I have been asked to create a large list of users on a large number of
Solaris 10 servers. They are normal local users, no NIS or LDAP or
anything like that.

I can create a script to run useradd - but is there a way to set the
password for each user (just defaulting to the username would be fine
as an initial password) without having to run passwd interactively?

On 17 Feb., 16:24, neilsolent <n...@solenttechnology.co.uk> wrote:
> I have been asked to create a large list of users on a large number of
> Solaris 10 servers. They are normal local users, no NIS or LDAP or
> anything like that.
>
> I can create a script to run useradd - but is there a way to set the
> password for each user (just defaulting to the username would be fine
> as an initial password) without having to run passwd interactively?

You could always create the users and then add a line to /etc/shadow
for each user. You would have to encode the password, IIRC.

In article 
<de4add6e-7157-4d4d-bcc6-94b7c7aca312@h5g2000yqh.googlegroups.com>,
 neilsolent <n@solenttechnology.co.uk> wrote:

> I have been asked to create a large list of users on a large number of
> Solaris 10 servers. They are normal local users, no NIS or LDAP or
> anything like that.
> 
> I can create a script to run useradd - but is there a way to set the
> password for each user (just defaulting to the username would be fine
> as an initial password) without having to run passwd interactively?

passwd (used to set the user's password) was explicitly written to only 
take input from the terminal device to prevent hacking.  So common 
things like redirecting stdin won't work in scripting.  You can use 
expect

http://expect.nist.gov/

which comes with a script to set passwords from the command line.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically by ignored]

Solaris doesn't have an interactive password setter that'll take
the password from the command line (that I know of).

It is easy to write a small PAM ap that you could put in your script...

  a.out userid password

In general, putting clear text passwords on the command line is bad,
so I guess the solaris folks don't want to give you such a gun for
fear you'll shoot off your foot...

-Mike

neilsolent <n@solenttechnology.co.uk> writes:
>I have been asked to create a large list of users on a large number of
>Solaris 10 servers. They are normal local users, no NIS or LDAP or
>anything like that.

>I can create a script to run useradd - but is there a way to set the
>password for each user (just defaulting to the username would be fine
>as an initial password) without having to run passwd interactively?

autopasswd out of the expect package. 

Its located in /usr/demo/expect/autopasswd on an OpenSolaris box. 

Or write your own /etc/passwd file manipulation in
perl/yourfavorite/scripting lang and do what you need to.

Thanks for the feedback everyone.
I've gone for this in the end:

passwd -df <username>

- so no password, and prompt for password on first logon. This can be
run non-interactively and is no less secure really than setting
password=username !

Not ideal, but hey!
If I start setting random passwords for everyone, then Ive got the
issue of securely communicating them with the end users.

neilsolent wrote:
> I have been asked to create a large list of users on a large number of
> Solaris 10 servers. They are normal local users, no NIS or LDAP or
> anything like that.
> 
> I can create a script to run useradd - but is there a way to set the
> password for each user (just defaulting to the username would be fine
> as an initial password) without having to run passwd interactively?
> 

You need to install extra tools.  One is expect, which can
automate the passwd program as others have mentioned.

You can also install apg or pwgen to generate reasonably strong
passwords (apg meets NIST standards).  These can be encrypted
using openssl or some similar package---I'm not sure but I
think Solaris has a native/trusted utility that can do this.

Finally you need a way to put the password into the shadow
file.  As root you can script sed or ed to add the password
to shadow.  Note there is an advisory lock file you can
use when editing that file, but I suggest you make a copy,
set the lock, edit only your copy, then when done replace
/etc/shadow with the copy (and release the lock).

The generated usernames and passwords can be sent as email
(which can use gpg to encrypt) or printed and hand delivered,
or sent as paper mail (p-mail?) to the recipients.  Even
unprotected email may be safe enough if the email never leaves
your internal mail server.

I have a script I use for Linux (which makes it easier/safer
to set the password using the Linux useradd -p option).  I use
this script to create student accounts for many classes at
once.  If you promise no snide remarks on my scripting ability
(or lack thereof) I would be happy to post it here.  Perhaps
it can serve as a starting point for you.

For an easier and more secure system, why not use ssh key
access instead?  That should be easier to automate.

-Wayne

> I have a script I use for Linux (which makes it easier/safer
> to set the password using the Linux useradd -p option). =A0I use
> this script to create student accounts for many classes at
> once. =A0If you promise no snide remarks on my scripting ability
> (or lack thereof) I would be happy to post it here. =A0Perhaps
> it can serve as a starting point for you.

