5

I want to check in a shell script if a local unix-user's passed username and password are correct. What is the easiest way to do this?

Only thing that I found while googling was using 'expect' and 'su' and then checking somehow if the 'su' was successful or not.

1
  • More details on what you're trying to accomplish and what your script is doing might help. Commented Sep 22, 2009 at 12:27

4 Answers 4

8

The username and passwords are written in the /etc/shadow file. Just get the user and the password hash from there (sed would help), hash your own password and check.

Use mkpasswd to generate the hash. You have to look at which salt your version is using. The newest shadow is using sha-512, so:

mkpasswd -m sha-512 password salt

Manpages can help you there a lot.

It would be easier to use PHP and the pam-auth module. There you can check via PHP on group access pwd user.


4 Comments

more details about the implementation of this approach: ubuntuforums.org/archive/index.php/t-1232715.html
Oh ok, nice. I spent 6 hours figuring this approach out by myself a few months ago. This site would have helped a lot. But I needed this for web authentication, so I finally used the auth-pam module of PHP.
Nowhere. It was how I finally solved a similar problem. cluelessCoder has never said what he wants to do. If you want a simple shell solution you have to parse the shadow file. For web authentication this module is easy. Well, you can also create a PHP file and call this one from batch and parse the output (a bit overkill but easy to accomplish too; you only need to have a PHP server running on the local machine). Just several ways to accomplish a goal.
This doesn't work when you don't have access to /etc/shadow
5

Ok, now this is the script that I used to solve my problem. I first tried to write a small C program as suggested by Aaron Digulla, but that proved much too difficult.

Perhaps this script is useful to someone else.

#!/bin/bash
#
# login.sh $USERNAME $PASSWORD
# Exit status 0 means 'su' accepted the password.

# This script doesn't work if it is run as root, since then we don't have to specify a pw for 'su'
if [ "$(id -u)" -eq 0 ]; then
        echo "This script can't be run as root." 1>&2
        exit 1
fi

if [ $# -ne 2 ]; then
        echo "Wrong Number of Arguments (expected 2, got $#)" 1>&2
        exit 1
fi

# Exported so that expect reads them from its environment instead of having
# them pasted into the Tcl source, where quotes, brackets or $ in the
# password would be interpreted as Tcl.
export USERNAME=$1
export PASSWORD=$2

# Setting the language to English for the expected "Password:" string, see http://askubuntu.com/a/264709/18014
export LC_ALL=C

# The heredoc delimiter is quoted, so bash leaves the Tcl code untouched
# and tcl-$ needs no escaping.
expect << 'EOF'
spawn su $env(USERNAME) -c "exit"
expect "Password:"
send -- "$env(PASSWORD)\r"
#expect eof

set wait_result [wait]

# check if it is an OS error or a return code from our command
#   index 2 should be -1 for OS error, 0 for command return code
if {[lindex $wait_result 2] == 0} {
        exit [lindex $wait_result 3]
} else {
        exit 1
}
EOF

1 Comment

Note that export LC_ALL=C at the start of the script would make it work for systems with a different default language, it would set the language to English for this script execution, as it is expecting the string Password:, see askubuntu.com/a/264709/18014.
4

On Linux, you will need to write a small C program which calls pam_authenticate(). If the call returns PAM_SUCCESS, then the login and password are correct.

Comments

0

A partial answer would be to check the user name, whether it is defined in the passwd/shadow file in /etc, then calculate the password's MD5 with salt. If you have your user password sent over SSL (or at least some server terminal service).

It's just a hint because I don't know what you actually need. Because "su" is mainly for authentication purposes.

Other topics which you might look at are Kerberos/LDAP services, but those are hard topics.

Comments