Linux passwords in scripts

Using the passwd command from within a shell script

I’m writing a shell script to automatically add a new user and update their password. I don’t know how to get passwd to read from the shell script instead of interactively prompting me for the new password. My code is below.

15 Answers 15

from » man 1 passwd «:

So in your case

[Update] a few issues were brought up in the comments:

Your passwd command may not have a —stdin option: use the chpasswd utility instead, as suggested by ashawley.

If you use a shell other than bash, «echo» might not be a builtin command, and the shell will call /bin/echo . This is insecure because the password will show up in the process table and can be seen with tools like ps .

In this case, you should use another scripting language. Here is an example in Perl:

The only solution works on Ubuntu 12.04:

But the second option only works when I change from:

See explanations in original post: Changing password via a script

Nowadays, you can use this command:

Read the wise words from:

Nothing you can do in bash can possibly work. passwd(1) does not read from standard input. This is intentional. It is for your protection. Passwords were never intended to be put into programs, or generated by programs. They were intended to be entered only by the fingers of an actual human being, with a functional brain, and never, ever written down anywhere.

Nonetheless, we get hordes of users asking how they can circumvent 35 years of Unix security.

It goes on to explain how you can set your shadow(5) password properly, and shows you the GNU-I-only-care-about-security-if-it-doesn’t-make-me-think-too-much-way of abusing passwd(1) .

Lastly, if you ARE going to use the silly GNU passwd(1) extension —stdin , do not pass the password putting it on the command line.

The last is the best you can do with GNU passwd . Though I still wouldn’t recommend it.

Putting the password on the command line means anyone with even the remotest hint of access to the box can be monitoring ps or such and steal the password. Even if you think your box is safe; it’s something you should really get in the habit of avoiding at all cost (yes, even the cost of doing a bit more trouble getting the job done).

Источник

How to give password in shell script?

In a shell script file I am using some commands like scp and make install which ask for my password.

I run a shell script to compile a big project, and after some time it asks for my password for using scp . I need to wait for that process and give the password after that.

I just want to do it all by shell script without interaction, so how can I avoid being prompted for the password here?

5 Answers 5

Short answer: DON’T

Use public key authentication for SCP and sudo with NOPASSWD directive for make install

If you can’t use ssh trust and must enter the password later on in your script, use read -s -p «Password:» USER_PASSWORD to silently read in the password. You can then export USER_PASSWORD to an expect script, avoiding it being displayed in ps :

I think it’s a better idea to generate an authentication key, and use this key based authentication instead of writing plain text passwords into your scripts.

No, you won’t find any method to use SSH config files or a command line option to have a password hard coded and I’m sure this is by design.

If you environment makes this difficult, perhaps it would be helpful to know that the script can specify an identity file using the -i argument so you don’t have to have a whole home directory setup or anything like that. There are other options that help use the key authentication that ssh really encourages over password authentication.

If you are using this across several users who you don’t want to be bothered to create keys and copy them to the server, you could script that also. It wouldn’t be hard to check for an existing key and do a quick test to see if you can make a connection with it. If you can’t without a password, then you’d ssh-copy-id to the server asking for the ssh password that one time and at the beginning of the script so very little lag would occur between starting and running the script and it would be only once. You could even setup a separate key for each user for just the script in their own

/.script/key/ directory so that you would discourage users access to the SSH server.

If you want to really restrict what can be done on the remote server by that user, you could use rssh as the shell on the remote account which will limit the user access to transferring files.

Источник

How To Linux Set or Change User Password

Linux Set User Password

Type following passwd command to change your own password:
$ passwd
Sample Outputs:

The user is first prompted for his/her old password if one is present. This password is then encrypted and compared against the stored password. The user has only one chance to enter the correct password. The super user is permitted to bypass this step so that forgotten passwords may be changed. A new password is tested for complexity. As a general guideline, passwords should consist of 10 to 20 characters including one or more from each of following sets:

1. Lower case alphabetics
2. Upper case alphabetics
3. Digits 0 thru 9
4. Punctuation marks/spacial characters

Linux change password for other user account

You need to login as the root user, type the following command to change password for user vivek:
# passwd vivek
OR
$ sudo passwd vivek
Sample putput:

• vivek – is username or account name.

Passwords do not display to the screen when you enter them. For example:

Linux changing user password using passwd

Linux Change Group Password

When the -g option is used, the password for the named group is changed. In this example, change password for group sales:
# passwd -g sales
The current group password is not prompted for. The -r option is used with the -g option to remove the current password from the named group. This allows group access to all members. The -R option is used with the -g option to restrict the named group for all users.

Changing user passwords on Linux

As a Linux system administrator (sysadmin) you can change password for any users on your server. To change a password on behalf of a user:

1. First sign on or “su” or “sudo” to the “root” account on Linux, run: sudo -i
2. Then type, passwd tom to change a password for tom user
3. The system will prompt you to enter a password twice

To change or set a new root (superuser) password type:
$ sudo passwd

Forcing Linux user to change password at their next login

By default, Linux passwords never expire for users. However, we can force users to change their password the next time they log in via GUI or CLI methods. The syntax is straightforward:
$ sudo passwd -e
$ sudo passwd —expire
Let us immediately expire an account’s password:
$ sudo passwd -e marlena
The system will confirm it:

When user try to login via ssh command, they will see the following on screen:

Locking and Unlocking user password of the named account

Note that the following local command does not disable the account. The user may still be able to login using another authentication token, such as an SSH key. To disable the account, administrators should use either usermod —expiredate 1 or sudo passwd —expire command. Also, users with a locked password are not allowed to change their password to get around the security policy set by sysadmin.

