Verify password hash in bash script?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite
1












Related to Why is the root password on Linux Mint my user password?



It appears that my Mint 17.3 box has a root password set: I see a password hash in /etc/shadow (it starts with $6$...). I'd like to compare this password hash with my (known) user password.



For whatever reason, I don't trust su - (in the linked question) to not use my password, vs. the root password.



Is there a simple way (in bash, e.g.) to compare a known hash with a known password and see if they match?







share|improve this question




















  • Once I'd figured out that $6$ means it's a SHA-512 hash, I found the answer here: unix.stackexchange.com/q/52108/46851
    – Roger Lipscombe
    Nov 29 '17 at 10:35










  • If you don't trust su to use the root password (which it should), then I must assume your machine is compromised in some way. Is that correct?
    – Kusalananda
    Nov 29 '17 at 11:13










  • No. I'm not worried about compromise. I don't trust myself to not get confused between su and sudo. By taking them out of the equation, I can verify only the hash in /etc/shadow, without anything else in the way.
    – Roger Lipscombe
    Nov 29 '17 at 11:18










  • For example: it's possible that there's a configuration setting that causes su to allow me to use my user password in the same way as sudo does. Is there? Probably not. But I don't know for sure.
    – Roger Lipscombe
    Nov 29 '17 at 11:19










  • No. I'm not planning on reimplementing su; that would be stupid. After the "Apple re-enables your root account without a password" thing today, I went looking to see if I had a root password. To my surprise, I did. I found the other question ("Why is the root password on Linux Mint...?"). I was looking for a good way to simply (i.e. no su, no sudo, no ssh) see what password the root account had. So: verify the hash.
    – Roger Lipscombe
    Nov 29 '17 at 17:42














up vote
0
down vote

favorite
1












Related to Why is the root password on Linux Mint my user password?



It appears that my Mint 17.3 box has a root password set: I see a password hash in /etc/shadow (it starts with $6$...). I'd like to compare this password hash with my (known) user password.



For whatever reason, I don't trust su - (in the linked question) to not use my password, vs. the root password.



Is there a simple way (in bash, e.g.) to compare a known hash with a known password and see if they match?







share|improve this question




















  • Once I'd figured out that $6$ means it's a SHA-512 hash, I found the answer here: unix.stackexchange.com/q/52108/46851
    – Roger Lipscombe
    Nov 29 '17 at 10:35










  • If you don't trust su to use the root password (which it should), then I must assume your machine is compromised in some way. Is that correct?
    – Kusalananda
    Nov 29 '17 at 11:13










  • No. I'm not worried about compromise. I don't trust myself to not get confused between su and sudo. By taking them out of the equation, I can verify only the hash in /etc/shadow, without anything else in the way.
    – Roger Lipscombe
    Nov 29 '17 at 11:18










  • For example: it's possible that there's a configuration setting that causes su to allow me to use my user password in the same way as sudo does. Is there? Probably not. But I don't know for sure.
    – Roger Lipscombe
    Nov 29 '17 at 11:19










  • No. I'm not planning on reimplementing su; that would be stupid. After the "Apple re-enables your root account without a password" thing today, I went looking to see if I had a root password. To my surprise, I did. I found the other question ("Why is the root password on Linux Mint...?"). I was looking for a good way to simply (i.e. no su, no sudo, no ssh) see what password the root account had. So: verify the hash.
    – Roger Lipscombe
    Nov 29 '17 at 17:42












up vote
0
down vote

favorite
1









up vote
0
down vote

favorite
1






1





Related to Why is the root password on Linux Mint my user password?



It appears that my Mint 17.3 box has a root password set: I see a password hash in /etc/shadow (it starts with $6$...). I'd like to compare this password hash with my (known) user password.



For whatever reason, I don't trust su - (in the linked question) to not use my password, vs. the root password.



Is there a simple way (in bash, e.g.) to compare a known hash with a known password and see if they match?







share|improve this question












Related to Why is the root password on Linux Mint my user password?



It appears that my Mint 17.3 box has a root password set: I see a password hash in /etc/shadow (it starts with $6$...). I'd like to compare this password hash with my (known) user password.



For whatever reason, I don't trust su - (in the linked question) to not use my password, vs. the root password.



