(), hash) == hash:
    print "OK"
else:
    print "Wrong password"'
```

(then obviously, $HASH has to contain the full hash).
With python, you can also call functions from arbitrary libraries using the ctypes module. So another way to call the system's crypt() function (not that you'd need to as crypt is one of the standard modules, it's just that I was earlier under the impression that the crypt module came with its own separate crypt() implementation) is with something like:

```sh
HASH='$6$...' python2 -c '
from ctypes import *
import os, getpass
l = CDLL("libcrypt.so.1")
l.crypt.restype = c_char_p   # crypt(3) returns a char *, not an int
print l.crypt(getpass.getpass(), os.environ["HASH"])'
```
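As an added example that is not part of the answer above: the same check done without crypt(3) at all, by reimplementing what libcrypt computes for a $6$ setting (Drepper's SHA-512-crypt: the A, P and S digests, the rounds loop, then the 21-group crypt-base64 encoding). Seeing the algorithm shows why the setting only needs the part up to the rightmost $, why rounds= is clamped to 1000..999999999, and why a stored field of `!` or `*` can never verify. It needs only hashlib and hmac, which matters now that the crypt module has been removed from Python 3.13. The shadow lines are constructed for the example; the root hash is the published sha-crypt test vector for "Hello world!" with salt "saltstring", so the result can be cross-checked against any crypt(3).

```python
#!/usr/bin/env python3
"""Pure-Python SHA-512-crypt ($6$) as used for /etc/shadow, plus a verifier.
Added example: reimplements the algorithm glibc/libxcrypt run for $6$ (Drepper's
sha-crypt spec) so the check needs neither crypt(3) nor the removed 'crypt' module."""
import hashlib
import hmac

_ALPHABET = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_ROUNDS_DEFAULT, _ROUNDS_MIN, _ROUNDS_MAX, _SALT_MAX = 5000, 1000, 999_999_999, 16


def parse_setting(setting: str):
    """'$6$[rounds=N$]salt[$hash]' -> (salt, rounds, rounds_custom), as crypt(3)
    does: rounds clamped to [1000, 999999999], salt cut at the next '$' and
    truncated to 16 bytes. Only a plain digit string is accepted after 'rounds='."""
    if not setting.startswith("$6$"):
        raise ValueError("not a SHA-512-crypt ($6$) setting")
    rest, rounds, custom = setting[3:], _ROUNDS_DEFAULT, False
    if rest.startswith("rounds="):
        num, sep, tail = rest[len("rounds="):].partition("$")
        if sep and num.isdigit():
            rounds, custom, rest = max(_ROUNDS_MIN, min(int(num), _ROUNDS_MAX)), True, tail
    return rest.split("$", 1)[0][:_SALT_MAX], rounds, custom


def _stretch(digest: bytes, n: int) -> bytes:
    """Repeat a 64-byte digest and cut it to exactly n bytes (builds P and S)."""
    return (digest * (n // 64 + 1))[:n]


def _b64(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt-style base64: 24 bits emitted low 6 bits first, n characters."""
    w, out = (b2 << 16) | (b1 << 8) | b0, []
    for _ in range(n):
        out.append(chr(_ALPHABET[w & 0x3F]))
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, setting: str) -> str:
    """Return the full '$6$...$hash' string crypt(3) returns for this setting."""
    salt_str, rounds, custom = parse_setting(setting)
    salt, klen, h = salt_str.encode(), len(password), hashlib.sha512
    # B = H(key || salt || key); A = H(key || salt || B cut to klen || mix), where mix
    # appends B for each 1 bit and the key for each 0 bit of klen, low bit first.
    b = h(password + salt + password).digest()
    ctx, n = h(password + salt + _stretch(b, klen)), klen
    while n:
        ctx.update(b if n & 1 else password)
        n >>= 1
    a = ctx.digest()
    # P = H(key repeated klen times) stretched to klen; S = H(salt repeated 16 + A[0]
    # times) stretched to the salt length. Both are fixed for the whole rounds loop.
    p = _stretch(h(password * klen).digest(), klen)
    s = _stretch(h(salt * (16 + a[0])).digest(), len(salt))
    # The work factor: 'rounds' chained digests with a fixed A/P/S interleaving.
    c = a
    for i in range(rounds):
        ctx = h(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    # 64 bytes -> 86 chars, in the permuted byte order crypt(3) uses for $6$.
    out = []
    for k in range(21):
        i0, i1, i2 = k, k + 21, k + 42
        t = ((i0, i1, i2), (i1, i2, i0), (i2, i0, i1))[k % 3]
        out.append(_b64(c[t[0]], c[t[1]], c[t[2]], 4))
    out.append(_b64(0, 0, c[63], 2))
    return "$6$" + (f"rounds={rounds}$" if custom else "") + salt_str + "$" + "".join(out)


def verify_password(password: str, stored: str) -> bool:
    """True iff recomputing with the stored setting reproduces the stored string.
    Constant-time compare, so the check does not leak how many chars matched."""
    return hmac.compare_digest(sha512_crypt(password.encode(), stored).encode(), stored.encode())


def verify_shadow_line(password: str, line: str) -> bool:
    """Check one /etc/shadow record ('name:hash:lastchg:...'). A field that is empty,
    '*', or starts with '!' is locked or passwordless and never verifies; other
    schemes ($1$, $5$, $y$, ...) are outside this example."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[1] or fields[1][0] in "!*":
        return False
    return fields[1].startswith("$6$") and verify_password(password, fields[1])


# Constructed shadow lines. The root hash is the sha-crypt spec's published test
# vector for password "Hello world!" with setting "$6$saltstring" (default 5000 rounds).
SHADOW_ROOT = ("root:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4"
               "OTLiBFdcbYEdFCoEOfaS35inz1:17499:0:99999:7:::")
SHADOW_LOCKED = "daemon:*:17499:0:99999:7:::"

if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Password to test against the constructed root line: ")
    print("OK" if verify_shadow_line(pw, SHADOW_ROOT) else "Wrong password")
```

To check a real machine, replace SHADOW_ROOT with the root line read from /etc/shadow (as root, since the file is mode 0640 root:shadow); the verifier compares the whole string, so the full hash must be passed, exactly as the answer notes for its second snippet.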
$6$ means it's a SHA-512 hash, I found the answer here: https://unix.stackexchange.com/q/52108/46851 – Roger Lipscombe Nov 29 '17 at 10:35

… su to use the root password (which it should), then I must assume your machine is compromised in some way. Is that correct? – Kusalananda Nov 29 '17 at 11:13

… su and sudo. By taking them out of the equation, I can verify only the hash in /etc/shadow, without anything else in the way. – Roger Lipscombe Nov 29 '17 at 11:18

… su to allow me to use my user password in the same way as sudo does. Is there? Probably not. But I don't know for sure. – Roger Lipscombe Nov 29 '17 at 11:19

… su; that would be stupid. After the "Apple re-enables your root account without a password" thing today, I went looking to see if I had a root password. To my surprise, I did. I found the other question ("Why is the root password on Linux Mint...?"). I was looking for a good way to simply (i.e. no su, no sudo, no ssh) see what password the root account had. So: verify the hash. – Roger Lipscombe Nov 29 '17 at 17:42

… su accepting the users' own password... that's possible in principle: shadow-utils contains code for access control within su, through /etc/suauth, but it's disabled if PAM is used (which it is on Debian). I suppose something similar could be done with PAM. – ilkkachu Nov 29 '17 at 18:07