Thanks for your post. I was really just after a quick fix - management
need a task done NOW, so I went with "passwd -df <userid>"
Yes please post the script for future reference. I would never make
snide remarks when people are helping for free.

> For an easier and more secure system, why not use ssh key
> access instead? =A0That should be easier to automate.

Yes, good idea. However no time to get and set those up across the
estate at the moment. Maybe next time :-(

neilsolent wrote:
>> I have a script I use for Linux (which makes it easier/safer
>> to set the password using the Linux useradd -p option).  I use
>> this script to create student accounts for many classes at
>> once.  If you promise no snide remarks on my scripting ability
>> (or lack thereof) I would be happy to post it here.  Perhaps
>> it can serve as a starting point for you.
> 
> Thanks for your post. I was really just after a quick fix - management
> need a task done NOW, so I went with "passwd -df <userid>"
> Yes please post the script for future reference. I would never make
> snide remarks when people are helping for free.
> 
>> For an easier and more secure system, why not use ssh key
>> access instead?  That should be easier to automate.
> 
> Yes, good idea. However no time to get and set those up across the
> estate at the moment. Maybe next time :-(

Here is my "add-users" Linux/bash script, for whatever it is worth.
(Constructive comments and improvement suggestions always welcome.)

-Wayne

#!/bin/bash -
# Script to add many student accounts at once.  This is the
# Fedora version.  Run as root only.
# See also the "disable-user" script to disable accounts before
# permanently removing them with 'remove-user'.
# TODO: currently invalid inputs abort program.  This should be
# changed to a loop to try 'n' times (say 3) before aborting.
#
#  $Id: add-users,v 1.6 2009/02/20 18:31:53 wayne Exp $
#
# Originally written 2002 by Wayne _____________.

PATH=/bin:/sbin:/usr/bin:/usr/sbin

PROG=${0##*/}
HOST=$(uname -n)
INSTRUCTOR=""
CREATE_ADDITIONAL_GRP="n"
ADD_INST_TO_ADDITIONAL_GRP="n"
ADD_INST_TO_STUTENT_GRPS="n"

md5crypt()
{
    echo "$1" |openssl passwd -1 -stdin
}

# A fancy separator line with optional centered title,
# of 68 characters ("-") wide.

drawLine()
{
    local num line title
    title="$1"
    let "num = ( 68 - ${#title} ) / 2"
    line=$(perl -e "print \"-\" x $num;")
    echo
    echo -n "$line"
    [ "$1" ] && echo -n " $1 "
    echo "$line"
    echo
}

getInst()
{
    local CURR_USER instructor

    if [ -x /usr/bin/logname ]
    then CURR_USER=`logname`
    else CURR_USER=`id -run`
    fi
    echo "What is your account name (default: $CURR_USER)? " >/dev/tty
    read instructor
    if [ "$instructor" = "" ]
    then instructor=$CURR_USER
    fi
    if ! grep -e "^$instructor:" /etc/passwd >/dev/null 2>&1
    then
        echo "No user account \"$instructor\" found!" >&2
        echo "Exiting..." >&2
        exit 2
    fi
    echo "$instructor"
}

if [ "`id -u`" != "0" ]
then echo "You must be root to run this script.  (Try \"sudo $PROG\".)"
    exit 1
fi

drawLine "Class Account Creation Wizard"

echo
cat <<EOF
Created accounts have the form <prefix><number>
(e.g. "rab01", "rab02", ...

Enter class prefix(es) (e.g.: ua ub uc)
EOF
echo -n "A good choice is the first few letters of"
echo -n " the instructor's name: "
read CLASSES
set -- $CLASSES
if [ $# = 0 ]
then    echo "No classes entered, good-bye!"
        exit 1
fi

drawLine "Number of Accounts"

echo "Enter number of accounts to create per class (e.g.: 25)."
echo "(Note that one additional account (numbered \"00\") will be"
echo "created for the instructor to use, as a demo for example.)"
echo
echo -n "How many student accounts should be created? "
read NUM JUNK
if [ -z "$NUM" ]
then    echo "No value entered, good-bye!"
        exit 1
fi
if [ "$JUNK" ]
then    echo "Only enter a single value, good-bye!"
        exit 1
fi

