Using the passwd command from within a shell script
I’m writing a shell script to automatically add a new user and update their password. I don’t know how to get passwd to read from the shell script instead of interactively prompting me for the new password. My code is below.
15 Answers 15
--stdin This option is used to indicate that passwd should read the new password from standard input, which can be a pipe. adduser "$1" echo "$2" | passwd "$1" --stdin [Update] a few issues were brought up in the comments:
Your passwd command may not have a —stdin option: use the chpasswd utility instead, as suggested by ashawley.
If you use a shell other than bash, «echo» might not be a builtin command, and the shell will call /bin/echo . This is insecure because the password will show up in the process table and can be seen with tools like ps .
In this case, you should use another scripting language. Here is an example in Perl:
#!/usr/bin/perl -w open my $pipe, '|chpasswd' or die "can't open pipe: $!"; print "$username:$password"; close $pipe You should quote your parameter expansions. Moreover; this is in no way shape or form portable or even recommended in the slightest. See my reply for some more information on the topic.
Please don’t use echo . | password! The password will then be visible to any other users who run ps. And the more places you pass the password through (different programs, files, pipes, etc), the higher the chances are that it will leak out somewhere.
@lhunath: you are right about the quoting, I’ll fix that. @Brian: «echo» is a bash builtin, it will not show up in ‘ps’ output (at least in bash, not sure about sh)
@glennjackman please note that here strings implicitly create temporary files that may be readable by outside sources.
The only solution works on Ubuntu 12.04:
echo -e "new_password\nnew_password" | (passwd user) But the second option only works when I change from:
echo "password:name" | chpasswd echo "user:password" | chpasswd See explanations in original post: Changing password via a script
What if the password contains a «\n» in the first case? There is a way to handle this? Such as my@secret\npasword123
Similar to the first but automatically repeats the password. Also, use sudo otherwise it will ask for current password first and mess this up. echo password | sed ‘s/.*/\0\n\0/’ | sudo passwd -q $USER 2> /dev/null
Nowadays, you can use this command:
For some reason I received the following error when trying your command: «Authentication token manipulation error». Adding sudo before chpasswd fixed this for me.
@LaurentVanWinckel — chpasswd only works with sudo / root rights. Therefore, to execute it as an user other than root , that user has to be in the sudo group: echo ‘user:pass’ | sudo chpasswd . When executing this one-liner on a prompt, make sure to prepend it with an additional space. Otherwise the command including the sensitive password will likely be written to the user’s prompt history file, e.g. ~/.bash_history .
Nothing you can do in bash can possibly work. passwd(1) does not read from standard input. This is intentional. It is for your protection. Passwords were never intended to be put into programs, or generated by programs. They were intended to be entered only by the fingers of an actual human being, with a functional brain, and never, ever written down anywhere.
Nonetheless, we get hordes of users asking how they can circumvent 35 years of Unix security.
It goes on to explain how you can set your shadow(5) password properly, and shows you the GNU-I-only-care-about-security-if-it-doesn’t-make-me-think-too-much-way of abusing passwd(1) .
Lastly, if you ARE going to use the silly GNU passwd(1) extension —stdin , do not pass the password putting it on the command line.
echo $mypassword | passwd --stdin # Eternal Sin. echo "$mypassword" | passwd --stdin # Eternal Sin, but at least you remembered to quote your PE. passwd --stdin The last is the best you can do with GNU passwd . Though I still wouldn't recommend it.
Putting the password on the command line means anyone with even the remotest hint of access to the box can be monitoring ps or such and steal the password. Even if you think your box is safe; it's something you should really get in the habit of avoiding at all cost (yes, even the cost of doing a bit more trouble getting the job done).
How to create a new username and password in Bash script?
I am trying to create a script where it adds a new user and password and also checks to see if that user and password already exist, while running in Root. So, my script is running and working just fine. It only runs in the root and it correctly checks to see if a username is already being used. But, I cannot seem to add a new user and password. The following is my whole script:
#!/bin/bash #Creating a script that creates a new user ROOT_UID=0 #Root has $UID 0 SUCCESS=0 E_USEREXISTS=70 E_NOTROOT=65 #Not root #Run as root, and this checks to see if the creater is in root. If not, will not run if [ "$UID" -ne "$ROOT_UID" ]; then echo "Sorry must be in root to run this script" exit $E_NOTROOT fi if [ $# -eq 2 ]; then username=$1 pass=$2 grep -q "$username" /etc/passwd if [ $? -eq $SUCCESS ]; then echo "User $username already exists" echo "Please choose another username" exit $E_USEREXISTS fi echo $pass | passwd $username --stdin echo "the account is setup" else echo "this program needs 2 arguments and you have given $#" echo "you have to call the script $0 username and the pass" fi exit 0 And I am not getting a straight up error, but here is an example of what is happening: I try to add someone (username then password):
[root@localhost Documents]# ./Script dkong 123bif passwd: Unknown user name 'dkong' the account is setup Could someone help direct me? I want it to create a new username and password and I am not understanding why it is not. It has been a while since I have used scripts so I am sorry if the answer is obvious! Just need a little direction. Thank you in advance!
