Re: creating new users on debian
On Tue, Feb 01, 2005 at 07:25:12AM -0500, mack wrote:
> On Tue, 1 Feb 2005 11:02:35 +0100, Andreas Rippl <a.rippl@gmx.net> wrote:
> > On Mon, Jan 31, 2005 at 03:46:40PM -0500, mack wrote:
> > > I'm doing research on creating new users on a debian radius server
> > > using a bash script. I've been looking at adduser and useradd
> > > commands today, but can't seem to figure out how to fit it together.
> > > Adduser is an interactive command and for some reason the useradd
> > > command doesn't seem to be creating users correctly in order to
> > > authenticate. I've read the man pages on these commands. Any help
> > > would be appreciated.
> > >
> > > Thanks.
> > >
> > > mack
> > >
> > >
> > Hi Mack,
> >
> > perhaps a stupid suggestion, but useradd with the -p option enters the
> > unencrypted passwd into /etc/shadow, so authentication can't work.
> > The passwd needs to be supplied to the -p option encrypted.
> > A (non-interactive) way around is to not use -p option and to do
> > a '/usr/bin/passwd $username' in a second step. There is also a
> > Shadow-Password-HOWTO which might have some info on supplying encrypted
> > passwds to -p.
> >
> > Anyway, the README.Debian under /usr/share/doc/passwd says to use the
> > adduser command...
> >
> > Now, if you meant that user creation works and you only have problems
> > with the radius configuration, ignore this drivel.
> >
> > Hth,
> >
> > Andreas
> >
>
> Thank you for your advice and suggestions!!
>
> I tried the command /usr/bin/passwd $USERNAME like you said, but at the
> command prompt it then goes into interactive mode asking for the new
> password.
>
> Since I will need to run a non-interactive script to a remote machine
> to set up new user accounts, anything that prompts the sysadmin is no
> good. We've got a lot of people creating new accounts from our
> call center. When the new accounts are created in the billing
> software, it makes a remote connection to the radius server. There
> has to be a script on the radius server that can create a username and
> password.
>
> On an old RedHat machine the perl script the former admin used worked
> fine. But the version of passwd on Debian does not allow to use the
> --stdin flag which is necessary for the script to run non-interactive.
>
> I'm not a perl script writer (yet!), so I'm trying to write just a
> simple bash script to do the same thing.
>
> So my problem is how to get passwd to work without someone sitting
> there typing in the user's new password.....
>
> Thanks for any help!!!
>
> mack
>
> --
> mackines@gmail.com
>
>
Hi Mack,

I don't really know how Radius works, but I'll assume for the sake of
cutting down the problem that you want to create a user
non-interactively from the shell. As such, I'll leave it to you to
ensure the security of this approach. As you'll have to run the script
you're planning as root anyway, I guess the following might work:

- create the user with 'useradd' and the options you'd like - but not any
  password.

For the next step you need to install the expect package:

  Description: A program that "talks" to other programs
   Expect is a program that "talks" to other interactive programs
   according to a script. Following the script, Expect knows what
   can be expected from a program and what the correct response
   should be. An interpreted language provides branching and high-
   level control structures to direct the dialogue. In addition,
   the user can take control and interact directly when desired,
   afterward returning control to the script.

With this (Tcl-based) scripting language, you can supply data
non-interactively to an interactive program. Useful!!! :)

Also, there is no need to fear, as with the package comes an example
script, 'autoexpect', under /usr/share/doc/expect/examples/autoexpect.
This script lets you specify 'autoexpect /usr/bin/passwd $USERNAME';
then you will be prompted to give the new passwd interactively twice
and as a result you will have a script called script.exp. Now what is
left to do is replace the interactively given passwd with one which you
can supply when calling the expect script, like
'script.exp newuser newpasswd'; the script I created after playing
around a bit with the input parameters (called e.g. [lrange $argv 1 1]
here) is the following:

--- 8< ------------------------
#!/usr/bin/expect -f
# Usage: passwd_noninteract.exp username newpasswd
#
set force_conservative 1  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
    set send_slow {1 .1}
    proc send {ignore arg} {
        sleep .1
        exp_send -s -- $arg
    }
}

set timeout -1
spawn passwd [lrange $argv 0 0]
match_max 100000
expect -exact "Enter new UNIX password: "
send -- "[lrange $argv 1 1]\r"
expect -exact "\r
Retype new UNIX password: "
send -- "[lrange $argv 1 1]\r"
expect eof
--- 8< ------------------------

Note that I had to use force_conservative, as otherwise the script runs
too fast. This script can now be called from your shell script for user
creation. I would be happy if people can prove that there is a much
simpler way to create users non-interactively, but anyway, that's what I
came up with.

Good luck
Andreas
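
An alternative to the expect script above, as an added example that is not part of the original message: chpasswd (shipped in Debian's passwd package) reads "user:password" lines on standard input, so the password is neither prompted for nor passed as a command-line argument. The script name mkuser.sh, the username policy and the DRY_RUN variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): set a new account's password with
# chpasswd, which reads "user:password" lines on stdin, so no prompt appears
# and the password never shows up in a process argument list.
# Usage (as root):  printf '%s\n' "$password" | ./mkuser.sh newuser
# mkuser.sh and DRY_RUN are hypothetical names chosen for this example.
LC_ALL=C; export LC_ALL      # make [a-z] mean ASCII letters only
NL='
'
CR=$(printf '\r')

valid_username() {           # conservative policy assumed for this example
    case $1 in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

valid_password() {           # a line break would smuggle in a second record
    case $1 in
        ''|*"$NL"*|*"$CR"*) return 1 ;;
    esac
}

chpasswd_record() {          # prints the single line handed to chpasswd
    valid_username "$1" && valid_password "$2" || return 1
    printf '%s:%s\n' "$1" "$2"
}

create_user() {              # $1 = username, password = first line of stdin
    IFS= read -r cu_pass || [ -n "$cu_pass" ] || return 1
    cu_rec=$(chpasswd_record "$1" "$cu_pass") || {
        echo "rejected username or password" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "dry run: useradd -m $1, then chpasswd for $1"
        return 0
    fi
    useradd -m "$1" || return 3
    # printf is a builtin in bash and dash, so the record is not in ps output
    printf '%s\n' "$cu_rec" | chpasswd || { userdel -r "$1"; return 4; }
}

# Act only when a username is given on the command line.
if [ "$#" -ge 1 ]; then create_user "$1"; fi
```

Setting DRY_RUN=1 exercises the validation without touching /etc/passwd; if chpasswd fails, the half-created account is removed again.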