shopt -s extglob  # Allow extended pattern matching in bash
case "$NUM" in
+([0-9])) if [ "$NUM" -eq 0 ]
          then echo "You must create at least one account, good-bye!"
               exit 1
          elif [ "$NUM" -gt 40 ]
          then echo -n "$NUM are a lot of accounts, are you sure? "
               read ANS
               if [ "$ANS" != 'y' ]
               then  echo "Good-bye!"
                     exit 1
               fi
          fi
          ;;
*)        echo "You must enter a positive number, good-bye!"
          exit 1
          ;;
esac

drawLine "Additional Group Setup"

echo "An additional group can be created for each class, named"
echo "for the class prefix.  Each student can be added as a member"
echo "of this group, so students will be members of two groups."
echo
echo -n "Do you wish to create an additional group per class (y/n)? "
read answer
if [ "$answer" = "y" ]
then
    CREATE_ADDITIONAL_GRP="y"
    echo
    echo -n "Do you want to add yourself to this group as well (y/n)? "
    read answer
    if [ "$answer" = "y" ]
    then
	INSTRUCTOR=$(getInst)
	ADD_INST_TO_ADDITIONAL_GRP="y"
    fi
fi

drawLine "Instructor Access"

echo "The system umask of \"027\" allows full access by a file's"
echo "owner, read access by group members, and no access for others."
echo "By adding the instructor as a group member, for each student's"
echo "group (there is one group per account), the instructor is"
echo "given read access to all student files, facilitating grading and"
echo "support."
echo
echo "Configure so the instructor has read access to all"
echo -n "created account home directories (y/n)? "
read answer
if [ "$answer" = "y" ]
then ADD_INST_TO_STUTENT_GRPS="y"
     [ -z "$INSTRUCTOR" ] && INSTRUCTOR=$(getInst)
fi

drawLine "Account Locking"

TODAY=$(date +%D)
echo "For security accounts are created locked (disabled)."
echo -n "Enter the date the accounts should be unlocked (e.g. \"$TODAY\"): "
read UnlockDate JUNK
if [ -z "$UnlockDate" -o -n "$JUNK" ]
then echo "You must enter a date such as \"mm/dd/yy\".  Good-bye!"
     exit 1
fi
CANONIZED_DATE=$(date --date="$UnlockDate" +%D) || exit 2

# Check to make sure the date entered is not in the past:
Today_stamp=`date --date="$TODAY" +%s`
Canon_stamp=`date --date="$CANONIZED_DATE" +%s`
if [ "$Canon_stamp" -lt "$Today_stamp" ]
then
    echo "You must enter today's date, or some date in the future!"
    exit 2
fi

if [ "$TODAY" = "$CANONIZED_DATE" ]
then pwPrefix=""
     echo "Accounts will be created unlocked (enabled)!"
else pwPrefix="!"
     echo "Accounts will be unlocked at midnight on $CANONIZED_DATE."
fi

drawLine "Initial Passwords"

echo "For highest security, accounts can be created with default"
echo "passwords.  If you chose this option the account names and"
echo "their passwords will be emailed to you.  If not, accounts"
echo "will not have passwords (users are be forced to change the"
echo "passwords when they first login, regardless."
echo
echo -n "Create accounts with initial passwords? (y/n)"
read REPLY
case "$REPLY" in
  [yY]*) GenPW=yes
	 echo
         echo -n "Enter email address to send password report to: "
         read INST_EMAIL JUNK
         echo "Passwords will be sent to $INST_EMAIL"
         ;;
  *)     GenPW=no
         echo "No passwords will be generated!"
         ;;
esac

echo
if [ "$NUM" -lt 10 ]
then DISP_NUM="0$NUM"
else DISP_NUM="$NUM"
fi

drawLine "Configuration Summary"

# Show summary information for confirmation:

if [ $# -gt 1 ]
then
    echo -n "Creating $# classes of $((NUM + 1)) accounts each "
    echo "(\"${1}00\" - \"${1}$DISP_NUM\", ...)."
else
    echo -n "Creating 1 class of $((NUM + 1)) accounts "
    echo "(\"${1}00\" - \"${1}$DISP_NUM\")."
fi

if [ "$pwPrefix" = "" ]
then echo "Accounts will be created unlocked."
else echo "Accounts will be unlocked at midnight on $CANONIZED_DATE."
fi

if [ "$GenPW" = "yes" ]
then echo "Password list will be emailed to \"$INST_EMAIL\"."
else echo "Accounts will NOT have initial passwords."
fi

if [ "$CREATE_ADDITIONAL_GRP" = "y" ]
then echo "Creating an additional group per class."
     if [ "$ADD_INST_TO_ADDITIONAL_GRP" = "y" ]
     then echo "    $INSTRUCTOR will be included in this group."
     fi
fi

if [ "$ADD_INST_TO_STUTENT_GRPS" = "y" ]
then echo "$INSTRUCTOR will have read access to all account files."
fi

echo
echo -n "OK to proceed? (y/n)? "
read answer
if [ "$answer" != "y" ]
then
    echo "You ARE the weakest link...good-bye!"
    exit 1
fi

