Bulk user add script

haariseshu · 12-29-2008, 10:58 PM

Hi Guys,
I'm running postfix mail server. It's using /etc/passwd auth. Everything is working charm and currently I'm in a need to add users in bulk around 2000. It's not possible to add all the users by typing commands. With the users list I have append the useradd command and made a simple script. All the users have added. But now the problem is to set password for those password. I can use the same formula I used to add the users. But in passwd -p option requires the encrypted password. If I can able to set any common password means it's also fine. But user name is different.

Anybody know how to achieve this with script or any easy method?

Thanks a lot in Advance...

--
Hari.

kenneho · 12-30-2008, 04:02 AM

I belive you should be able to use that "passwd" alternative you mentioned. Just create a user X with a password "secret" or something. Copy the encrypted string for user X from /etc/shadow, and use that string as input to the "passwd" or "usermod" command.

Disillusionist · 12-30-2008, 06:27 AM

You need to use something like crypt to create the encrypted password.

Example perl script:

Code:

#!/usr/bin/perl
use strict;

my $SALT="FEWge%r~aNjg3q4$%£";
my $user="testuser1";
my $pass="Testing";
my $encrypted=crypt($pass, $SALT);

system("useradd -p $encrypted -m $user");

Obviously, I am not suggesting that you use such an easy password, or even the same password for each account.

Also you probably should change the salt, but keep in complex.

kenneho · 12-30-2008, 06:45 AM

Quote:

Originally Posted by Disillusionist

You need to use something like crypt to create the encrypted password.

Do you know if there are any (bash) shell commands equivalent to this?

rweaver · 12-30-2008, 08:37 AM

Quote:

Originally Posted by kenneho

Do you know if there are any (bash) shell commands equivalent to this?

Sure, mkpasswd... a script to do what the original poster asked from a csv file would look like this...

new-user.sh

Code:

#!/bin/bash
for i in `cat unpw.csv`; do
  UN=`echo $i | cut -f1 -d','`
  PW=`echo $i | cut -f2 -d','`
  ENCPW=`echo $PW | mkpasswd -s`
  echo useradd -p $ENCPW -m $UN
done

unpw.csv

Code:

user1,password1
user2,password2
user3,password3

You might want to add --hash=md5 or something similar to mkpasswd to get a better encryption scheme than the default.

It currently will echo what it will output to the system when you run it... to do the process for real remove the echo.

Good luck.

archtoad6 · 12-30-2008, 09:31 AM

Also look at newusers to do any future job like this, & apg to generate passwords.

rweaver · 12-30-2008, 03:47 PM

Quote:

Originally Posted by archtoad6

Also look at newusers to do any future job like this, & apg to generate passwords.

I forgot about newusers, been ages since I used it. apg is ok but not a default application on many servers. mkpasswd IS installed by default typically.

p_s_shah · 12-31-2008, 06:54 AM

1. Using Shell script

Code:

echo $PASS | passwd $USER --stdin

2. Using Perl

Code:

#!/usr/bin/perl 
use Unix::PasswdFile;

$pw = new Unix::PasswdFile "/etc/passwd";
$pw->passwd("monk", $pw->encpass("My-New-Password"));
$pw->commit();
undef $pw;

kenneho · 01-02-2009, 02:09 AM

Quote:

Originally Posted by rweaver

Code:

#!/bin/bash
for i in `cat unpw.csv`; do
  UN=`echo $i | cut -f1 -d','`
  PW=`echo $i | cut -f2 -d','`
  ENCPW=`echo $PW | mkpasswd -s`
  echo useradd -p $ENCPW -m $UN
done

I actually have mkpasswd installed on one of my servers, and as far as I can see (I may of course be wrong) it produces only unenctrypted passwords. What I would like is to be able to create encrypted passwords but not having to do this by creating a users first and using the passwd command. Any suggestions?

Disillusionist · 01-02-2009, 04:46 AM

As already suggested by ArchToad6 look at newusers.

Create a file containing the users to be created, in my example this is called userlist:

Code:

user1:Passwd1::1000:Test User 1:/home/user1:/bin/bash
user2:Passwd2::1000:Test User 2:/home/user2:/bin/bash

Then use newusers command (as root):

Code:

newusers userlist

Obviously, choose different passwords

passwords are limited to maximum 8 characters (everything after that is ignored)

As userlist contains unencrypted passwords, you must take steps to protect this file (or delete it once it's been used).

