So my question is straightforward: given a Linux username and a password, how can I test if it is a valid account?
2 Answers
You can validate that a given password is correct for a given username using the shadow file.
On most modern distributions, the hashed passwords are stored in the shadow file /etc/shadow (which is only readable by root). As root, pull the line from the shadow file for the given user like so:
```
cat /etc/shadow | grep username
```
You will see something like this:
```
username:$1$TrOIigLp$PUHL00kS5UY3CMVaiC0/g0:15020:0:99999:7:::
```
After the username there is `$1`. This indicates that it is an MD5 hash. After that there is another `$`, then (in this case) `TrOIigLp` followed by another `$`. `TrOIigLp` is the salt. After that is the hashed password, which was hashed using the salt - in this case `PUHL00kS5UY3CMVaiC0/g0`.
Now, you can use openssl to hash the given password using the same salt, like so:
```
openssl passwd -1 -salt TrOIigLp
```
Enter the given password when prompted. The openssl command should compute the MD5 hash using the salt provided, and it should be exactly the same as the above from the shadow file. The `-1` in the above command is for MD5 hashing.

-
Thanks for the info. I was unaware of the parts of shadow file second field. Now I can even use the crypt() function...great answer. – smit Aug 03 '13 at 17:34
-
@mti2935 do you mean `cat /etc/shadow | grep username` or even `grep username /etc/shadow`? – Russell Silva Feb 13 '14 at 16:48
-
Russell, thanks for the correction. Yes, it should have been `cat`, not `echo`. I've edited the answer. – mti2935 Feb 13 '14 at 16:50
-
Hi, the `-1` in `openssl passwd -1 -salt TrOIigLp` stands for MD5 hashing. If I have SHA-512 hashing instead, is it possible to check the hashing with `openssl`? Do I have to use another command instead? – xnr_z Jul 08 '15 at 08:37
-
See http://unix.stackexchange.com/questions/52108/how-to-create-sha512-password-hashes-on-command-line – mti2935 Jul 08 '15 at 10:02
-
The above link provided by mti2935 does not indicate how to include a salt. Another link with method to obtain the hash for a SHA-512 password _with salt_ is here: https://unix.stackexchange.com/a/210146/81811 – Dan Nissenbaum Nov 04 '17 at 22:52
-
@BrunoBronosky `$6$` indicates a sha512 hash. See this [answer](https://unix.stackexchange.com/a/158402/10822) for how to generate/check the hash. – Dario Seidl Jul 10 '18 at 11:32
-
@gst That probably indicates that no password was ever set for the root user. I believe Ubuntu does this by default. In that case, the only way to become root is to log on as an ordinary user, and then use sudo. If the ordinary user isn't in the sudoers file, you can't become root (of course, you could still use rescue mode). Caveat: man shadow says that an empty password field means that you can log on without a password, unless the application decides otherwise. So this is not a secure way to prevent logins. – Kevin Keane Apr 01 '22 at 16:29
-
If you are concerned about security (which you should be), the accepted answer represents a security risk by leaving the plaintext password in the `~/.bash_history` file. With this in mind, it would be better to try logging in, or perhaps removing this entry from the `~/.bash_history`.
-
The accepted answer does not leave a plaintext password in the `~/.bash_history`. However, attempting to log in does seem the better way, since you may not have `sudo` access in order to read `/etc/shadow`. – CivFan Jun 05 '19 at 22:52
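
The check from the first answer, generalized to `$5$`/`$6$` (SHA-256/SHA-512) entries and reading the candidate password from stdin so it never appears on a command line or in shell history, which is the concern raised in the second answer. This is an added example, not code from either answer; the function names are hypothetical, and it assumes an `openssl` build that supports `passwd -5`/`-6`.

```shell
#!/bin/sh
# Added example: verify a candidate password against one /etc/shadow line.
# Function names are illustrative, not from the original answers.

# Classify the second (password) field of a shadow line.
shadow_scheme() {
  case "$1" in
    '')          echo empty ;;        # no password set; see shadow(5)
    '!'*|'*'*)   echo locked ;;       # no password can match
    '$1$'*)      echo md5 ;;
    '$5$'*)      echo sha256 ;;
    '$6$'*)      echo sha512 ;;
    *)           echo unsupported ;;  # e.g. $y$ (yescrypt), $2b$ (bcrypt)
  esac
}

# $1 = full shadow line; the candidate password is read from stdin.
# Returns 0 on match, 1 on mismatch, 2 if the entry cannot be checked here.
verify_shadow_line() {
  sv_rest=${1#*:}                     # drop "username:"
  sv_field=${sv_rest%%:*}             # keep "$id$salt$hash"
  case "$(shadow_scheme "$sv_field")" in
    md5)    sv_flag=-1 ;;
    sha256) sv_flag=-5 ;;
    sha512) sv_flag=-6 ;;
    *)      return 2 ;;
  esac
  sv_salt=$(printf '%s\n' "$sv_field" | cut -d'$' -f3)
  case "$sv_salt" in
    rounds=*) return 2 ;;             # custom round count: not handled here
  esac
  # Re-hash the candidate with the stored salt and compare with the stored field.
  sv_hash=$(openssl passwd "$sv_flag" -salt "$sv_salt" -stdin) || return 2
  [ "$sv_hash" = "$sv_field" ]
}

# Usage (as root): type the password on stdin, then press Ctrl-D:
#   verify_shadow_line "$(grep '^username:' /etc/shadow)" && echo match
```
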