tech:script_automatisation_entrees_clavier_automated_input_macro

Differences

Below are the differences between two revisions of the page.


tech:script_automatisation_entrees_clavier_automated_input_macro [2025/03/24 15:06] – created - external edit 127.0.0.1
tech:script_automatisation_entrees_clavier_automated_input_macro [2025/06/05 15:08] (current version) Jean-Baptiste
Ligne 18: Ligne 18:
 interact interact
 </code> </code>
 +
 +
 +
 +Ou dans un script bash
 +
 +Exemple 
 +
 +<code bash>
 +#!/bin/bash
 +# Get password from PAM
 +read password
 +# A few files we use to save and validate the results
 +SHADFILE=/root/newshadow
 +LOGFILE=/root/convpass.log
 +# Let's see if the user has been converted already
 +# The username is provided as an environment variable.
 +CHECK=$(grep ^$PAM_USER $SHADFILE)
 +if [ "x$CHECK" == "x" ]; then
 +    # The user has not been migrated already
 +    #
 +    # First, we need to validate that the provided password 
 +    # is the correct one.  
 +    # Since this script is run for ALL password-attempts, and
 +    # before the user is actually logged in, any brute force attack, 
 +    # or wrong password entered by the user will also be sent to the   
 +    # script.  So we can't just blindly accept whatever password
 +    # is provided here.  We try do a "su" to the provided user
 +    # with the provided password, using "expect", if the su succeds
 +    # the password is correct.  But since su will succeed without a
 +    # password for root, we need to sudo the su command as an
 +    # unprivileged user - in this case the user "nobody"
 +    #
 +    # since we use expect inside a bash-script, 
 +    # we have to escape tcl-$.
 +    expect << EOF
 +    spawn sudo -u nobody su "$PAM_USER" -c "exit" 
 +    expect "Password:"
 +    send "$password\r"
 +    set wait_result  [wait]
 +    # check if it is an OS error or a return code from our command
 +    #   index 2 should be -1 for OS erro, 0 for command return code
 +    if {[lindex \$wait_result 2] == 0} {
 +        exit [lindex \$wait_result 3]
 +    } 
 +    else {
 +        exit 1 
 +    }
 +EOF
 +    # So if the expect-script returns 0, the su succeeded
 +    # and we can continue 
 +    if [ $? == 0 ]; then
 +        echo "Password for user $PAM_USER is correct" >> $LOGFILE
 +        # Generate a new sha512 hash of the provided password:
 +        S512=$(echo "$password" | openssl passwd -6 -stdin)
 +        # Here, I simply generate a new shadow-file to replace the
 +        # old one later.
 +        # But if you need to push this to LDAP, you can of course
 +        # easily generate an ldif or whatever.
 +        echo "$PAM_USER:$S512:18000:0:99999:7:::" >> $SHADFILE
 +        exit 0
 +    fi
 +    echo "Password for user $PAM_USER is incorrect" >> $LOGFILE
 +fi
 +# We return a non 0 exit status just in case, 
 +# but see the note for pam_exec below
 +exit 1
 +</code>
 +
 +Source : https://olathoresen.medium.com/linux-users-password-migration-b6bc4fab267d
 +
  
  
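Review bot: In the `expect << EOF` heredoc, `$password` and `$PAM_USER` are expanded by bash directly into the Tcl source (`send "$password\r"`), so a password containing `"`, `[`, `$` or `\` is parsed by Tcl instead of being sent literally. The script's own comments say it runs for every password attempt before login, so that input is untrusted. Quote the delimiter (`<< 'EOF'`, which also removes the need for `\$`) and pass the values out of band, for example as exported environment variables read with `$env(...)` inside expect. Separately, `grep ^$PAM_USER $SHADFILE` is unquoted and has no trailing `:`, so a user whose name is a prefix of an already-migrated one is treated as migrated and the name is interpreted as a regex. `read password` without `IFS=` and `-r` alters passwords that contain backslashes or surrounding whitespace. The `else` on its own line after `}` is not part of the Tcl `if` command, so the failure path returns non-zero only because that line raises an error.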