Is there a simple way (in bash, e.g.) to compare a known hash with a known password and see if they match?









share|improve this question











share|improve this question




share|improve this question










asked Nov 29 '17 at 10:23









Roger Lipscombe

714620




714620











  • Once I'd figured out that $6$ means it's a SHA-512 hash, I found the answer here: unix.stackexchange.com/q/52108/46851
    – Roger Lipscombe
    Nov 29 '17 at 10:35










  • If you don't trust su to use the root password (which it should), then I must assume your machine is compromised in some way. Is that correct?
    – Kusalananda
    Nov 29 '17 at 11:13










  • No. I'm not worried about compromise. I don't trust myself to not get confused between su and sudo. By taking them out of the equation, I can verify only the hash in /etc/shadow, without anything else in the way.
    – Roger Lipscombe
    Nov 29 '17 at 11:18










  • For example: it's possible that there's a configuration setting that causes su to allow me to use my user password in the same way as sudo does. Is there? Probably not. But I don't know for sure.
    – Roger Lipscombe
    Nov 29 '17 at 11:19










  • No. I'm not planning on reimplementing su; that would be stupid. After the "Apple re-enables your root account without a password" thing today, I went looking to see if I had a root password. To my surprise, I did. I found the other question ("Why is the root password on Linux Mint...?"). I was looking for a good way to simply (i.e. no su, no sudo, no ssh) see what password the root account had. So: verify the hash.
    – Roger Lipscombe
    Nov 29 '17 at 17:42
















  • Once I'd figured out that $6$ means it's a SHA-512 hash, I found the answer here: unix.stackexchange.com/q/52108/46851
    – Roger Lipscombe
    Nov 29 '17 at 10:35










  • If you don't trust su to use the root password (which it should), then I must assume your machine is compromised in some way. Is that correct?
    – Kusalananda
    Nov 29 '17 at 11:13










  • No. I'm not worried about compromise. I don't trust myself to not get confused between su and sudo. By taking them out of the equation, I can verify only the hash in /etc/shadow, without anything else in the way.
    – Roger Lipscombe
    Nov 29 '17 at 11:18










  • For example: it's possible that there's a configuration setting that causes su to allow me to use my user password in the same way as sudo does. Is there? Probably not. But I don't know for sure.
    – Roger Lipscombe
    Nov 29 '17 at 11:19










  • No. I'm not planning on reimplementing su; that would be stupid. After the "Apple re-enables your root account without a password" thing today, I went looking to see if I had a root password. To my surprise, I did. I found the other question ("Why is the root password on Linux Mint...?"). I was looking for a good way to simply (i.e. no su, no sudo, no ssh) see what password the root account had. So: verify the hash.
    – Roger Lipscombe
    Nov 29 '17 at 17:42















Once I'd figured out that $6$ means it's a SHA-512 hash, I found the answer here: unix.stackexchange.com/q/52108/46851
– Roger Lipscombe
Nov 29 '17 at 10:35




Once I'd figured out that $6$ means it's a SHA-512 hash, I found the answer here: unix.stackexchange.com/q/52108/46851
– Roger Lipscombe
Nov 29 '17 at 10:35












If you don't trust su to use the root password (which it should), then I must assume your machine is compromised in some way. Is that correct?
– Kusalananda
Nov 29 '17 at 11:13




If you don't trust su to use the root password (which it should), then I must assume your machine is compromised in some way. Is that correct?
– Kusalananda
Nov 29 '17 at 11:13












No. I'm not worried about compromise. I don't trust myself to not get confused between su and sudo. By taking them out of the equation, I can verify only the hash in /etc/shadow, without anything else in the way.
– Roger Lipscombe
Nov 29 '17 at 11:18




No. I'm not worried about compromise. I don't trust myself to not get confused between su and sudo. By taking them out of the equation, I can verify only the hash in /etc/shadow, without anything else in the way.
– Roger Lipscombe
Nov 29 '17 at 11:18












For example: it's possible that there's a configuration setting that causes su to allow me to use my user password in the same way as sudo does. Is there? Probably not. But I don't know for sure.
– Roger Lipscombe
Nov 29 '17 at 11:19




For example: it's possible that there's a configuration setting that causes su to allow me to use my user password in the same way as sudo does. Is there? Probably not. But I don't know for sure.
– Roger Lipscombe
Nov 29 '17 at 11:19












No. I'm not planning on reimplementing su; that would be stupid. After the "Apple re-enables your root account without a password" thing today, I went looking to see if I had a root password. To my surprise, I did. I found the other question ("Why is the root password on Linux Mint...?"). I was looking for a good way to simply (i.e. no su, no sudo, no ssh) see what password the root account had. So: verify the hash.
– Roger Lipscombe
Nov 29 '17 at 17:42




No. I'm not planning on reimplementing su; that would be stupid. After the "Apple re-enables your root account without a password" thing today, I went looking to see if I had a root password. To my surprise, I did. I found the other question ("Why is the root password on Linux Mint...?"). I was looking for a good way to simply (i.e. no su, no sudo, no ssh) see what password the root account had. So: verify the hash.
– Roger Lipscombe
Nov 29 '17 at 17:42










3 Answers
3






active

oldest

votes

















up vote
2
down vote



accepted










Find the salt used in /etc/shadow, it's the characters between the second and third $, usually there will be eight.



