Software security

Download 2,1 Mb.

Sana	17.04.2022
Hajmi	2,1 Mb.
	#559234

Bog'liq
Authenticate Users with BASH Script

$ sudo awk -F: /^$USER/{ print $2 } /etc/shadow
Starting the Script
What is the SALT

Done by:Shoxrux Usmonov
checked by:Iskandar olimov

Software security
1-assignment

Authenticate Users with BASH Script and AWK

We know that on Linux systems the user’s password is stored in the /etc/shadow file usually. At least for local accounts, we can always query the shadow database and lookup users in a directory backend like AD or openLDAP. We will start the process to authenticate users with bash script and AWK by checking the shadow database with the getent command

getent is a Linux command that helps the user to get the entries in a number of important text files called databases. This includes the passwd and the group of databases which stores the user information. Hence getent is a common way to look up in user details on Linux. Since getent uses the same name of service as the system, getent will be going to show all information, including that gained from the network information sources such as LDAP. The databases it usually searches in are: ahosts, ahostsv4, ahostsv6, aliases, ethers (Ethernet addresses), group, gshadow, hosts, netgroup, networks, passwd, protocols, rpc, services, and shadow. To extract just the second field we can start to look at the use of AWK. When authenticating users, AWK starts simple and becomes just a little more complex. So we can work through some examples. When using a static user name the process is simple.

his all looks very easy so far but we would not normally want to hard code the name of the user to authenticate, it will be passed by a variable and it is here where the problems start. For the moment I will use the $USER variable as I am logged in as the user shoxrux.

$ sudo awk -F: '/^$USER/{ print $2 }' /etc/shadow
Using the -v option to AWK we can set an AWK variable that does not the $ syntax, we can set this for our regular expression where we need to look starting with the user name to authenticate, eventually in our bash script. The tilde ~ is the match operator and we now search the complete line, $0, for our pattern.

Starting the Script
To start the script we need to develop we can add the code so far to a bash script, but prompting for the user with the read command.

Split Elements of the Password Field
The password field from the shadow database is broken into three further fields. The algorithm used, the SALT and the password hash. The $ is used to delimit the fields, but it starts with a $ so the first filed will always be empty. This is more convenient for us as the first field is index 0, so the first field we want is index 1. To split the password field into the three elements we read it into an array

What is the SALT
The SALT is text that is added to the password to help create unique password hashes. If the SALT is random, even if users have the same password the hash produced will be different as the hash is a combination of the Password and SALT encrypted via the hashing algorithm. In our case this is 6 or SHA512. If the same SALT is used then the hash will be the same if the password is the same. This is how users are authenticated. The password hash cannot be decrypted meaning that not even root can read your password. The resulting password hash created by combing the user input with the original SALT is compared with the original hash. If they match the user is authenticated.

References
https://www.geeksforgeeks.org/getent-command-in-linux-with-examples/
https://www.cyberciti.biz/faq/understanding-etcshadow-file/

Download 2,1 Mb.

Do'stlaringiz bilan baham: