6

I want to add a user to the Linux system from a script, but I don't want to invent or care for the password. This should be done automatically.

The goal is to generate ssh-keys and this user needs only to login remotely. Or alternatively this user will be used from a sudo user via sudo su - thatuser.

I want to save the hassle inventing and typing some secure password every time I create such a user, and also do this from scripts.

No one should be able to login with password as this user, so my idea is he gets a good random password but nobody knows it.

I could write a script that generates something random but maybe there is something built in? Or just deactivate the password (so that password login is not possible, but ssh login with keys and sudo su - thatuser works fine)?

Edit: There are already some answers, great, but I am still not sure how to do it. What would the script look like?

It should behave like adduser and create everything standard (like std. home dir, skeleton copied, group with the same name)

Edit2: In the end and with your help I found a solution that works and I want to share it. This is a script that I call "adduser-nopasswd" and I put it into /usr/local/sbin (is this a good place?) and it can be executed only by root. It takes one argument, which is the name for the new group and user at the same time:

#!/bin/sh -e
# the -e makes the script exit immediately if one command fails
# usage: adduser-nopasswd NAME (abort with a message if NAME is missing)
NAME=${1:?usage: adduser-nopasswd NAME}
groupadd "$NAME"
useradd --create-home -d "/home/$NAME" --shell /bin/bash -g "$NAME" "$NAME"

Any comments on this function?

user12096
  • Are you looking for someone to make you the whole solution? Creating a user then generating the SSH Key pair and setting it for that user? – sclarson Jul 16 '09 at 13:30
  • As Sparks says, the answers offer you various ways to do it. At this point, you need to explain what you don't understand or show what you've tried to do that failed. – Telemachus Jul 16 '09 at 13:32
  • You don't need to specify the home directory, shell or group name as they are all the default. Using just the command from my answer below (useradd --create-home ) you will achieve exactly the same results as your adduser-nopasswd script on most modern systems. – Mikael Auno Jul 16 '09 at 22:15

6 Answers

16

If you do not specify a password to useradd it won't get set (and the user will thus not be able to log in via password). Note that useradd and adduser are two different commands.

The following should create the new user with its own group, create its home directory (at the default location, as we do not specify any location) and copy skeleton files.

useradd --create-home <user>

Then you just create the directory .ssh in its home directory, chmod it to 0700 (SSH will want this for security), and put the user's public key in .ssh/authorized_keys (the private/public key pair should be generated by the user him-/herself, on his/her own computer).

If you want to disable the password of an already existing account you can use the following.

usermod --lock <user>
Mikael Auno
  • If you have set a user's password, then disabled it by locking it, you can re-enable it using: usermod -U This works on CentOS, consult your usermod man pages to find the appropriate command line option – mj1531 Dec 25 '09 at 01:37
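The key-installation step from the answer above, written out as an added example (not part of the original answer). The function names `install_pubkey` and `provision` are hypothetical; `provision` needs root, and the key file is assumed to hold exactly one OpenSSH public key line.

```shell
#!/bin/sh
# Added example: give a password-less account its SSH public key.

# install_pubkey HOME_DIR PUBKEY_FILE [OWNER]
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600), appends the key
# unless it is already present, and refuses anything that is not a single
# public-key line (for instance a private key supplied by mistake).
install_pubkey() {
    home=$1 keyfile=$2 owner=${3:-}
    [ -d "$home" ] || { echo "no such home: $home" >&2; return 1; }
    [ "$(wc -l < "$keyfile")" -le 1 ] || { echo "expected one key line" >&2; return 1; }
    key=$(cat "$keyfile")
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "not an OpenSSH public key" >&2; return 1 ;;
    esac
    auth=$home/.ssh/authorized_keys
    # The subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077; mkdir -p "$home/.ssh"; touch "$auth" )
    # sshd ignores authorized_keys when these are writable by others.
    chmod 700 "$home/.ssh"
    chmod 600 "$auth"
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    # When root installs the key for another account, hand the files over.
    if [ -n "$owner" ]; then chown -R "$owner:" "$home/.ssh"; fi
}

# provision USER PUBKEY_FILE
# useradd without a password option leaves the account with no usable
# password, so the installed key is the only way to log in remotely.
provision() {
    useradd --create-home "$1" &&
    install_pubkey "$(getent passwd "$1" | cut -d: -f6)" "$2" "$1"
}

# usage (as root): provision alice alice.pub
```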
3

Utility /usr/sbin/useradd always created users for me without requiring passwords. I've written many a script that took another system's /etc/passwd and created users for me.

Alternatively, if you look at the documentation for mercurial-server, you'll see how to set up many SSH keys (clients) to run programs as just one user on the server side.

kmarsh
2
# cat user-pw_list
john:p455W0rD
geany:p455W0rD


# cat CreateUsers.sh
#!/bin/bash
#
# filename: CreateUsers.sh
# usage: cat user-pw_list | $0    (one "user:passwd" entry per line)
#
set -e
# set -x
# user/pass are used instead of USER/PWD, which the shell itself maintains
while IFS= read -r REPLY ; do
  user=${REPLY%%:*}
  # everything after the first colon, so passwords may contain ':'
  pass=${REPLY#*:}
  # alternative for random passwd, where $RANDOM is a bash built-in variable
  #pass=${REPLY%%:*}$RANDOM$RANDOM

  echo "adding User $user"
  # for disabled users: /usr/sbin/nologin, otherwise /bin/bash
  /usr/sbin/useradd -c automaticUser -m -k/dev/null -s /usr/sbin/nologin "$user"
  # chpasswd reads "user:password" lines from stdin and takes no user argument
  echo "$user:$pass" | chpasswd --md5

  ## also add user to samba:
  #echo -e "$pass\n$pass" | pdbedit -t -u "$user"
done

OK, let's add our users:

cat user-pw_list | ./CreateUsers.sh
ThorstenS
1

If you want just builtin commands for generating random passwords, you can try this:

dd if=/dev/urandom bs=16 count=1 2>/dev/null | uuencode - | head -n 2 | grep -v begin | cut -b 2-10

This will read 16 bytes of random data, uuencode them to convert them to printable characters, cut through the uuencode extra output, then only take the random characters from the encoding. Here is an example output:

$ dd if=/dev/urandom bs=16 count=1 2>/dev/null | uuencode - | head -n 2 | grep -v begin | cut -b 2-10

RJ<B6QYRO

Nasko
0

Put a * in the password field in /etc/shadow (this should happen if you don't set a password). This will prevent the user from logging in.

Cian
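A check for the shadow password field discussed in the answer above, as an added example that is not part of the original answer. `shadow_state` and `audit_shadow` are hypothetical helper names; the field meanings follow shadow(5), where `*` or a leading `!` can never match a password while an empty field means no password is required.

```shell
#!/bin/sh
# Added example: report which /etc/shadow-format entries still accept a
# password (or need none at all).

# shadow_state LINE  ->  prints one of: locked | empty | hash
#   locked: field is "*" or starts with "!" (no password can match it)
#   empty : field is blank, so no password is required to authenticate
#   hash  : field holds a usable password hash
shadow_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        '')        echo empty ;;
        '*'|'!'*)  echo locked ;;
        *)         echo hash ;;
    esac
}

# audit_shadow FILE
# Prints "name state" for every account that is not locked, so a clean
# key-only setup produces no output for the accounts created by script.
audit_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        state=$(shadow_state "$line")
        [ "$state" = locked ] || printf '%s %s\n' "${line%%:*}" "$state"
    done < "$1"
}

# usage (as root): audit_shadow /etc/shadow
```

A locked password field does not block SSH key login or sudo su - thatuser, which is the behaviour the question asks for.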
0

I use passook to generate passwords on login servers I maintain. While logging in isn't a requirement in your case, I find when it is, passook generates memorable enough passwords.

John Barrett