I got a Linux server that has several dozen users. I also have the cleartext password for every user (I know - bad security).
I would like to know if the passwords are correct. Since the users are all ftp users and have the nologin shell, I cannot just write a script to check if login works.
How can I do a local check on passwords? Script output could look like this:
$ check_userpw < user_pw_list.txt
user1 ok
user2 ok
user3 mismatch!
user4 ok
Thanks
You could write a script to automate an FTP login on each one using Perl's Net::FTP or GNU Expect or whatever you like, but probably the dead simplest way would be to piggyback on the check_ftp program in Nagios-Plugins. It will return non-zero if the login fails.

If your users are authenticated against local passwords stored in /etc/shadow, you can generate the hashes and compare them yourself.
For MD5 hashes, the field looks like this:
$1$5q9TrKNO$YeVQrfsitsGlapGwhAjIl.
(The ending period is included. This is a hash for the string 'abc'.)
The $ are separators. The 1 in the first field identifies the hash as MD5, and the 5q9TrKNO is a salt randomly generated when the password was set to make dictionary attacks more difficult.
You can use this Perl module to test the hash of your saved password: use the salt from /etc/shadow and the password you have, then check that the result matches the last section.
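A worked version of that check, added here as an example and not part of either answer: it reimplements the $1$ MD5-crypt algorithm with nothing but hashlib (so it does not depend on crypt(3) or a Perl module), takes the salt from each user's /etc/shadow field, and reports results in the format the question asked for. The user names, salts and passwords in the sample data are constructed, and only the $1$ scheme is handled.

```python
import hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
def md5_crypt(password, salt):
    """MD5-crypt ($1$) as found in /etc/shadow, reimplemented with hashlib only."""
    pw, sl = password.encode(), salt[:8].encode()   # the salt is at most 8 characters
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):                # len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                        # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                           # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(sl)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    to64 = lambda v, n: "".join(ITOA64[(v >> 6 * k) & 0x3F] for k in range(n))
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return "$1$" + sl.decode() + "$" + out + to64(final[11], 2)   # 22 chars after the last $

def check_password(password, shadow_hash):          # only the $1$ scheme is implemented here
    parts = shadow_hash.split("$")                  # ['', '1', salt, digest]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("unsupported hash scheme: " + shadow_hash)
    # constant-time comparison, so a near-miss is not distinguishable by timing
    return hmac.compare_digest(md5_crypt(password, parts[2]), shadow_hash)

def check_users(user_pw_lines, shadow_lines):       # yields (user, status) in the asker's format
    shadow = dict(line.split(":")[:2] for line in shadow_lines if ":" in line)
    for line in user_pw_lines:
        user, pw = line.rstrip("\n").split(None, 1)
        if user not in shadow:
            yield user, "no shadow entry"
        else:
            yield user, "ok" if check_password(pw, shadow[user]) else "mismatch!"

# Constructed sample data (salts made up, hashes generated by md5_crypt above).
SHADOW = ["user1:%s:18000:0:99999:7:::" % md5_crypt("s3cret", "ab12CD34"),
          "user2:%s:18000:0:99999:7:::" % md5_crypt("hunter2", "Zz9Yy8Xx")]
USER_PW = ["user1 s3cret", "user2 wrongpass", "user3 whatever"]
if __name__ == "__main__":                          # stand-in for: check_userpw < user_pw_list.txt
    for user, status in check_users(USER_PW, SHADOW):
        print(user, status)
```

On a real box, feed `open("/etc/shadow")` (root only) as the second argument and the password list on stdin; where crypt(3) is available it also handles the $5$ and $6$ schemes, which this pure-Python version does not.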