Linux user password migration

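#!/bin/bash
#
# conv_passwd.sh - run by pam_exec.so (with expose_authtok) on EVERY
# authentication attempt, before the user is logged in.  It checks that the
# supplied password really is the user's and, if so, records a fresh
# SHA-512 hash for that user in $SHADFILE so the account can be migrated to
# a new password store (a shadow file here; an LDIF would be just as easy).
#
# Inputs:
#   stdin      the candidate password (pam_exec expose_authtok)
#   PAM_USER   the user being authenticated (environment, set by pam_exec)
# Outputs:
#   $SHADFILE  one shadow-style line per migrated user, appended once
#   $LOGFILE   one line per attempt; usernames only, never the password
# Exit status:
#   0 when this call migrated the user, 1 otherwise.  With the pam_exec line
#   marked "optional" this status does not influence the login itself.
#
# Wrong passwords and brute-force attempts reach this script too, so the
# password is verified with "su" (driven by expect) before anything is
# stored.  su must run as an unprivileged user: root is let through without
# a password, which would make the check meaningless.
# NOTE(review): su authenticates through PAM itself; if this pam_exec line
# is in a stack su also consults (e.g. common-auth), each call re-enters this
# script.  Confirm it is only in the target service's stack.

# $SHADFILE holds password hashes and is created by the first append, so
# make sure nothing written here ends up world-readable.
umask 077

SHADFILE=/root/newshadow
LOGFILE=/root/convpass.log

# -r keeps backslashes literal and IFS= keeps leading/trailing blanks;
# both are legal password characters and must reach su unchanged.
IFS= read -r password

# pam_exec always sets PAM_USER; treat its absence as "nothing to do".
if [ -z "$PAM_USER" ]; then
  exit 1
fi

# Already migrated?  Compare the whole first field instead of grepping for
# a prefix (which let "bob" hide "bobby" and let regex characters in the
# name match anything).  awk reads the name from the environment, so it is
# neither re-escaped (as -v would do) nor interpreted as code.
if [ -f "$SHADFILE" ] &&
  awk -F: '$1 == ENVIRON["PAM_USER"] { found = 1 } END { exit !found }' "$SHADFILE"; then
  exit 1
fi

# The credentials reach expect through its environment (per-command
# assignments, so they are not exported to anything else this script runs)
# and the heredoc is quoted: nothing is spliced into the Tcl source, so a
# password containing [ ] $ " or \ can neither break the script nor run
# Tcl commands, and Tcl's own $ needs no escaping.
if CONV_PASSWORD="$password" PAM_USER="$PAM_USER" expect <<'EOF'; then
  set user $env(PAM_USER)
  set pass $env(CONV_PASSWORD)
  # Do not hand the password on to sudo/su as an environment variable.
  unset env(CONV_PASSWORD)
  spawn sudo -u nobody su $user -c exit
  expect {
    -nocase "password:" { send -- "$pass\r" }
    timeout             { exit 1 }
    eof                 { exit 1 }
  }
  expect eof
  # wait returns {pid spawn_id os_error_flag value}: flag -1 means the
  # spawn itself failed, 0 means value is su's exit status.
  set st [wait]
  if {[lindex $st 2] == 0} {
    exit [lindex $st 3]
  } else {
    exit 1
  }
EOF
  echo "Password for user $PAM_USER is correct" >> "$LOGFILE"
  # openssl reads the password from stdin, never argv (ps would show it);
  # printf avoids echo's handling of a leading -n/-e or of backslashes.
  S512=$(printf '%s\n' "$password" | openssl passwd -6 -stdin)
  # An empty hash (e.g. an openssl without -6 support) would produce a line
  # with an empty password field, i.e. a passwordless account.  Never do that.
  if [ -z "$S512" ]; then
    echo "Hashing failed for user $PAM_USER; not migrated" >> "$LOGFILE"
    exit 1
  fi
  # Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved.
  # lastchg is today in days since the epoch, as shadow(5) expects.
  lastchg=$(( $(date +%s) / 86400 ))
  printf '%s\n' "$PAM_USER:$S512:$lastchg:0:99999:7:::" >> "$SHADFILE"
  exit 0
fi
echo "Password for user $PAM_USER is incorrect" >> "$LOGFILE"
# Non-zero by default; harmless while the pam_exec line is "optional".
exit 1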
# pam_exec runs conv_passwd.sh for every authentication attempt.  With
# expose_authtok the candidate password is written to the script's stdin
# (this is what "read password" in the script consumes); log= sends the
# script's output to the same file the script itself appends to.
# "optional" means the script's exit status never decides the outcome:
# pam_unix.so on the next line remains the module that actually authenticates.
# NOTE(review): "debug" adds pam_exec diagnostics to the system log; confirm
# on your version that nothing sensitive ends up there before leaving it on.
auth        optional      pam_exec.so debug log=/root/convpass.log expose_authtok /root/bin/conv_passwd.sh
# try_first_pass lets pam_unix reuse a password an earlier module already
# obtained instead of prompting again.  nullok accepts accounts with an
# empty password field; drop it if that is not intended for this service.
auth        sufficient    pam_unix.so nullok try_first_pass
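#!/bin/bash
#
# check_password_1.sh USERNAME PASSWORD
#
# Verifies a password by running "su USERNAME -c exit" under expect.  It
# must run as a non-root user: su does not ask root for a password, so the
# check would always succeed.
#
# Prints "Password is correct" and exits 0 when su accepts the password,
# otherwise prints "Password is not correct" and exits 1 (usage errors also
# exit 1, with the message on stderr).
#
# NOTE: taking the password on the command line exposes it to every user on
# the host through ps/proc while the script runs, and to shell history.
# Prefer a stdin-based interface (as pam_exec's expose_authtok provides)
# wherever the caller allows it.

if [ "$(id -u)" -eq 0 ]; then
  echo "This script can't be run as root." 1>&2
  exit 1
fi
if [ "$#" -ne 2 ]; then
  echo "Wrong Number of Arguments (expected 2, got $#)" 1>&2
  exit 1
fi
USERNAME=$1
PASSWORD=$2

# Hand the credentials to expect through its environment rather than
# splicing them into the Tcl source: interpolated text IS Tcl code, so a
# password like '[exec ...]' would run commands and one containing '"' or
# '\' would break the script.  The quoted heredoc stops bash from expanding
# anything, so Tcl's own $ needs no escaping either.
if CHK_USER="$USERNAME" CHK_PASS="$PASSWORD" expect <<'EOF'; then
  set user $env(CHK_USER)
  set pass $env(CHK_PASS)
  # Do not pass the password on to su as an environment variable.
  unset env(CHK_PASS)
  spawn su $user -c exit
  expect {
    -nocase "password:" { send -- "$pass\r" }
    timeout             { exit 1 }
    eof                 { exit 1 }
  }
  expect eof
  # wait returns {pid spawn_id os_error_flag value}: flag -1 means the
  # spawn itself failed, 0 means value is su's exit status.
  set st [wait]
  if {[lindex $st 2] == 0} {
    exit [lindex $st 3]
  } else {
    exit 1
  }
EOF
  echo "Password is correct"
  exit 0
fi
echo "Password is not correct"
exit 1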
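#!/bin/bash
#
# check_password_2.sh USERNAME PASSWORD
#
# Verifies a password offline against the hash stored in /etc/shadow, so it
# needs read access to that file (root or the shadow group).
#
# Prints "Password is correct" and exits 0 when the hash matches, otherwise
# prints "Password is not correct" and exits 1 (usage errors also exit 1,
# with the message on stderr).
#
# NOTE: taking the password on the command line exposes it to every user on
# the host through ps/proc while the script runs, and to shell history.

if [ "$#" -ne 2 ]; then
  echo "Wrong Number of Arguments (expected 2, got $#)" 1>&2
  exit 1
fi
USERNAME=$1
PASSWORD=$2

if [ ! -r /etc/shadow ]; then
  echo "Cannot read /etc/shadow" 1>&2
  exit 1
fi

# Exact match on the first field.  The username goes in through the
# environment so awk neither re-interprets backslashes in it (as -v does)
# nor treats it as code.
correct=$(SHADOW_USER="$USERNAME" awk -F: '$1 == ENVIRON["SHADOW_USER"] { print $2; exit }' /etc/shadow)

# The stored hash is a secret: it is never printed (the original debug
# echo of $correct leaked it to stdout).
#
# Refuse accounts without a usable hash BEFORE calling crypt: an unknown
# user gives an empty field and locked/disabled accounts start with "!" or
# "*".  crypt() on such a "salt" yields an empty/undefined result, which
# would compare equal to an empty $correct and accept any password.
case $correct in
  ''|'!'*|'*'*)
    echo "Password is not correct"
    exit 1
    ;;
esac

# Pass the whole stored hash as crypt(3)'s setting string: it reads the
# algorithm id, any parameters (rounds=..., yescrypt's "$y$j9T$") and the
# salt from it and ignores the trailing hash, so every scheme the system's
# libcrypt supports works.  Cutting "$id$salt$" out by hand on the first
# three "$" breaks for schemes with a parameter field.
# printf instead of echo: a password starting with -n/-e or containing
# backslashes must reach perl unchanged.
supplied=$(printf '%s\n' "$PASSWORD" |
  perl -e '$_ = <STDIN>; chomp; my $h = crypt($_, $ARGV[0]); print defined $h ? $h : ""' -- "$correct")

if [ -n "$supplied" ] && [ "$supplied" = "$correct" ]; then
  echo "Password is correct"
  exit 0
fi
echo "Password is not correct"
exit 1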
