Passing Secrets When Adding Users in GNU/Linux

For those running multi-user GNU/Linux instances not bound to a network identity management tool, there are a number of ways to provision local user accounts. As we're a fan of automating repetitive tasks such as the aforementioned, we'll examine how to handle silent password creation when adding users via a shell script.

When creating a user account, we need, at a minimum, a username and password. Here's a function to probe for a password:

get_password () { 

  while true
  
  do      
    read -r -s -p "Enter password to add and press [Enter]: " pass1 
    printf "\\n" 
    read -r -s -p "Re-enter password to add and press [Enter]: " pass2 
    printf "\\n" 

    if [[ "$pass1" != "$pass2" ]]; then 
      printf "%s\n" "ERROR: Passwords do no match."
    else 
      printf "%s\n" "Passwords match. Continuing..."
      break
    fi 
  done
} 

In this snippet, we use a while loop to prompt for a password twice, then check that both user-provided inputs match. Note the read flags: -r (to prevent the \ character from acting as an escape character; -s (to pass input silently, i.e. not print the password to standard output), and -p (to display the prompt).

Having quietly retrieved the password, we next need to create the user account, and then silently set a password for the same. Here's a function for doing so:

set_password_linux() { 

  printf "%s\\n" "Setting password..." 

  printf "%s" "$username:$pass2" | chpasswd 
}

We use the printf command with the stored variables for the username and password, then pipe (|) that information to the chpasswd command. In this way, we've securely obtained and pushed out a password that never appears on screen.

For the full-monty, see here.

Cheers.