# Create pipe to email message (password list):
[ "$GenPW" = "yes" ] && \
    exec 3> >(/bin/mail -s "New $HOST Account Passwords" "$INST_EMAIL")

for CLASS in $CLASSES
do
    if grep "^$CLASS[0-9]" /etc/passwd >/dev/null 2>&1
    then echo "Class \"$CLASS\" already exists, skipping..."
         logger -p warn -t "add-users" \
             "Skipping account creation for $CLASS, already exists."
         continue
    fi

    logger -t "add-users" "Creating new user accounts with prefix $CLASS."

    if [ "$CREATE_ADDITIONAL_GRP" = "y" ]
    then echo "Creating new group \"$CLASS\"..."
         groupadd "$CLASS"
	 if [ "$ADD_INST_TO_ADDITIONAL_GRP" = "y" ]
	 then
	     gpasswd -a "$INSTRUCTOR" "$CLASS"
	fi
    fi

    for i in $(seq -f "%02.0f" 0 $NUM)
    do
        User="$CLASS$i"
        echo -n "Adding user $User..."
        # Create group account for user:
        groupadd "$User"

        if [ "$ADD_INST_TO_STUTENT_GRPS" = "y" ]
        then
            gpasswd -a "$INSTRUCTOR" "$User"
        fi

        # Set the password: "" = no pw, unlocked, "!" = no pw, locked,
        # "Xy1Abc" = pw and unlocked, and "!Xy1Abc" = pw, locked.
        PASSWORD="$pwPrefix"
        if [ "$GenPW" = "yes" ]
        then
            # pronouncable with at least one digit and capital leter:
            pass=$(pwgen -cn1)
            crypt=$(md5crypt "$pass")
            PASSWORD="$pwPrefix$crypt"
            echo -e "$User\t$pass" >&3  # Append name, password to email.
        fi

        # Create user: -m means create home dir and copy /etc/skel,
        #              -p '!' means create NULL (no) password for Linux
        #                 but initially lock (disable) the account,
        #              -g $User means put the user in his/her own group

        useradd -m -p "$PASSWORD" -g "$User" -K UMASK=027 "$User"

        # This forces the password to be change every 150 days, and
        # sets the date of last change to be 1/1/1970.  Thus a user
        # is forced to set a password the first time they log in, and
        # that password should be valid for one semester (plus a few
        # extra weeks).
        chage -M 150 -d 1 "$User"  #Linux cmd, Solaris uses passwd

        # Set the quotas for the user:
        setquota -u "$User" 6000 12000 2000 3000 /home
        setquota -u "$User" 1000 1500 100 200 /var
        setquota -u "$User" 1000 1500 100 200 /tmp

	# Add user to additional group:
	if [ "$CREATE_ADDITIONAL_GRP" = "y" ]
	then
	    gpasswd -a "$User" "$CLASS" >/dev/null
	fi

        echo "done!"
    done
done

# Close the pipe to mail (which will send the email):
[ "$GenPW" = "yes" ] && exec 3>&-

# Create an "at" job to unlock accounts on the specified date
# if necessary:
if [ "$pwPrefix" = '!' ]
then
at midnight $CANONIZED_DATE >/dev/null 2>&1 <<-EOF
	for c in $CLASSES
	do
	    for i in `seq -s ' ' -f "%02.0f" 0 $NUM`
	    do
	        usermod -U "\$c\$i"
	    done
	done >/dev/null 2>&1
	logger -t "add-users" "Enabling $CLASSES student accounts."
	EOF
fi

Wayne

Thanks for posting your script. I'll pick through it and see what I
can use in my env.

hai 
  
how to create adding multiple users to group without using shell scripting in solaris 



reply to mail ....
  

pashikumar7@gmail.com wrote:
> how to create adding multiple users to group without using shell scripting in solaris 

You can't.

> reply to mail ....

How about no?

-- 
Brandon Hume    - hume -> BOFH.Ca, http://WWW.BOFH.Ca/