Use mkpasswd -m sha-512 -S <salt>, and enter the password you think it's suposed to be when it asks. It will output the hash with $6$<salt>$ prefixed.






share|improve this answer


















  • 2




    It's -m sha-512 (with the hyphen) on Mint 17.3; use mkpasswd -m help for the list.
    – Roger Lipscombe
    Nov 29 '17 at 15:51










  • That hyphen is also in the method name on my debian, and probably in general, so it was a typo, that I've fixed now.
    – Henrik
    Nov 30 '17 at 9:49










  • I'll have to agree with the man page statement that claims it's overfeatured. It's a shame one can't just pass the salt in its already encoded form (like $6$round=x$salt$ here) directly instead of having to pass the algorithm, salt and round as separate options for mkpasswd to reconstruct the $6$round=x$salt$ salt passed to crypt(3).
    – Stéphane Chazelas
    Nov 30 '17 at 9:54


















up vote
2
down vote













In the end, you need to call the crypt(3) function from the libcrypt (which on GNU systems like Linux Mint comes with the GNU libc) with the password as first argument and the hash ($6$...) as second argument.



python is one such tool that exposes that function, so you can do:



HASH='$6$...' python2 -c 'import crypt, os, getpass
print(crypt.crypt(getpass.getpass(), os.environ["HASH"]))'


And if the output matches the hash, that was the right password.



$HASH above can be either the full hash (like $6$rounds=1234$somesalt$6eFBNhSgwEwdfZBHueBedpcqaVKGcV2DJy/tQMFd3JL88hwvgTkISJShnOUrbtP1fRs8I9rGIdsgWCoiujxD2/) or just the part of it up to the rightmost $, that is including the salt and optional round count ($6$rounds=1234$somesalt$).



Or you can do the verification in python:



HASH='$6$...' python2 -c '
import crypt, os, getpass
hash = os.environ["HASH"]
if crypt.crypt(getpass.getpass(), hash) == hash:
print "OK"
else:
print "Wrong password"'


(then obviously, $HASH has to contain the full hash).



With python, you can also call functions from arbitrary libraries using the ctypes module. So another way to call the system's crypt() function (not that you'd need to as crypt is one of the standard modules, it's just that I was earlier under the impression that the crypt module came with its own separate crypt() implementation) is with something like:



HASH='$6$...' python2 -c '
from ctypes import *
import os, getpass
l = CDLL("libcrypt.so.1")
l.crypt.restype = c_char_p
print l.crypt(getpass.getpass(), os.environ["HASH"])'





share|improve this answer





























    up vote
    0
    down vote













    ssh root@localhost comes to mind, though your distribution may have disabled password-based login for root entirely and/or installed a keypair; or logging in on your usual graphical login screen as user root. (Even if you have automatic login enabled, the shutdown dialog may offer to login as another user.)






    share|improve this answer




















      Your Answer







      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "106"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: false,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













       

      draft saved


      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f407700%2fverify-password-hash-in-bash-script%23new-answer', 'question_page');

      );

      Post as a guest






























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      2
      down vote



      accepted










      Find the salt used in /etc/shadow, it's the characters between the second and third $, usually there will be eight.



      Use mkpasswd -m sha-512 -S <salt>, and enter the password you think it's suposed to be when it asks. It will output the hash with $6$<salt>$ prefixed.






      share|improve this answer


















      • 2




        It's -m sha-512 (with the hyphen) on Mint 17.3; use mkpasswd -m help for the list.
        – Roger Lipscombe
        Nov 29 '17 at 15:51










      • That hyphen is also in the method name on my debian, and probably in general, so it was a typo, that I've fixed now.
        – Henrik
        Nov 30 '17 at 9:49










      • I'll have to agree with the man page statement that claims it's overfeatured. It's a shame one can't just pass the salt in its already encoded form (like $6$round=x$salt$ here) directly instead of having to pass the algorithm, salt and round as separate options for mkpasswd to reconstruct the $6$round=x$salt$ salt passed to crypt(3).
        – Stéphane Chazelas
        Nov 30 '17 at 9:54















      up vote
      2
      down vote



      accepted










      Find the salt used in /etc/shadow, it's the characters between the second and third $, usually there will be eight.



