Passing Secrets When Adding Users in GNU/Linux
For those running multi-user GNU/Linux instances not bound to a network identity management tool, there are a number of ways to provision local user accounts. As we're a fan of automating repetitive tasks such as the aforementioned, we'll examine how to handle silent password creation when adding users via a shell script.
When creating a user account, we need, at a minimum, a username and password. Here's a function to probe for a password:
get_password () {
while true
do
read -r -s -p "Enter password to add and press [Enter]: " pass1
printf "\\n"
read -r -s -p "Re-enter password to add and press [Enter]: " pass2
printf "\\n"
if [[ "$pass1" != "$pass2" ]]; then
printf "%s\n" "ERROR: Passwords do no match."
else
printf "%s\n" "Passwords match. Continuing..."
break
fi
done
}
In this snippet, we use a while loop to prompt for a password twice, then check that both user-provided inputs match. Note the read
flags: -r
(to prevent the \
character from acting as an escape character; -s
(to pass input silently, i.e. not print the password to standard output), and -p
(to display the prompt).
Having quietly retrieved the password, we next need to create the user account, and then silently set a password for the same. Here's a function for doing so:
set_password_linux() {
printf "%s\\n" "Setting password..."
printf "%s" "$username:$pass2" | chpasswd
}
We use the printf
command with the stored variables for the username and password, then pipe (|
) that information to the chpasswd
command. In this way, we've securely obtained and pushed out a password that never appears on screen.
For the full-monty, see here.
Cheers.