Linux user password migration

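#!/bin/bash
#
# conv_passwd.sh - invoked by pam_exec (with expose_authtok) on every
# password attempt.  When the attempt is for a user that has not been
# migrated yet and the password verifies against the system, a fresh
# SHA-512 hash of it is appended to $SHADFILE.
#
# Environment: PAM_USER - the user being authenticated (set by pam_exec)
# Input:       the password, one line on stdin (expose_authtok)
# Output:      progress messages appended to $LOGFILE
# Exit status: 0 if the user was migrated by this run, 1 otherwise
#              (see the note on pam_exec below: the status does not by
#              itself decide the login).
set -u

# Get password from PAM.  -r keeps backslashes literal and IFS= keeps
# surrounding whitespace, so the password is taken exactly as typed.
IFS= read -r password

# A few files we use to save and validate the results.
SHADFILE=/root/newshadow
LOGFILE=/root/convpass.log

# The new file holds password hashes: make sure it is created readable
# by its owner only.
umask 077

# The username is provided as an environment variable.  Without a usable
# one there is nothing to do; a colon cannot occur in a username and
# would corrupt the shadow-style line written below.
case "${PAM_USER:-}" in
  '' | *:*) exit 1 ;;
esac

# Let's see if the user has been converted already.  Compare the whole
# first field instead of grepping for a prefix, so that "bob" does not
# match an existing entry for "bobby" and the name is taken literally
# rather than as a regular expression.
if [ -f "$SHADFILE" ] && cut -d: -f1 "$SHADFILE" | grep -qxF -- "$PAM_USER"; then
  exit 1
fi

# The user has not been migrated already.
#
# First, we need to validate that the provided password is the correct
# one.  Since this script is run for ALL password attempts, and before
# the user is actually logged in, any brute force attack or wrong
# password entered by the user will also be sent to the script, so we
# can't just blindly accept whatever password is provided here.  We try
# an "su" to the provided user with the provided password, using
# "expect"; if the su succeeds the password is correct.  But since su
# will succeed without a password for root, we need to sudo the su
# command as an unprivileged user - in this case the user "nobody".
#
# The username and password are handed to expect through the environment
# and the here-document is quoted, so no part of either value is ever
# interpolated into Tcl source (a password containing quotes, brackets
# or "$" would otherwise break or alter the expect script).  pam_exec
# already exports PAM_USER; the export keeps this working when the
# script is run by hand.
export PAM_USER
CONV_PASSWORD="$password" expect <<'EOF'
spawn sudo -u nobody su "$env(PAM_USER)" -c "exit"
expect "Password:"
send -- "$env(CONV_PASSWORD)\r"
# wait returns {pid spawn_id os_error_flag status}: index 2 is -1 for an
# OS error and 0 when index 3 is the exit code of our command.
set wait_result [wait]
if {[lindex $wait_result 2] == 0} {
    exit [lindex $wait_result 3]
} else {
    exit 1
}
EOF
rc=$?

# So if the expect-script returns 0, the su succeeded and we can continue.
if [ "$rc" -eq 0 ]; then
  echo "Password for user $PAM_USER is correct" >> "$LOGFILE"
  # Generate a new sha512 hash of the provided password.  printf rather
  # than echo, so a password such as "-n" is not taken as an option.
  # A failed or empty hash must never be written: an empty second field
  # would turn into a passwordless entry.
  if ! S512=$(printf '%s\n' "$password" | openssl passwd -6 -stdin) || [ -z "$S512" ]; then
    echo "Failed to hash password for user $PAM_USER" >> "$LOGFILE"
    exit 1
  fi
  # Here, I simply generate a new shadow-file to replace the old one
  # later.  But if you need to push this to LDAP, you can of course
  # easily generate an ldif or whatever.
  echo "$PAM_USER:$S512:18000:0:99999:7:::" >> "$SHADFILE"
  exit 0
fi
echo "Password for user $PAM_USER is incorrect" >> "$LOGFILE"

# We return a non 0 exit status just in case,
# but see the note for pam_exec below.
exit 1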
# pam_exec runs the migration script on every password attempt: expose_authtok
# hands the typed password to the script on stdin and log= appends the script's
# output to the named file.  The module is "optional", so the script's exit
# status does not by itself decide the login.
auth        optional      pam_exec.so debug log=/root/convpass.log expose_authtok /root/bin/conv_passwd.sh
# The actual authentication decision is still made by pam_unix.
auth        sufficient    pam_unix.so nullok try_first_pass
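#!/bin/bash
#
# check_password_1.sh $USERNAME $PASSWORD
#
# Verifies a password by letting "su" judge it: "su USERNAME -c exit" is
# spawned under expect, fed the password, and its exit status decides.
# Prints "Password is correct" (exit 0) or "Password is not correct"
# (exit 1); usage errors go to stderr.
#
# This script doesn't work if it is run as root, since then we don't
# have to specify a pw for 'su'.
#
# NOTE: the password is taken from the command line, so it is visible to
# other users in the process list for the lifetime of this script.
set -u

if [ "$(id -u)" -eq 0 ]; then
  echo "This script can't be run as root." 1>&2
  exit 1
fi

if [ "$#" -ne 2 ]; then
  echo "Wrong Number of Arguments (expected 2, got $#)" 1>&2
  exit 1
fi

USERNAME=$1
PASSWORD=$2

# The username and password are handed to expect through the environment
# and the here-document is quoted, so neither value is interpolated into
# Tcl source (quotes, brackets or "$" in a password would otherwise break
# or alter the expect script).
CHECK_USER="$USERNAME" CHECK_PASSWORD="$PASSWORD" expect <<'EOF'
spawn su "$env(CHECK_USER)" -c "exit"
expect "Password:"
send -- "$env(CHECK_PASSWORD)\r"
# wait returns {pid spawn_id os_error_flag status}: index 2 is -1 for an
# OS error and 0 when index 3 is the exit code of our command.
set wait_result [wait]
if {[lindex $wait_result 2] == 0} {
    exit [lindex $wait_result 3]
} else {
    exit 1
}
EOF
rc=$?

if [ "$rc" -eq 0 ]; then
  echo "Password is correct"
  exit 0
fi
echo "Password is not correct"
exit 1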
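#!/bin/bash
#
# check_password_2.sh $USERNAME $PASSWORD
#
# Verifies a password directly against the hash stored in /etc/shadow,
# so it has to run as a user that is allowed to read that file.
# Prints "Password is correct" (exit 0) or "Password is not correct"
# (exit 1); usage errors go to stderr.
#
# NOTE: the password is taken from the command line, so it is visible to
# other users in the process list for the lifetime of this script.
set -u

if [ "$#" -ne 2 ]; then
  echo "Wrong Number of Arguments (expected 2, got $#)" 1>&2
  exit 1
fi

USERNAME=$1
PASSWORD=$2

# Stored hash for the user: the second field of the line whose first
# field is exactly the username.  -v keeps the name out of the awk
# program text, so it is compared literally.
correct=$(awk -v user="$USERNAME" -F : 'user == $1 {print $2}' /etc/shadow)

# An unknown user, an unreadable /etc/shadow or an empty password field
# all leave $correct empty; without this guard the crypt() output for an
# empty setting could compare equal to that empty value, so reject here.
if [ -z "$correct" ]; then
  echo "Password is not correct"
  exit 1
fi

# crypt() reads only the setting part ($id$[rounds=N$]salt$) of its
# second argument and ignores the rest, so the stored hash is passed
# whole.  This also covers "rounds=" entries, where cutting the prefix at
# the third "$" would have dropped the salt.  Locked entries ("!", "*",
# "!$6$...") are an invalid setting: crypt() then yields no output or a
# failure token, neither of which equals the stored string.  printf, not
# echo, so a password such as "-n" is not taken as an option; the stored
# hash is deliberately not written to stdout.
supplied=$(printf '%s\n' "$PASSWORD" |
  perl -e '$_ = <STDIN>; chomp; print crypt($_, $ARGV[0])' "$correct")

if [ "$supplied" = "$correct" ]; then
  echo "Password is correct"
  exit 0
fi
echo "Password is not correct"
exit 1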