      Use mkpasswd -m sha-512 -S <salt>, and enter the password you think it's suposed to be when it asks. It will output the hash with $6$<salt>$ prefixed.






      share|improve this answer


















      • 2




        It's -m sha-512 (with the hyphen) on Mint 17.3; use mkpasswd -m help for the list.
        – Roger Lipscombe
        Nov 29 '17 at 15:51










      • That hyphen is also in the method name on my debian, and probably in general, so it was a typo, that I've fixed now.
        – Henrik
        Nov 30 '17 at 9:49










      • I'll have to agree with the man page statement that claims it's overfeatured. It's a shame one can't just pass the salt in its already encoded form (like $6$round=x$salt$ here) directly instead of having to pass the algorithm, salt and round as separate options for mkpasswd to reconstruct the $6$round=x$salt$ salt passed to crypt(3).
        – Stéphane Chazelas
        Nov 30 '17 at 9:54













      up vote
      2
      down vote



      accepted







      up vote
      2
      down vote



      accepted






      Find the salt used in /etc/shadow, it's the characters between the second and third $, usually there will be eight.



      Use mkpasswd -m sha-512 -S <salt>, and enter the password you think it's suposed to be when it asks. It will output the hash with $6$<salt>$ prefixed.






      share|improve this answer














      Find the salt used in /etc/shadow, it's the characters between the second and third $, usually there will be eight.



      Use mkpasswd -m sha-512 -S <salt>, and enter the password you think it's suposed to be when it asks. It will output the hash with $6$<salt>$ prefixed.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Nov 30 '17 at 8:25

























      answered Nov 29 '17 at 12:27









      Henrik

      3,1791418




      3,1791418







      • 2




        It's -m sha-512 (with the hyphen) on Mint 17.3; use mkpasswd -m help for the list.
        – Roger Lipscombe
        Nov 29 '17 at 15:51










      • That hyphen is also in the method name on my debian, and probably in general, so it was a typo, that I've fixed now.
        – Henrik
        Nov 30 '17 at 9:49










      • I'll have to agree with the man page statement that claims it's overfeatured. It's a shame one can't just pass the salt in its already encoded form (like $6$round=x$salt$ here) directly instead of having to pass the algorithm, salt and round as separate options for mkpasswd to reconstruct the $6$round=x$salt$ salt passed to crypt(3).
        – Stéphane Chazelas
        Nov 30 '17 at 9:54













      • 2




        It's -m sha-512 (with the hyphen) on Mint 17.3; use mkpasswd -m help for the list.
        – Roger Lipscombe
        Nov 29 '17 at 15:51










      • That hyphen is also in the method name on my debian, and probably in general, so it was a typo, that I've fixed now.
        – Henrik
        Nov 30 '17 at 9:49










      • I'll have to agree with the man page statement that claims it's overfeatured. It's a shame one can't just pass the salt in its already encoded form (like $6$round=x$salt$ here) directly instead of having to pass the algorithm, salt and round as separate options for mkpasswd to reconstruct the $6$round=x$salt$ salt passed to crypt(3).
        – Stéphane Chazelas
        Nov 30 '17 at 9:54








      2




      2




      It's -m sha-512 (with the hyphen) on Mint 17.3; use mkpasswd -m help for the list.
      – Roger Lipscombe
      Nov 29 '17 at 15:51




      It's -m sha-512 (with the hyphen) on Mint 17.3; use mkpasswd -m help for the list.
      – Roger Lipscombe
      Nov 29 '17 at 15:51












      That hyphen is also in the method name on my debian, and probably in general, so it was a typo, that I've fixed now.
      – Henrik
      Nov 30 '17 at 9:49




      That hyphen is also in the method name on my debian, and probably in general, so it was a typo, that I've fixed now.
      – Henrik
      Nov 30 '17 at 9:49












      I'll have to agree with the man page statement that claims it's overfeatured. It's a shame one can't just pass the salt in its already encoded form (like $6$round=x$salt$ here) directly instead of having to pass the algorithm, salt and round as separate options for mkpasswd to reconstruct the $6$round=x$salt$ salt passed to crypt(3).
      – Stéphane Chazelas
      Nov 30 '17 at 9:54