We can lock the password as follows:
$ sudo passwd -l
This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ! at the beginning of the password in the /etc/shadow file. Want to unlock the password, try:
$ sudo passwd -u
The above command option re-enables a password by changing the password back to its previous value. In other words, to the value before using the -l option.

• No ads and tracking
• In-depth guides for developers and sysadmins at Opensourceflare✨
• Join my Patreon to support independent content creators and start reading latest guides:
  • How to set up Redis sentinel cluster on Ubuntu or Debian Linux
  • How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
  • How to set up Mariadb Galera cluster on Ubuntu or Debian Linux
  • A podman tutorial for beginners – part I (run Linux containers without Docker and in daemonless mode)
  • How to protect Linux against rogue USB devices using USBGuard

Join Patreon ➔

A note about setting up a secure Linux password

Compromises in password security typically result from careless password selection. Avoid common password such as:

1. Words which appears in a dictionary
2. Your first and last name
3. Pet names
4. Kids or spouses names
5. License number
6. Date of birth (DoB)
7. Home or office address

I strongly recommend that you generate a unique password for all user accounts using your chosen password manager.

Conclusion

The passwd command line utility is used to update or change user’s password. The encrypted password is stored in /etc/shadow file and account information is in /etc/passwd file. To see all user account try grep command or cat command as follows:
$ cat /etc/passwd
$ grep ‘^userNameHere’ /etc/passwd
$ grep ‘^tom’ /etc/passwd
The guidance given in this quick tutorial should work with any Linux distribution, including Alpine, Arch, Ubuntu, Debian, RHEL, Fedora, Oracle CentOS, SUSE/OpenSUSE and other popular Linux distros.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via

Источник

How to automatically add user account AND password with a Bash script?

I need to have the ability to create user accounts on my Linux (Fedora 10) and automatically assign a password via a bash script(or otherwise, if need be).

It’s easy to create the user via Bash e.g.:

Is it possible to assign a password in Bash, something functionally similar to this, but automatically:

19 Answers 19

You could also use chpasswd:

so, you change password for user username to new_password .

You can run the passwd command and send it piped input. So, do something like:

I was asking myself the same thing, and didn’t want to rely on a Python script.

This is the line to add a user with a defined password in one bash line:

-s /bin/bash , -m Crates home directory, -s specifies users defualt shell, substitute password and user for your needs.

The code below worked in Ubuntu 14.04. Try before you use it in other versions/linux variants.

I liked Tralemonkey’s approach of echo thePassword | passwd theUsername —stdin though it didn’t quite work for me as written. This however worked for me.

-e is to recognize \n as new line.

sudo is root access for Ubuntu.

The double quotes are to recognize $ and expand the variables.

The above command passes the password and a new line, two times, to passwd , which is what passwd requires.

If not using variables, I think this probably works.

Single quotes should suffice here.

The following works for me and tested on Ubuntu 14.04. It is a one liner that does not require any user input.

Taken from @Tralemonkey

Single liner to create a sudo user with home directory and password.

You can use the -p option.

Unfortunately, this does require you to hash the password yourself (where passwd does that for you). Unfortunately, there does not seem to be a standard utility to hash some data so you’ll have to write that yourself.

Here’s a little Python script I whipped up to do the encryption for you. Assuming you called it pcrypt, you would then write your above command line to:

A couple of warnings to be aware of.

1. While pcrypt is running, the plaintext will be visible to any user via the ps command.
2. pcrypt uses the old style crypt function — if you are using something more moderns like an MD5 hash, you’ll need to change pcrypt.

Источник

How to get a password from a shell script without echoing

I have a script that automates a process that needs access to a password protected system. The system is accessed via a command-line program that accepts the user password as an argument.

I would like to prompt the user to type in their password, assign it to a shell variable, and then use that variable to construct the command line of the accessing program (which will of course produce stream output that I will process).

I am a reasonably competent shell programmer in Bourne/Bash, but I don’t know how to accept the user input without having it echo to the terminal (or maybe having it echoed using ‘*’ characters).

Can anyone help with this?

10 Answers 10

Here is another way to do it:

The read -s will turn off echo for you. Just replace the echo on the last line with the command you want to run.

A POSIX compliant answer. Notice the use of /bin/sh instead of /bin/bash . (It does work with bash, but it does not require bash.)

Under Linux (and cygwin) this form works in bash and sh. It may not be standard Unix sh, though.

For more info and options, in bash, type «help read».

The -s option of read is not defined in the POSIX standard. See http://pubs.opengroup.org/onlinepubs/9699919799/utilities/read.html. I wanted something that would work for any POSIX shell, so I wrote a little function that uses stty to disable echo.

This function behaves quite similar to the read command. Here is a simple usage of read followed by similar usage of read_secret . The input to read_secret appears empty because it was not echoed to the terminal.

Here is another that uses the -r option to preserve the backslashes in the input. This works because the read_secret function defined above passes all arguments it receives to the read command.

Finally, here is an example that shows how to use the read_secret function to read a password in a POSIX compliant manner.

I found to be the the askpass command useful

Every input character is replaced by *. See: Give a password ****

Turn echo off using stty , then back on again after.

You can also prompt for a password without setting a variable in the current shell by doing something like this:

You can add several of these prompted values with line break, doing this:

For anyone needing to prompt for a password, you may be interested in using encpass.sh. This is a script I wrote for similar purposes of capturing a secret at runtime and then encrypting it for subsequent occasions. Subsequent runs do not prompt for the password as it will just use the encrypted value from disk.

It stores the encrypted passwords in a hidden folder under the user’s home directory or in a custom folder that you can define through the environment variable ENCPASS_HOME_DIR. It is designed to be POSIX compliant and has an MIT License, so it can be used even in corporate enterprise environments. My company, Plyint LLC, maintains the script and occasionally releases updates. Pull requests are also welcome, if you find an issue. 🙂

Источник