I want to add a user to the Linux system from a script, but I don't want to invent or care for the password. This should be done automatically.
The goal is to generate ssh-keys and this user needs only to login remotely. Or alternatively this user will be used from a sudo user via sudo su - thatuser.
I want to save the hassle of inventing and typing some secure password every time I create such a user, and also do this from scripts.
No one should be able to login with password as this user, so my idea is he gets a good random password but nobody knows it.
I could write a script that generates something random but maybe there is something built in? Or just deactivate the password (so that password login is not possible, but ssh login with keys and sudo su - thatuser works fine).
Edit: There are already some answers, great, but I am still not sure how to do it. What would the script look like?
It should behave like adduser and create everything standard (like std. home dir, skeleton copied, group with the same name).
Edit2: In the end and with your help I found a solution that works and I want to share it. This is a script that I call "adduser-nopasswd" and I put it into /usr/local/sbin (is this a good place?) and it can be executed only by root. It takes one argument, which is the name for the new group and user at the same time:
#!/bin/sh -e
# the -e makes the script exit immediately if one command fails
NAME=$1
# quote the name so an argument with spaces or glob characters is not split
groupadd "$NAME"
useradd --create-home -d "/home/$NAME" --shell /bin/bash -g "$NAME" "$NAME"
Any comments on this function?
If you do not specify a password to useradd it won't get set (and the user will thus not be able to log in via password). Note that useradd and adduser are two different commands.
The following should create the new user with its own group, create its home directory (at the default location, as we do not specify any location) and copy skeleton files.
Then you just create the directory .ssh in its home directory, chmod it to 0700 (SSH will want this for security), and put the user's public key in .ssh/authorized_keys (the private/public key pair should be generated by the user him-/herself, on his/her own computer).
If you want to disable the password of an already existing account you can use the following.
Utility /usr/sbin/useradd always created users for me without requiring passwords. I've written many a script that took another system's /etc/passwd and created users for me.
Alternatively, if you look at the documentation for mercurial-server, you'll see how to set up many SSH keys (clients) to run programs as just one user on the server side.
Ok, let's add our users:
If you want just builtin commands for generating random passwords, you can try this:
dd if=/dev/urandom bs=16 count=1 2>/dev/null | uuencode - | head -n 2 | grep -v begin | cut -b 2-10
This will read 16 bytes of random data, uuencode them to convert them to printable characters, cut through the uuencode extra output, then only take the random characters from the encoding. Here is an example output:
$ dd if=/dev/urandom bs=16 count=1 2>/dev/null | uuencode - | head -n 2 | grep -v begin | cut -b 2-10
RJ<B6QYRO
Put a * in the password field in /etc/shadow (this should happen if you don't set a password). This will prevent the user from logging in.
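A way to check the two points made in the answers above (the permissions on .ssh and a password field in /etc/shadow that no password can match), as an added example that is not part of any answer. The function names shadow_pw_state, install_pubkey and perms_of are hypothetical helpers, and the shadow lines are constructed samples.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample data.

# Classify the password field (2nd field) of one /etc/shadow line.
#   empty  -> no password required: never acceptable for a key-only account
#   locked -> field starts with ! or *: no password can ever match it
#   set    -> a usable password hash is present
shadow_pw_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')         echo empty ;;
        '!'*|'*'*)  echo locked ;;
        *)          echo set ;;
    esac
}

# Install one public key for a key-only account.
#   $1 = home directory, $2 = public key line, $3 = optional owner (user:group)
install_pubkey() {
    home=$1 key=$2 owner=${3:-}
    (
        umask 077                       # never create group/world-readable files
        mkdir -p "$home/.ssh"
        chmod 0700 "$home/.ssh"
        touch "$home/.ssh/authorized_keys"
        # Append only if this exact line is not there yet, so reruns are safe.
        grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
        chmod 0600 "$home/.ssh/authorized_keys"
        if [ -n "$owner" ]; then chown -R "$owner" "$home/.ssh"; fi
    )
}

# Permission string of a path, e.g. drwx------ (portable: parsed from ls -ld).
perms_of() { ls -ld "$1" | cut -c1-10; }

# Constructed sample /etc/shadow lines (not from a real system).
for line in 'svc1:!:19700:0:99999:7:::' 'svc2:*:19700::::::' 'svc3::19700::::::'; do
    printf '%s -> %s\n' "${line%%:*}" "$(shadow_pw_state "$line")"
done
```

As root, the same check can be run against a real account with shadow_pw_state "$(getent shadow NAME)"; anything other than "locked" means the account is not key-only.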
I use passook to generate passwords on login servers I maintain. While logging in isn't a requirement in your case, I find when it is, passook generates memorable enough passwords.