Secure Scripting: A Step-by-Step Guide to Password Automation in Linux with Bash

George Baidoo Jr.
6 min read · Apr 4, 2024


In this project I’m going to show you how to use bash scripting to automatically generate a password for each new user account on a Linux system.

This project is a follow-up to my previous bash scripting project, where I showed how to create user accounts on a Linux system.

Previous project: https://medium.com/@GeorgeBaidooJr/creating-users-accounts-via-bash-scripting-for-a-linux-system-b8e47edc7bfe.


What you will need:

  • Linux terminal
  • Desire to learn something new

Step 1: Create text file for script

  • In your command line interface create a new text file that will contain the script that we will be building and working on.
  • Name the script “add-new-local-user.sh”.
touch add-new-local-user.sh

Step 2: Change permissions to allow executable privileges

  • As a default security measure, Linux does not allow a file to be executed unless the proper permissions have been set. A file's permissions can be modified with the “chmod” command followed by the numeric mode.

Ex: chmod 755 or chmod 777

  • For the script we will be working on, we will be using the “755” number notation.
chmod 755 add-new-local-user.sh

Step 3: Building the script

  • To mark the text file as a script, the first line must be a shebang. The shebang tells the system which interpreter should execute the file.
  • The first scripting task is to require that the script be executed with superuser privileges.
  • The script portion shown below tells the user at the command line to execute the script as the sudo or root user. Without superuser privileges the script will NOT execute properly.

User info section

The goal is to have a user (help desk personnel) enter a username and have the script automatically generate a random password for that user. Each user gets their own unique password, eliminating the need to manually create a password for every new user on a Linux system.

  • USER_NAME="$1": This line stores the first argument passed to the script in a variable called USER_NAME. When running the script, you provide the new user's name as this first argument.
  • shift: This command shifts the script's argument list so that the second argument becomes the first, the third becomes the second, and so on. It's used here because the remaining arguments after the first are meant to be part of the account comment.
  • COMMENT="$@": After the shift, $@ represents all the remaining command line arguments, which are assigned to the variable COMMENT. These are used as the comment for the user account.
  • PASSWORD=$(date +%s%N | sha256sum | head -c48): This line generates a password by taking the current date and time in nanoseconds, passing it through the sha256sum command to create a hash, and then using head -c48 to keep the first 48 hexadecimal characters of that hash.
  • useradd -c "${COMMENT}" -m ${USER_NAME}: The useradd command is used to create a new user with the comment specified by the COMMENT variable and the username specified by the USER_NAME variable. The -m option creates the user's home directory.
  • if [[ "${?}" -ne 0 ]]: This checks the exit status of the last command (useradd in this case). $? is a special variable that holds the exit status of the last executed command. -ne 0 checks if this status is not equal to 0, which indicates an error occurred.
  • echo 'The account could not be created.': If the user creation command failed (i.e., if condition is true), this line outputs a message stating that the account couldn't be created.
  • exit 1: This exits the script and returns a status of 1, which is a general convention to indicate that an error occurred.

Password section:

  • echo ${PASSWORD} | passwd --stdin ${USER_NAME}: This sets the password for the newly created user. The generated password is piped to the “passwd” command, which sets it on the account named by USER_NAME. After the password has been assigned, it is printed to the command line so it can be seen.
  • The next if statement checks if the passwd command was successful by looking at its exit status ($?). If the status is not equal to 0 (which means an error occurred), it prints "The password for the account could not be set." and exits the script with a status code of 1, indicating an error.
  • passwd -e ${USER_NAME}: This command forces the new user to change their password the next time they log in for security purposes.
  • The echo commands display the username, the generated password, and the host (computer name) where the user was created. This information is printed to the terminal so that the person running the script can note down the details of the new account.
  • exit 0: The script exits with a status code of 0, which is a convention to indicate success.

Script as a whole:

  • Here is the entire script put together.
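The script below is assembled from the line-by-line descriptions above (it is an added reconstruction, not the author's screenshot), so that the whole flow can be read in one place. It assumes passwd supports --stdin, as on RHEL/Fedora systems, and adds one function that is not in the original: a /dev/urandom-based generator, offered because a password derived from the creation timestamp is tied to a value an attacker may be able to narrow down.

```bash
#!/bin/bash
# Reconstruction of add-new-local-user.sh from the bullet descriptions above, not the
# author's image. Assumes passwd supports --stdin (RHEL/Fedora family); on Debian-based
# systems the equivalent is: echo "${USER_NAME}:${PASSWORD}" | chpasswd

# The page's method: sha256 of the current time in nanoseconds, first 48 hex characters.
generate_password() {
    date +%s%N | sha256sum | head -c48
}

# Added alternative (not in the original): take the 48 characters from /dev/urandom so the
# password does not derive from the clock value at the moment the account was created.
generate_password_urandom() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c48
}

main() {
    if [[ "${UID}" -ne 0 ]]; then          # useradd and passwd need superuser privileges
        echo 'Please run with sudo or as root.' >&2
        exit 1
    fi
    if [[ "${#}" -lt 1 ]]; then
        echo "Usage: ${0} USER_NAME [COMMENT]..." >&2
        exit 1
    fi
    USER_NAME="${1}"
    shift                                  # remaining arguments form the account comment
    COMMENT="${*}"
    PASSWORD=$(generate_password)
    useradd -c "${COMMENT}" -m "${USER_NAME}"
    if [[ "${?}" -ne 0 ]]; then
        echo 'The account could not be created.' >&2
        exit 1
    fi
    echo "${PASSWORD}" | passwd --stdin "${USER_NAME}"
    if [[ "${?}" -ne 0 ]]; then
        echo 'The password for the account could not be set.' >&2
        exit 1
    fi
    passwd -e "${USER_NAME}"               # force a password change at first login
    echo "username: ${USER_NAME}"
    echo "password: ${PASSWORD}"
    echo "host: ${HOSTNAME}"
    exit 0
}

# Run only when invoked with arguments, so the functions above can be sourced and tested.
if [ "${#}" -gt 0 ]; then main "$@"; fi
```

Swap generate_password for generate_password_urandom in main to use the /dev/urandom variant; everything else stays the same.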

Step 4: Let’s test things out

We will test out our script to see how things work!

  • Enter a username to see if a password is generated.
  • Be sure to copy one of the generated passwords to your clipboard. We will be changing it to a new, unique one later.
sudo ./add-new-local-user.sh exampleuser COMMENT
Ex: sudo ./add-new-local-user.sh gbaidoo George Baidoo
[Screenshots: successful runs for User #1, User #2 and User #3]

If you get results like the ones in the images, the script is working properly! Great job!

Try executing the script without “sudo or root” privileges

  • Remember that we set the script to allow only a user with “sudo or root” privileges to execute it. When you attempt to execute the file without the proper privileges, you will be denied and prompted to run the script with sudo.

Changing the randomly generated password to a unique one

  • Let’s change the password of one of your users by running the “su” command followed by the username.
  • Paste the generated password at the current password prompt and hit enter.
  • Enter your new password twice to confirm the change.
su - example
Ex: su - gbaidoo

Congratulations! If you made it this far, you have successfully completed this project. You learned how to write a script that automatically generates passwords for new users on a Linux system, showcasing efficiency and security in Linux system administration!

Follow me on:

My LinkedIn: https://www.linkedin.com/in/georgebaidoojr/

My Twitter: https://twitter.com/GeorgeBaidooJr

My GitHub: https://github.com/GeorgeBaidooJr9
