Eve Atley wrote:
We have SSH running on our Linux Redhat 9 server. I set up new users to dump
them upon initial login to a common directory using the following command:
        useradd -M -d /home/shared username -p password
        passwd username (for some reason, -p password doesn't work?)

-p password is expecting the ENCRYPTED password (as you see it in /etc/shadow), not the cleartext password...

In other words:
  useradd -p hello_there brickie
is going to create a user brickie with an unknown password.

You need a program to produce an encrypted password (either in
crypt form (8-character limit) or the md5-sum format (roughly unlimited)).


If you have grub on your system, grub-md5-crypt will read a password (twice) and then produce an encrypted version of it. Unfortunately, it also generates a good bit of other output. The following, however, seems to work OK:

 ( echo hello_there ; usleep 50000 ; echo hello_there) |
     grub-md5-crypt 2> /dev/null | tail -1

(the above is all on one line)

It essentially throws out all the errors on stderr, and only saves
the last line of output on stdout.

The result is now usable as a -p parameter for useradd.

useradd -p ` ( echo hello_there ; usleep 50000 ; echo hello_there) |
     grub-md5-crypt 2> /dev/null | tail -1  ` brickie

if you want to put that script into a file:

% cat bin/pwcrypt
#!/bin/bash
# Read the cleartext from stdin (never from argv, which shows up in ps).
read -r line
[ -n "$line" ] || { echo "$0: Password missing" >&2 ; exit 1 ; }
# grub-md5-crypt prompts for the password twice: feed it both copies,
# discard its prompts on stderr and keep only the hash on stdout.
( echo "$line" ; usleep 50000 ; echo "$line" ) |
        grub-md5-crypt 2> /dev/null | tail -1


% useradd -p `echo my new password | pwcrypt` brickie2

Would then create the user brickie2 with the password "my new password"

I also have a perl script that produces the old 'crypt' form
output -- but if you can use the md5sum format, I strongly
recommend it. Somebody has already done up a dictionary attack on
the 2 billion most likely 8 character passwords.

The reason why passwd will NOT accept cleartext passwords
on the command line is that (however short the command runs),
command parameters are visible in the output of 'ps'.
If a not-nice user sees the useradd command when he is
doing a random 'ps' (or it shows up in the output of 'top'),
a cleartext password on the command line would then give
random users the password for the new user (bad!).

This is why I'm still not accepting a commandline password
for pwcrypt. Somebody might see it and realize what it's
likely to be used for. This way it only shows up as a
parameter on an echo command (which is usually a shell
builtin). This is basically security by obscurity, but
it's the best you can hope for if you INSIST on being
able to specify the password on the commandline.


-- 
Stephen Samuel +1(604)876-0426 [EMAIL PROTECTED] http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs

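The message above relies on grub-md5-crypt to turn a cleartext password into the "$1$salt$hash" form that useradd -p and /etc/shadow expect, and reads the cleartext from stdin so that it never appears in ps output. The following is an added example, not code from the post or from the grub or shadow projects: a stand-alone pwcrypt.py that implements the same MD5-crypt algorithm (the "$1$" scheme of crypt(3), which grub-md5-crypt also produces) directly with hashlib, picks a random salt from a CSPRNG, reads the password from stdin, and can also verify a cleartext against an existing hash. The function names md5_crypt, make_salt, pwcrypt and check_password, and the 8-character salt length, are this example's own choices.

```python
#!/usr/bin/env python3
"""pwcrypt.py: read a cleartext password on stdin, print "$1$salt$hash".

Added example (not from the original post). The md5_crypt() routine is a
from-scratch implementation of the crypt(3) "$1$" algorithm for
illustration; on a modern system prefer sha512-crypt ("$6$").
"""
import hashlib
import hmac
import secrets
import sys

# crypt(3) base64 alphabet: "./" then digits, then upper, then lower.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> str:
    """Encode the low 6*n bits of value, least-significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(chr(ITOA64[value & 0x3F]))
        value >>= 6
    return "".join(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return "$1$<salt>$<22 chars>" for password and salt (salt: up to 8 bytes)."""
    magic = b"$1$"
    salt = salt[:8]
    # Main context: password, magic, salt.
    ctx = hashlib.md5(password + magic + salt)
    # Alternate sum md5(pw + salt + pw), mixed in once per 16 bytes of pw.
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    # One byte per bit of len(pw): NUL for a 1 bit, first pw byte for a 0 bit.
    i = len(password)
    while i > 0:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of deliberate slowdown (key stretching).
    for i in range(1000):
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    # Output: the 16 digest bytes permuted in triples (4 chars each) plus a tail.
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples
    )
    enc += _to64(final[11], 2)
    return "$1$%s$%s" % (salt.decode("ascii"), enc)


def make_salt(n: int = 8) -> str:
    """Random salt from the crypt alphabet, drawn from the OS CSPRNG."""
    return "".join(chr(secrets.choice(ITOA64)) for _ in range(n))


def pwcrypt(cleartext: str, salt: str = "") -> str:
    """Hash a cleartext password; a fresh random salt is used unless one is given."""
    if not cleartext:
        raise ValueError("password missing")
    if not salt:
        salt = make_salt()
    return md5_crypt(cleartext.encode("utf-8"), salt.encode("ascii"))


def check_password(cleartext: str, hashed: str) -> bool:
    """Verify a cleartext against an existing "$1$salt$hash" string."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    candidate = md5_crypt(cleartext.encode("utf-8"), parts[2].encode("ascii"))
    return hmac.compare_digest(candidate, hashed)


def main() -> int:
    # The password comes from stdin (pipe, file or tty), never from argv:
    # argv is readable by every local user via ps and /proc/<pid>/cmdline.
    line = sys.stdin.readline().rstrip("\r\n")
    if not line:
        sys.stderr.write("%s: password missing\n" % sys.argv[0])
        return 1
    print(pwcrypt(line))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Use it the same way the post uses pwcrypt, keeping the cleartext out of argv: `useradd -p "$(./pwcrypt.py < /tmp/newpw)" brickie` (with /tmp/newpw created mode 0600 and removed afterwards), or `read -rs pw; useradd -p "$(printf '%s\n' "$pw" | ./pwcrypt.py)" brickie`. To confirm the implementation against the system library, compare `pwcrypt("hello_there", "abcdefgh")` with `openssl passwd -1 -salt abcdefgh -stdin <<< hello_there`; the two must agree byte for byte. MD5-crypt is salted but cheap to brute-force on current hardware, so where the target system supports it, generate a "$6$" hash with `openssl passwd -6` instead.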