Changing a user's password inside a script
Posted by Steve on Mon 30 May 2011 at 15:05
In an ideal world you'd never need to change the password associated with a user account without using passwd, but there are times when it is helpful to script such things.
Naive attempts to automate the use of passwd will fail, so the standard advice has always been to use a tool like expect to interactively call the passwd binary.
But there is a more sensible alternative: use the usermod command to change the password.
Assume you have a user account called guest on your system and you wish to set the user's password to openaccess. You can do this by running:
# hash=$(echo openaccess | openssl passwd -1 -stdin)
# usermod --pass="$hash" guest
If you wish, you can combine that into a single line:
# usermod -p "$(echo openaccess | openssl passwd -1 -stdin)" guest
If a local user can see the commands you're running in the output of "ps", "top", or similar then this is insecure - but if you generate the hash remotely you should probably be safe enough.
Good tip, thanks. I'd never seen that used before - and I agree it is better than the approach presented here.
[ Parent | Reply to this comment ]
Showing the password in a "ps" or storing it in the shell history file is a security no-no. To avoid this, and to also avoid showing the password in the screen:
echo "user:$(stty -echo; read -r pass; stty echo; echo "$pass")" | chpasswd
unset pass
-- haralder
[ Parent | Reply to this comment ]
read -r -p user: -s pass
echo "user:$pass" | chpasswd
unset pass
The -s tells read to do the no-echo part, and -p does the echo for you, helpfully doing it to stderr with a flush before reading input, and only if stdin is a tty (making automation of your script by something else nicer).
Since echo is a shell built-in, you don't need to worry about it showing up in ps listings generally.
[ Parent | Reply to this comment ]
echo "PlainTextPassword" | perl -nle 'print crypt($_, "\$1\$".join "", (".", "/", 0..9, "A".."Z", "a".."z")[rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64, rand 64]);'
[ Parent | Reply to this comment ]
Clearly that only works if you're using Perl..
[ Parent | Reply to this comment ]
echo "user:unencrypted_pass" | chpasswd
[ Parent | Reply to this comment ]
skx@birthday:~$ passwd --stdin skx
passwd: unrecognized option '--stdin'
Usage: passwd [options] [LOGIN]
(That is using Wheezy.)
[ Parent | Reply to this comment ]
oldpass
newpass
newpass
EOF
works for me on squeeze
[ Parent | Reply to this comment ]
echo -e "$password\n$password" | passwd $username
[ Parent | Reply to this comment ]
echo -e "$oldPassword\n$newPassword\n$newPassword" | passwd
...sorry for double posting ;)
[ Parent | Reply to this comment ]
where {VALUE} is what is expected from you and RANDOM_STRING is your encryption string to use to encrypt PASSWORD
[ Parent | Reply to this comment ]
echo username:password | chpasswd
This will change password for user `username' to `password'
-- Makc
[ Parent | Reply to this comment ]
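Several comments above pipe a user:password record into chpasswd so that the password stays out of "ps" output. The function below is an added example (not code from the article or from any commenter) that wraps that approach and rejects input that would alter the record; the function name set_password, the CHPASSWD override and the user-name pattern are assumptions.

```shell
# Added example. Assumed names: set_password, and CHPASSWD, an override
# for the command that receives the record (defaults to the real chpasswd).
# Usage: printf '%s\n' "$newpass" | set_password guest
set_password() (
    user=$1
    # chpasswd reads "user:password" records, one per line. A ':' or newline
    # in the user name would change which account the record names, so only
    # a conservative character set is accepted (assumption: local policy).
    case $user in
        ''|-*|*[!a-z0-9_-]*)
            echo "set_password: invalid user name" >&2; exit 2 ;;
    esac

    if [ -t 0 ]; then
        # Interactive: prompt on stderr, no terminal echo while typing.
        printf 'New password for %s: ' "$user" >&2
        stty -echo; IFS= read -r pass || :; stty echo
        echo >&2
    else
        # Scripted: the password is the first line of stdin.
        IFS= read -r pass || :
        # Further input would reach chpasswd as additional records.
        if IFS= read -r extra || [ -n "$extra" ]; then
            echo "set_password: password must be a single line" >&2; exit 2
        fi
    fi
    [ -n "$pass" ] || { echo "set_password: empty password" >&2; exit 2; }

    # printf is a builtin in bash and dash, so the plaintext is never in
    # the argument list of any process that ps or top could display.
    printf '%s:%s\n' "$user" "$pass" | ${CHPASSWD:-chpasswd}
)
```

Setting CHPASSWD=cat prints the record instead of applying it, which allows a dry run without root.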