      I'll have to agree with the man page statement that claims it's overfeatured. It's a shame one can't just pass the salt in its already encoded form (like $6$round=x$salt$ here) directly instead of having to pass the algorithm, salt and round as separate options for mkpasswd to reconstruct the $6$round=x$salt$ salt passed to crypt(3).
      – Stéphane Chazelas
      Nov 30 '17 at 9:54













      up vote
      2
      down vote













      In the end, you need to call the crypt(3) function from the libcrypt (which on GNU systems like Linux Mint comes with the GNU libc) with the password as first argument and the hash ($6$...) as second argument.



      python is one such tool that exposes that function, so you can do:



      HASH='$6$...' python2 -c 'import crypt, os, getpass
      print(crypt.crypt(getpass.getpass(), os.environ["HASH"]))'


      And if the output matches the hash, that was the right password.



      $HASH above can be either the full hash (like $6$rounds=1234$somesalt$6eFBNhSgwEwdfZBHueBedpcqaVKGcV2DJy/tQMFd3JL88hwvgTkISJShnOUrbtP1fRs8I9rGIdsgWCoiujxD2/) or just the part of it up to the rightmost $, that is including the salt and optional round count ($6$rounds=1234$somesalt$).



      Or you can do the verification in python:



      HASH='$6$...' python2 -c '
      import crypt, os, getpass
      hash = os.environ["HASH"]
      if crypt.crypt(getpass.getpass(), hash) == hash:
      print "OK"
      else:
      print "Wrong password"'


      (then obviously, $HASH has to contain the full hash).



      With python, you can also call functions from arbitrary libraries using the ctypes module. So another way to call the system's crypt() function (not that you'd need to as crypt is one of the standard modules, it's just that I was earlier under the impression that the crypt module came with its own separate crypt() implementation) is with something like:



      HASH='$6$...' python2 -c '
      from ctypes import *
      import os, getpass
      l = CDLL("libcrypt.so.1")
      l.crypt.restype = c_char_p
      print l.crypt(getpass.getpass(), os.environ["HASH"])'





      share|improve this answer


























        up vote
        2
        down vote













        In the end, you need to call the crypt(3) function from the libcrypt (which on GNU systems like Linux Mint comes with the GNU libc) with the password as first argument and the hash ($6$...) as second argument.



        python is one such tool that exposes that function, so you can do:



        HASH='$6$...' python2 -c 'import crypt, os, getpass
        print(crypt.crypt(getpass.getpass(), os.environ["HASH"]))'


        And if the output matches the hash, that was the right password.



        $HASH above can be either the full hash (like $6$rounds=1234$somesalt$6eFBNhSgwEwdfZBHueBedpcqaVKGcV2DJy/tQMFd3JL88hwvgTkISJShnOUrbtP1fRs8I9rGIdsgWCoiujxD2/) or just the part of it up to the rightmost $, that is including the salt and optional round count ($6$rounds=1234$somesalt$).



        Or you can do the verification in python:



        HASH='$6$...' python2 -c '
        import crypt, os, getpass
        hash = os.environ["HASH"]
        if crypt.crypt(getpass.getpass(), hash) == hash:
        print "OK"
        else:
        print "Wrong password"'


        (then obviously, $HASH has to contain the full hash).



        With python, you can also call functions from arbitrary libraries using the ctypes module. So another way to call the system's crypt() function (not that you'd need to as crypt is one of the standard modules, it's just that I was earlier under the impression that the crypt module came with its own separate crypt() implementation) is with something like:



        HASH='$6$...' python2 -c '
        from ctypes import *
        import os, getpass
        l = CDLL("libcrypt.so.1")
        l.crypt.restype = c_char_p
        print l.crypt(getpass.getpass(), os.environ["HASH"])'





        share|improve this answer
























          up vote
          2
          down vote










          up vote
          2
          down vote









          In the end, you need to call the crypt(3) function from the libcrypt (which on GNU systems like Linux Mint comes with the GNU libc) with the password as first argument and the hash ($6$...) as second argument.



          python is one such tool that exposes that function, so you can do:



          HASH='$6$...' python2 -c 'import crypt, os, getpass
          print(crypt.crypt(getpass.getpass(), os.environ["HASH"]))'


          And if the output matches the hash, that was the right password.



          $HASH above can be either the full hash (like $6$rounds=1234$somesalt$6eFBNhSgwEwdfZBHueBedpcqaVKGcV2DJy/tQMFd3JL88hwvgTkISJShnOUrbtP1fRs8I9rGIdsgWCoiujxD2/) or just the part of it up to the rightmost $, that is including the salt and optional round count ($6$rounds=1234$somesalt$).



