
Re: creating new users on debian



On Tue, Feb 01, 2005 at 07:25:12AM -0500, mack wrote:
> On Tue, 1 Feb 2005 11:02:35 +0100, Andreas Rippl <a.rippl@gmx.net> wrote:
> > On Mon, Jan 31, 2005 at 03:46:40PM -0500, mack wrote:
> > > I'm doing research on creating new users on a debian radius server
> > > using a bash script.  I've been looking at adduser and useradd
> > > commands today, but can't seem to figure out how to fit it together.
> > > Adduser is an interactive command and for some reason the useradd
> > > command doesn't seem to be creating users correctly in order to
> > > authenticate.  I've read the man pages on these commands. Any help
> > > would be appreciated.
> > >
> > > Thanks.
> > >
> > > mack
> > >
> > > 
> > Hi Mack,
> > 
> > perhaps a stupid suggestion, but useradd with the -p option enters the
> > unencrypted passwd into /etc/shadow, so authentication can't work.
> > The passwd needs to be supplied to the -p option encrypted.
> > A (non-interactive) way around is to not use -p option and to do
> > a '/usr/bin/passwd $username' in a second step. There is also a
> > Shadow-Password-HOWTO which might have some info on supplying encrypted
> > passwds to -p.
> > 
> > Anyway, the README.Debian under /usr/share/doc/passwd says to use the
> > adduser command...
> > 
> > Now, if you meant that user creation works and you only have problems
> > with the radius configuration, ignore this drivel.
> > 
> > Hth,
> > 
> > Andreas
> > 
>  
> Thank you for your advice and suggestions!!
> 
> I tried the command /usr/bin/passwd $USERNAME like you said, but at the
> command prompt it then goes into interactive mode asking for the new
> password.
> 
> Since I will need to run a non-interactive script to a remote machine
> to set up new user accounts, anything that prompts the sysadmin is no
> good.  We've got a lot of people creating new accounts from our
> call center.  When the new accounts are created in the billing
> software, it makes a remote connection to the radius server.  There
> has to be a script on the radius server that can create a username and
> password.
> 
> On an old RedHat machine the perl script the former admin used worked
> fine.  But the version of passwd on Debian does not allow to use the
> --stdin flag which is necessary for the script to run non-interactive.
> 
> I'm not a perl script writer (yet!), so I'm trying to write just a
> simple bash script to do the same thing.
> 
> So my problem is how to get passwd to work without someone sitting
> there typing in the user's new password.....
> 
> Thanks for any help!!!
> 
> mack
> 
> -- 
> mackines@gmail.com
> 
> 
Hi Mack,

I don't really know how Radius works, but I'll assume for the sake of
cutting down the problem that you want to create a user
non-interactively from the shell. As such, I'll leave it to you to
ensure the security of this approach. As you'll have to run the script
you're planning as root anyway, I guess the following might work:

- create the user with 'useradd' and the options you'd like - but not any
  password.

For the next step you need to install the expect package:

Description: A program that "talks" to other programs
 Expect is a program that "talks" to other interactive programs
 according to a script.  Following the script, Expect knows what
 can be expected from a program and what the correct response
 should be.  An interpreted language provides branching and high-
 level control structures to direct the dialogue.  In addition,
 the user can take control and interact directly when desired,
 afterward returning control to the script.

With this (Tcl-based) scripting language, you can supply data
non-interactively to an interactive program. Useful!!! :)
Also, there is no need to fear, as with the package comes an example
script, 'autoexpect', under /usr/share/doc/expect/examples/autoexpect.
This script lets you specify 'autoexpect /usr/bin/passwd $USERNAME';
then you will be prompted to give the new passwd interactively twice
and as a result you will have a script called script.exp. Now what is
left to do is replace the interactively given passwd with one which you
can supply when calling the expect script, like 
'script.exp newuser newpasswd'; the script I created after playing
around a bit with the input parameters (called e.g. [lrange $argv 1 1] 
here) is the following:

--- 8< ------------------------
#!/usr/bin/expect -f
# Usage: passwd_noninteract.exp username newpasswd
#
set force_conservative 1  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
        set send_slow {1 .1}
        proc send {ignore arg} {
                sleep .1
                exp_send -s -- $arg
        }
}

set timeout -1
spawn passwd [lrange $argv 0 0]
match_max 100000
expect -exact "Enter new UNIX password: "
send -- "[lrange $argv 1 1]\r"
expect -exact "\r
Retype new UNIX password: "
send -- "[lrange $argv 1 1]\r"
expect eof
--- 8< ------------------------

Note that I had to use force_conservative, as otherwise the script runs
too fast. This script can now be called from your shell script for user
creation. I would be happy if people can prove that there is a much
simpler way to create users non-interactively, but anyway, that's what I
came up with.


Good luck

Andreas
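
Added example, not part of the message above: a sketch of the same non-interactive step using chpasswd (from Debian's passwd package), which reads "user:password" records on stdin, so the password is not passed as a command-line argument. The function names are hypothetical, and the validation rules are an assumption about what a script fed by remote billing software should accept.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
LC_ALL=C; export LC_ALL        # make [a-z] ranges byte-exact
NL='
'
CR=$(printf '\r')

# Conservative account names only: [a-z_][a-z0-9_-]*, at most 32 characters.
valid_username() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# chpasswd reads one "user:password" record per line, so a line break inside
# the password would start a second record. CR is rejected too, to be
# conservative. Empty passwords are refused.
valid_password() {
    case "$1" in
        ''|*"$NL"*|*"$CR"*) return 1 ;;
    esac
    return 0
}

# Print the validated record for chpasswd's stdin; non-zero on bad input.
chpasswd_record() {
    valid_username "$1" || { echo "rejected username" >&2; return 1; }
    valid_password "$2" || { echo "rejected password" >&2; return 1; }
    printf '%s:%s\n' "$1" "$2"
}

# Run as root:  create_user newuser < file_or_pipe_with_password
# The password arrives on stdin and leaves through printf, which is a builtin
# in dash and bash, so it does not appear as an argument in ps output.
create_user() {
    IFS= read -r pw || [ -n "$pw" ] || return 1
    record=$(chpasswd_record "$1" "$pw") || return 1
    useradd -m "$1" || return 1
    printf '%s\n' "$record" | chpasswd
}
```
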