EDIT:-

Incidently, I tried mkpasswd and it works for me:

Code:

 echo Password|mkpasswd -s

gave me:

Quote:

6s/SJs4imX6Yw

Disillusionist · 01-02-2009, 05:36 AM

Alternative bash script:

Code:

#!/bin/bash
awk -F"," '{print $1, $2}' unpw.csv|while read UN PW
do
   ENCPW=$(echo $PW|mkpasswd -s)
   echo useradd -p $ENCPW -m $UN
done

kenneho · 01-02-2009, 05:50 AM

Quote:

Originally Posted by Disillusionist

As already suggested by ArchToad6 look at newusers.

Create a file containing the users to be created, in my example this is called userlist:

Code:

user1:Passwd1::1000:Test User 1:/home/user1:/bin/bash
user2:Passwd2::1000:Test User 2:/home/user2:/bin/bash

Then use newusers command (as root):

Code:

newusers userlist

Obviously, choose different passwords

passwords are limited to maximum 8 characters (everything after that is ignored)

As userlist contains unencrypted passwords, you must take steps to protect this file (or delete it once it's been used).

EDIT:-

Incidently, I tried mkpasswd and it works for me:

Code:

 echo Password|mkpasswd -s

gave me:

Thanks for your reply. I'm not really in need of newusers, as I'm only interested in creating a hashed password and not necessarily a new user.

To me it seems like mkpasswd only creates a random password, not a encrypted password:

Code:

[root@server ]# echo Password|mkpasswd 
7p%awJN9o

An encrypted password, at least for use in the /etc/shadow file, should be prefixed with a "$1$".

An interesting observation is that I don't have an "-s" option available:

Code:

[root@server ]# echo Password|mkpasswd -s 
can't use empty string as operand of "+" 
    while executing 
"if {$minnum + $minlower + $minupper + $minspecial > $length} { 
        puts "impossible to generate $length-character password\ 
                with $minnum numbers, $minl..." 
    (file "/usr/bin/mkpasswd" line 74)

Disillusionist · 01-02-2009, 07:12 AM

Quote:

Originally Posted by kenneho

To me it seems like mkpasswd only creates a random password, not a encrypted password:

Code:

[root@server ]# echo Password|mkpasswd 
7p%awJN9o

mkpasswd uses a random SALT when one is not provided. If you provide a salt then it gets the same results time after time.

Try:

Code:

mkpasswd Password Sm

Quote:

Originally Posted by kenneho

An encrypted password, at least for use in the /etc/shadow file, should be prefixed with a "$1$".

The encrypted password in the /etc/shadow file does not have to begin "$1$", however, the algorithm that the passwd command uses creates an encrypted password starting "$1$". Passwords that do not start "$1$" will still work.

EDIT:- removed my first question as I realise it did not originate from the OP

kenneho · 01-02-2009, 07:23 AM

Quote:

Originally Posted by Disillusionist

I thought your original post stated "Currently I'm in a need to add users in bulk around 2000" ...

What are you intending to use the hashed password for?

I'm not the one who started the thread - I posted my first question in the middle of the thread. It's not easy keeping track of who posted what.

To sum up my question: I'd like to encrypt passwords without having to actually add the clear text password to "passwd".

Anyway, I've come accross cases where I need to create an encrypted password for a user, and to accomplish this I've had to run the clear text password through "passwd <someuser>" to get the hashed password. I've had to use this approach on the few servers we've got that doesn't use LDAP.

Quote:

mkpasswd uses a random SALT when one is not provided. If you provide a salt then it gets the same results time after time.

Try:

Code:

mkpasswd Password Sm

The encrypted password in the /etc/shadow file does not have to begin "$1$", however, the algorithm that the passwd command uses creates an encrypted password starting "$1$". Passwords that do not start "$1$" will still work.

Thanks for the info on passwd and "$1$" - didn't know that omitting "$1$" would work.

Disillusionist · 01-02-2009, 08:01 AM

Quote:

Originally Posted by kenneho

I'm not the one who started the thread

Sorry, I realised my mistake whilst you were composing your reply.

Quote:

To sum up my question: I'd like to encrypt passwords without having to actually add the clear text password to "passwd".

You could use usermod -p $ENCPW $UN so long as you have a valid encrypted password but you're going to need to create that encrypted password somewhere.

Quote:

Thanks for the info on passwd and "$1$" - didn't know that omitting "$1$" would work.

You can't just remove the begining of the encrypted password. What I was trying to say was that the encrypted password created by the passwd command starts $1$ but if you create an encrypted password (either using crypt as in my perl sample, or through mkpasswd) that will still be valid.