Write script to create multiple users with pre-defined passwords
The problem is, it does not fill the passwords. And 1 more thing, I want the script to fill the passwords twice. Any suggestions?
5 Answers 5
You have to supply the password on stdin. Replace:
or, as suggested by mklement0:
(The script reads these passwords from a plain text file. I will assume that your situation is some special case for which this is not as dangerous as it normally would be.)
Thank you. I tried and I get this error Enter new UNIX password: Retype new UNIX password: Sorry, passwords do not match passwd: Authentication token manipulation error passwd: password unchanged
@BabaMok: That suggests that you haven't entered the here-string correctly; perhaps try on a single line with passwd "$iuser"
Thank you so much both of you. It works! I changed from passwd $iuser to passwd "$iuser"
John1024's answer is the correct one - his warning about reading passwords from plain-text files bears repeating.
Let me show the solution in context, without the file-descriptor acrobatics ( exec 3< , . ):
#!/bin/bash # NOTE: Be sure to run this script with `sudo`. # Read user and password while read iuser ipasswd; do # Just print this for debugging. printf "\tCreating user: %s with password: %s\n" $iuser $ipasswd # Create the user with adduser (you can add whichever option you like). useradd -m -s /bin/false $iuser # Assign the password to the user. # Password is passed via stdin, *twice* (for confirmation). passwd $iuser - paste users.txt passwords.txt reads corresponding lines from the two files and puts them on a single line, separated with \t .
- The result is piped to stdin via a process substitution ( <(. ) ).
- This allows read to read from a single source.
- $\n is an ANSI C-quoted string that produces a (literal) newline.
How to set user passwords using passwd without a prompt?
I am writing a script to add a large amount of users to a system. Part of this involves setting default passwords for each user. How can I set users' passwords without it prompting me for the password up front? Unfortunately passwd doesn't seem to take an argument stating the new password to set. I'm using Ubuntu 11.10.
8 Answers 8
usermod --password PASSWORD USERNAME The only thing is this needs a pre-encrypted password string which you'd have to generate first.
In order to generate the encrypted password you can use openssl . For example:
usermod --password $(echo MY_NEW_PASSWORD | openssl passwd -1 -stdin) USERNAME You can also use openssl to generate the encrypted password. For example: usermod --password $(echo my_new_password | openssl passwd -1 -stdin) USERNAME
Three years too late. I couldn't make the answer @EricSmith, but I did discover a simpler version of the command that did work: usermod --password $(openssl passwd -1 )
Always a good idea to put the PASSWORD in single quotes since it may contains one or more $1 , $2 . which you don't want to be substitued (i.e. for nothing, falsifying the hash). usermod --password '$HASH' $_user
You should look at the chpasswd command (if available in your linux flavor):
echo 'userid:newpasswd' | chpasswd Or, you can cat a file listing userid:passwd for each account on a separate line.
chpasswd is the obvious answer, but it has a major flaw: the OP wants to write a script, so the plaintext passwords will be stored on disk. If you're on an SSD there is no reliable way to delete the script after use. Worse, if you change the script you'll probably leave previous versions on the SSD.
Inspired by Eric Smith's idea, combining openssl passwd and usermod -p command worked. Generate hashed value of password along with salt value.
$ openssl passwd -1 -salt 5RPVAd clear-text-passwd43 $1$5RPVAd$vgsoSANybLDepv2ETcUH7. Then, copy the encrypted string to usermod. Make sure to wrap it with single quote.
$ usermod -p '$1$5RPVAd$vgsoSANybLDepv2ETcUH7.' root Check it out in shadow file.
$ grep root /etc/shadow root:$1$5RPVAd$vgsoSANybLDepv2ETcUH7.:17774:0:99999:7. echo -e "NEW_PASSWORD\nNEW_PASSWORD" | passwd username Here is a good solution, just one line:
useradd -p $(openssl passwd -1 "$pass") "$user" I can add others parameters like -m to create the home directoty, etc.
You should use password aging, and set the users so that they must change their password on the first login. See this article.
(echo user; echo password) | passwd works for me both in physical host and container, for various OSes (ubuntu xenial,bionic, debian9,10, centos75,76, coreos)
echo user:password | chpasswd works for some OSes, but some OS such as debian9,10 will show an error can not connect to /var/run/nscd/socket since it use /etc/nsswitch.conf to determine where it store the password.
I'm looking to do this myself and to keep it from being something that can be intercepted either via ps (which could be overcome with changing /proc , but that's invasive). For me, it looks like the best way to do this will be using a tmpfs created in ram and hold all the info there as root only, chmod 600 files.
mkdir /mnt/tmp mount -o size=10M -t tmpfs none /mnt/tmp Use the chpass /mnt/tmp/pass command as others suggested
this 50 reputation to answer things annoys me greatly.