          Or you can do the verification in python:



          HASH='$6$...' python2 -c '
          import crypt, os, getpass
          hash = os.environ["HASH"]
          if crypt.crypt(getpass.getpass(), hash) == hash:
          print "OK"
          else:
          print "Wrong password"'


          (then obviously, $HASH has to contain the full hash).



          With python, you can also call functions from arbitrary libraries using the ctypes module. So another way to call the system's crypt() function (not that you'd need to as crypt is one of the standard modules, it's just that I was earlier under the impression that the crypt module came with its own separate crypt() implementation) is with something like:



          HASH='$6$...' python2 -c '
          from ctypes import *
          import os, getpass
          l = CDLL("libcrypt.so.1")
          l.crypt.restype = c_char_p
          print l.crypt(getpass.getpass(), os.environ["HASH"])'





          share|improve this answer














          In the end, you need to call the crypt(3) function from the libcrypt (which on GNU systems like Linux Mint comes with the GNU libc) with the password as first argument and the hash ($6$...) as second argument.



          python is one such tool that exposes that function, so you can do:



          HASH='$6$...' python2 -c 'import crypt, os, getpass
          print(crypt.crypt(getpass.getpass(), os.environ["HASH"]))'


          And if the output matches the hash, that was the right password.



          $HASH above can be either the full hash (like $6$rounds=1234$somesalt$6eFBNhSgwEwdfZBHueBedpcqaVKGcV2DJy/tQMFd3JL88hwvgTkISJShnOUrbtP1fRs8I9rGIdsgWCoiujxD2/) or just the part of it up to the rightmost $, that is including the salt and optional round count ($6$rounds=1234$somesalt$).



          Or you can do the verification in python:



          HASH='$6$...' python2 -c '
          import crypt, os, getpass
          hash = os.environ["HASH"]
          if crypt.crypt(getpass.getpass(), hash) == hash:
          print "OK"
          else:
          print "Wrong password"'


          (then obviously, $HASH has to contain the full hash).



          With python, you can also call functions from arbitrary libraries using the ctypes module. So another way to call the system's crypt() function (not that you'd need to as crypt is one of the standard modules, it's just that I was earlier under the impression that the crypt module came with its own separate crypt() implementation) is with something like:



          HASH='$6$...' python2 -c '
          from ctypes import *
          import os, getpass
          l = CDLL("libcrypt.so.1")
          l.crypt.restype = c_char_p
          print l.crypt(getpass.getpass(), os.environ["HASH"])'






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 30 '17 at 10:23

























          answered Nov 29 '17 at 14:52









          Stéphane Chazelas

          282k53520854




          282k53520854




















              up vote
              0
              down vote













              ssh root@localhost comes to mind, though your distribution may have disabled password-based login for root entirely and/or installed a keypair; or logging in on your usual graphical login screen as user root. (Even if you have automatic login enabled, the shutdown dialog may offer to login as another user.)






              share|improve this answer
























                up vote
                0
                down vote













                ssh root@localhost comes to mind, though your distribution may have disabled password-based login for root entirely and/or installed a keypair; or logging in on your usual graphical login screen as user root. (Even if you have automatic login enabled, the shutdown dialog may offer to login as another user.)






                share|improve this answer






















                  up vote
                  0
                  down vote










                  up vote
                  0
                  down vote









                  ssh root@localhost comes to mind, though your distribution may have disabled password-based login for root entirely and/or installed a keypair; or logging in on your usual graphical login screen as user root. (Even if you have automatic login enabled, the shutdown dialog may offer to login as another user.)






                  share|improve this answer












                  ssh root@localhost comes to mind, though your distribution may have disabled password-based login for root entirely and/or installed a keypair; or logging in on your usual graphical login screen as user root. (Even if you have automatic login enabled, the shutdown dialog may offer to login as another user.)







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Nov 29 '17 at 10:28









                  Ulrich Schwarz

                  8,95012643




                  8,95012643



























                       

                      draft saved


                      draft discarded















































                       


                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f407700%2fverify-password-hash-in-bash-script%23new-answer', 'question_page');

                      );

                      Post as a guest













































































                      Popular posts from this blog

                      How to check contact read email or not when send email to Individual?

                      Displaying single band from multi-band raster using QGIS

                      How many registers does an x86_64 CPU actually have?