add user account with pass from script

juanctes · 02-02-2008, 06:37 AM

Hi, I have been looking for this and couldn't find an answer so I think this might help someone in the future.
here it is:
# cat /usr/local/bin/adduser.sh

Code:

#!/bin/bash
if [ $# -ne 4 ] ; then
    echo "USAGE: useradd <homeDir> <userName> <groupName> <literalPassword>"
    exit -1
fi
useradd -m -d $1 -g $3 -p `/usr/local/bin/crypt.php $4` $2

AND

# cat /usr/local/bin/crypt.php

PHP Code:



#!/usr/bin/php
<?php
$pass=$argv[1];
echo crypt($pass);
?>

then you can login with this new user account and literlpassword
the crypt() php's function returns the same encrypted pass as passwd command.
you can automate this by modifying it or caling from an other script's loop.

Hope it'll be usefull for someone.
pd: I have seen many posts that tell you to use an option of passwd that mine does not

have 'echo "password" | passwd --stdin "password"'
that is: --stdin

carltm · 02-03-2008, 09:10 AM

Very cool. Thanks for posting this.

b0uncer · 02-03-2008, 10:13 AM

Very cool - thanks for trashing any security left.

Note that when the user runs that script, the plaintext password is stored at least in his shell's history file if it's used. It's also in plaintext on the screen, and if somebody is monitoring the user commands, it's visible there. So anyway after that the user would need to run passwd and change the password, which is all the same if he just ran useradd (the real useradd) and passwd after that..

If there were no reasons to use passwd, there would be a ready script/program that allowed you do things this way. It's just not sane to type your password in plaintext as a command parameter. When you use passwd and it asks for your password, it doesn't get recorded to shell history, and nothing is printed on screen, so even if somebody was watching your screen, the password would not get revealed -- unless your keyboard was tracked, in which case you're in serious trouble.

So do NOT use the above method in any case - if you want it easy rather than secure, go do Windows.

The way to go (as root - nobody else should be able to add users to the system, so use sudo if you have it):

Code:

useradd -g group -G group -d homedir -s shell username

-g is for initial group, and -G for supplementary groups. Ok, useradd does allow you to use -p passwd, but it expects an encrypted password rather than plaintext, and this is a lot easier to do with passwd anyway, so you'll not be using this. You should tell which shell to use, because if you don't, it might lead to trouble - in some situations if shell is not set, nothing is done. In the simplest case a launched terminal won't give a command line because it doesn't know which shell it should use. An example:

Code:

useradd -d /home/juanctes -s /bin/bash juanctes
passwd juanctes

Easy as that, and though nothing is perfectly secure, this is a lot better than running a simple shell script which doesn't test what values you put in, and doesn't mind you giving it your password in plaintext. Such a shellscript is not only insecure for the user, but can also be misused pretty harshly.

The admin (root) of the system must know the basics like how useradd and passwd works, or otherwise I wouldn't like to be using the system. And if the admin does know these things, a script like the one posted above is out of the question; nobody else than root should be able to add users, for the minimum security, and therefore useradd can well be used. If there is a need to automate the process, a script can be written that does use useradd and passwd - or calculate encrypted passwords and feed them in, but if that's done, it should be done so that you don't accidentally show all the password stuff to the rest of the world.

Think before you do.

juanctes · 02-03-2008, 01:50 PM

I know that every issued command is recorded in .bash_history.. And I know that this isn't a secure way to create accounts. But i needed this functionality and couldn't find it..
For academic reasons I need a java EE program to create an account in the system every time the "Admin" of the program creates a user , so that this user can receive eMail and the system should show the inbox by login in to the imapd with this user account.
this is not intended to be "secure". I apologize if someone thought that this could be used in production environment.
Thanks for the security lesson

I have a question now...
If someone can access your .bash_history then you are already peaced-off don't you?
and, how would you manage if you HAVE to do it automatically and pass a given password already encrypted to the -p option?
*********
it would be nice:
a java method that outputs the same as php`s crypt function. But don't know if it exist.
in that case no plain text password would be revealed
Found something, don't know if it will work.
JCrypt is the solution.
JCrypt.txt
and more variants:
http://www.dynamic.net.au/christos/crypt/
yep now i can say it works! (JCrypt) i gave the output of system.out.println(JCrypt("","QWE")); as the parameter for the -p option to a new user that I added using "adduser" and then i could log in to this account with "QWE" as pass