
Create Multiple Users on Solaris 10


neilsolent

Feb 17, 2009, 10:24:13 AM
I have been asked to create a large list of users on a large number of
Solaris 10 servers. They are normal local users, no NIS or LDAP or
anything like that.

I can create a script to run useradd - but is there a way to set the
password for each user (just defaulting to the username would be fine
as an initial password) without having to run passwd interactively?

Claus Dragon

Feb 17, 2009, 12:26:00 PM

You could always create the users and then add a line to /etc/shadow
for each user. You would have to encode the password, IIRC.


Mike Marshall

Feb 17, 2009, 3:23:20 PM
Solaris doesn't have an interactive password setter that'll take
the password from the command line (that I know of).

It is easy to write a small PAM app that you could put in your script...

a.out userid password

In general, putting clear text passwords on the command line is bad,
so I guess the Solaris folks don't want to give you such a gun for
fear you'll shoot off your foot...

-Mike

Doug McIntyre

Feb 17, 2009, 4:10:26 PM

autopasswd out of the expect package.

It's located in /usr/demo/expect/autopasswd on an OpenSolaris box.

Or write your own /etc/passwd file manipulation in
perl/yourfavorite/scripting lang and do what you need to.


neilsolent

Feb 18, 2009, 3:37:23 AM
Thanks for the feedback everyone.
I've gone for this in the end:

passwd -df <username>

- so no password, and prompt for password on first logon. This can be
run non-interactively and is no less secure really than setting
password=username !

Not ideal, but hey!
If I start setting random passwords for everyone, then I've got the
issue of securely communicating them with the end users.

Wayne

Feb 19, 2009, 2:13:02 AM

You need to install extra tools. One is expect, which can
automate the passwd program as others have mentioned.

You can also install apg or pwgen to generate reasonably strong
passwords (apg meets NIST standards). These can be encrypted
using openssl or some similar package---I'm not sure but I
think Solaris has a native/trusted utility that can do this.

Finally you need a way to put the password into the shadow
file. As root you can script sed or ed to add the password
to shadow. Note there is an advisory lock file you can
use when editing that file, but I suggest you make a copy,
set the lock, edit only your copy, then when done replace
/etc/shadow with the copy (and release the lock).

The generated usernames and passwords can be sent as email
(which can use gpg to encrypt) or printed and hand delivered,
or sent as paper mail (p-mail?) to the recipients. Even
unprotected email may be safe enough if the email never leaves
your internal mail server.

I have a script I use for Linux (which makes it easier/safer
to set the password using the Linux useradd -p option). I use
this script to create student accounts for many classes at
once. If you promise no snide remarks on my scripting ability
(or lack thereof) I would be happy to post it here. Perhaps
it can serve as a starting point for you.

For an easier and more secure system, why not use ssh key
access instead? That should be easier to automate.

-Wayne
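
The copy, edit and replace procedure described in the post above, together with a check for the empty password fields that "passwd -d" leaves behind, as an added example that is not part of the thread or of any poster's own script. Assumptions: the function names and the ".lock" / ".new" work files are hypothetical, the lock is a plain noclobber lock file rather than the system's own password-file lock, and the hash is computed elsewhere and passed in.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical names: set_shadow_hash,
# list_empty_pw, and the "$file.lock" / "$file.new.$$" work files.

# list_empty_pw FILE
# Print every account whose password field is empty, i.e. can log in
# with no password (the state "passwd -d" leaves an account in).
list_empty_pw() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# set_shadow_hash FILE USER HASH
# Put an already-computed crypt hash into USER's record by editing a
# private copy and renaming it over FILE. All other fields are kept.
# Returns 0 ok, 1 lock held, 2 no such user / bad result, 3 unusable hash.
set_shadow_hash() {
    file=$1 user=$2 hash=$3
    lock="$file.lock" tmp="$file.new.$$" rc=0

    # An empty hash would create a passwordless account; ':' would
    # shift every later field of the record.
    case $hash in ''|*:*) return 3 ;; esac

    # noclobber makes the redirect fail if the lock file already exists.
    # This is a stand-in lock, not the system's own password-file lock.
    ( set -C; : > "$lock" ) 2>/dev/null || return 1

    old_umask=$(umask); umask 077      # the copy holds hashes: owner-only
    # Values go in through the environment so awk does not expand escapes.
    U="$user" H="$hash" awk -F: 'BEGIN { OFS = ":" }
        $1 == ENVIRON["U"] { $2 = ENVIRON["H"]; hit = 1 }
        { print }
        END { exit (hit ? 0 : 2) }' "$file" > "$tmp" || rc=$?
    umask "$old_umask"

    # Only replace the original if the copy is complete and well-formed
    # (same line count, nine colon-separated fields on every line).
    if [ "$rc" -eq 0 ] &&
       [ "$(wc -l < "$tmp")" -eq "$(wc -l < "$file")" ] &&
       awk -F: 'NF != 9 { exit 1 }' "$tmp"
    then mv "$tmp" "$file"             # rename in one directory is atomic
    else rm -f "$tmp"; [ "$rc" -ne 0 ] || rc=2
    fi
    rm -f "$lock"
    return "$rc"
}
```

Run it against a scratch copy first; the replaced file ends up with mode 600 because of the umask, so reset ownership and mode to the system's values afterwards.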

neilsolent

Feb 19, 2009, 4:25:55 AM
> I have a script I use for Linux (which makes it easier/safer
> to set the password using the Linux useradd -p option).  I use
> this script to create student accounts for many classes at
> once.  If you promise no snide remarks on my scripting ability
> (or lack thereof) I would be happy to post it here.  Perhaps
> it can serve as a starting point for you.

Thanks for your post. I was really just after a quick fix - management
need a task done NOW, so I went with "passwd -df <userid>"
Yes please post the script for future reference. I would never make
snide remarks when people are helping for free.

> For an easier and more secure system, why not use ssh key
> access instead?  That should be easier to automate.

Yes, good idea. However no time to get and set those up across the
estate at the moment. Maybe next time :-(

Wayne

Feb 20, 2009, 1:45:39 PM

Here is my "add-users" Linux/bash script, for whatever it is worth.
(Constructive comments and improvement suggestions always welcome.)

-Wayne

#!/bin/bash -
# Script to add many student accounts at once. This is the
# Fedora version. Run as root only.
# See also the "disable-user" script to disable accounts before
# permanently removing them with 'remove-user'.
# TODO: currently invalid inputs abort program. This should be
# changed to a loop to try 'n' times (say 3) before aborting.
#
# $Id: add-users,v 1.6 2009/02/20 18:31:53 wayne Exp $
#
# Originally written 2002 by Wayne _____________.

PATH=/bin:/sbin:/usr/bin:/usr/sbin

PROG=${0##*/}
HOST=$(uname -n)
INSTRUCTOR=""
CREATE_ADDITIONAL_GRP="n"
ADD_INST_TO_ADDITIONAL_GRP="n"
ADD_INST_TO_STUTENT_GRPS="n"

md5crypt()
{
    echo "$1" |openssl passwd -1 -stdin
}

# A fancy separator line with optional centered title,
# of 68 characters ("-") wide.

drawLine()
{
    local num line title
    title="$1"
    let "num = ( 68 - ${#title} ) / 2"
    line=$(perl -e "print \"-\" x $num;")
    echo
    echo -n "$line"
    [ "$1" ] && echo -n " $1 "
    echo "$line"
    echo
}

getInst()
{
    local CURR_USER instructor

    if [ -x /usr/bin/logname ]
    then CURR_USER=`logname`
    else CURR_USER=`id -run`
    fi
    echo "What is your account name (default: $CURR_USER)? " >/dev/tty
    read instructor
    if [ "$instructor" = "" ]
    then instructor=$CURR_USER
    fi
    if ! grep -e "^$instructor:" /etc/passwd >/dev/null 2>&1
    then
        echo "No user account \"$instructor\" found!" >&2
        echo "Exiting..." >&2
        exit 2
    fi
    echo "$instructor"
}

if [ "`id -u`" != "0" ]
then echo "You must be root to run this script. (Try \"sudo $PROG\".)"
     exit 1
fi

drawLine "Class Account Creation Wizard"

echo
cat <<EOF
Created accounts have the form <prefix><number>
(e.g. "rab01", "rab02", ...)

Enter class prefix(es) (e.g.: ua ub uc)
EOF
echo -n "A good choice is the first few letters of"
echo -n " the instructor's name: "
read CLASSES
set -- $CLASSES
if [ $# = 0 ]
then echo "No classes entered, good-bye!"
     exit 1
fi

drawLine "Number of Accounts"

echo "Enter number of accounts to create per class (e.g.: 25)."
echo "(Note that one additional account (numbered \"00\") will be"
echo "created for the instructor to use, as a demo for example.)"
echo
echo -n "How many student accounts should be created? "
read NUM JUNK
if [ -z "$NUM" ]
then echo "No value entered, good-bye!"
     exit 1
fi
if [ "$JUNK" ]
then echo "Only enter a single value, good-bye!"
     exit 1
fi

shopt -s extglob # Allow extended pattern matching in bash
case "$NUM" in
    +([0-9])) if [ "$NUM" -eq 0 ]
              then echo "You must create at least one account, good-bye!"
                   exit 1
              elif [ "$NUM" -gt 40 ]
              then echo -n "$NUM are a lot of accounts, are you sure? "
                   read ANS
                   if [ "$ANS" != 'y' ]
                   then echo "Good-bye!"
                        exit 1
                   fi
              fi
              ;;
    *)        echo "You must enter a positive number, good-bye!"
              exit 1
              ;;
esac

drawLine "Additional Group Setup"

echo "An additional group can be created for each class, named"
echo "for the class prefix. Each student can be added as a member"
echo "of this group, so students will be members of two groups."
echo
echo -n "Do you wish to create an additional group per class (y/n)? "
read answer
if [ "$answer" = "y" ]
then
    CREATE_ADDITIONAL_GRP="y"
    echo
    echo -n "Do you want to add yourself to this group as well (y/n)? "
    read answer
    if [ "$answer" = "y" ]
    then
        # "exit" inside $(...) only ends the subshell, so pass it on:
        INSTRUCTOR=$(getInst) || exit 2
        ADD_INST_TO_ADDITIONAL_GRP="y"
    fi
fi

drawLine "Instructor Access"

echo "The system umask of \"027\" allows full access by a file's"
echo "owner, read access by group members, and no access for others."
echo "By adding the instructor as a group member, for each student's"
echo "group (there is one group per account), the instructor is"
echo "given read access to all student files, facilitating grading and"
echo "support."
echo
echo "Configure so the instructor has read access to all"
echo -n "created account home directories (y/n)? "
read answer
if [ "$answer" = "y" ]
then ADD_INST_TO_STUTENT_GRPS="y"
     # "exit" inside $(...) only ends the subshell, so pass it on:
     [ -z "$INSTRUCTOR" ] && { INSTRUCTOR=$(getInst) || exit 2; }
fi

drawLine "Account Locking"

TODAY=$(date +%D)
echo "For security accounts are created locked (disabled)."
echo -n "Enter the date the accounts should be unlocked (e.g. \"$TODAY\"): "
read UnlockDate JUNK
if [ -z "$UnlockDate" -o -n "$JUNK" ]
then echo "You must enter a date such as \"mm/dd/yy\". Good-bye!"
     exit 1
fi
CANONIZED_DATE=$(date --date="$UnlockDate" +%D) || exit 2

# Check to make sure the date entered is not in the past:
Today_stamp=`date --date="$TODAY" +%s`
Canon_stamp=`date --date="$CANONIZED_DATE" +%s`
if [ "$Canon_stamp" -lt "$Today_stamp" ]
then
    echo "You must enter today's date, or some date in the future!"
    exit 2
fi

if [ "$TODAY" = "$CANONIZED_DATE" ]
then pwPrefix=""
     echo "Accounts will be created unlocked (enabled)!"
else pwPrefix="!"
     echo "Accounts will be unlocked at midnight on $CANONIZED_DATE."
fi

drawLine "Initial Passwords"

echo "For highest security, accounts can be created with default"
echo "passwords. If you choose this option the account names and"
echo "their passwords will be emailed to you. If not, accounts"
echo "will not have passwords (users are forced to change the"
echo "passwords when they first login, regardless)."
echo
echo -n "Create accounts with initial passwords? (y/n)"
read REPLY
case "$REPLY" in
    [yY]*) GenPW=yes
           echo
           echo -n "Enter email address to send password report to: "
           read INST_EMAIL JUNK
           echo "Passwords will be sent to $INST_EMAIL"
           ;;
    *)     GenPW=no
           echo "No passwords will be generated!"
           ;;
esac

echo
if [ "$NUM" -lt 10 ]
then DISP_NUM="0$NUM"
else DISP_NUM="$NUM"
fi

drawLine "Configuration Summary"

# Show summary information for confirmation:

if [ $# -gt 1 ]
then
    echo -n "Creating $# classes of $((NUM + 1)) accounts each "
    echo "(\"${1}00\" - \"${1}$DISP_NUM\", ...)."
else
    echo -n "Creating 1 class of $((NUM + 1)) accounts "
    echo "(\"${1}00\" - \"${1}$DISP_NUM\")."
fi

if [ "$pwPrefix" = "" ]
then echo "Accounts will be created unlocked."
else echo "Accounts will be unlocked at midnight on $CANONIZED_DATE."
fi

if [ "$GenPW" = "yes" ]
then echo "Password list will be emailed to \"$INST_EMAIL\"."
else echo "Accounts will NOT have initial passwords."
fi

if [ "$CREATE_ADDITIONAL_GRP" = "y" ]
then echo "Creating an additional group per class."
     if [ "$ADD_INST_TO_ADDITIONAL_GRP" = "y" ]
     then echo " $INSTRUCTOR will be included in this group."
     fi
fi

if [ "$ADD_INST_TO_STUTENT_GRPS" = "y" ]
then echo "$INSTRUCTOR will have read access to all account files."
fi

echo
echo -n "OK to proceed? (y/n)? "
read answer
if [ "$answer" != "y" ]
then
    echo "You ARE the weakest link...good-bye!"
    exit 1
fi

# Create pipe to email message (password list):
[ "$GenPW" = "yes" ] && \
    exec 3> >(/bin/mail -s "New $HOST Account Passwords" "$INST_EMAIL")

for CLASS in $CLASSES
do
    if grep "^$CLASS[0-9]" /etc/passwd >/dev/null 2>&1
    then echo "Class \"$CLASS\" already exists, skipping..."
         logger -p warn -t "add-users" \
             "Skipping account creation for $CLASS, already exists."
         continue
    fi

    logger -t "add-users" "Creating new user accounts with prefix $CLASS."

    if [ "$CREATE_ADDITIONAL_GRP" = "y" ]
    then echo "Creating new group \"$CLASS\"..."
         groupadd "$CLASS"
         if [ "$ADD_INST_TO_ADDITIONAL_GRP" = "y" ]
         then
             gpasswd -a "$INSTRUCTOR" "$CLASS"
         fi
    fi

    for i in $(seq -f "%02.0f" 0 $NUM)
    do
        User="$CLASS$i"
        echo -n "Adding user $User..."
        # Create group account for user:
        groupadd "$User"

        if [ "$ADD_INST_TO_STUTENT_GRPS" = "y" ]
        then
            gpasswd -a "$INSTRUCTOR" "$User"
        fi

        # Set the password: "" = no pw, unlocked, "!" = no pw, locked,
        # "Xy1Abc" = pw and unlocked, and "!Xy1Abc" = pw, locked.
        PASSWORD="$pwPrefix"
        if [ "$GenPW" = "yes" ]
        then
            # pronounceable with at least one digit and capital letter:
            pass=$(pwgen -cn1)
            crypt=$(md5crypt "$pass")
            PASSWORD="$pwPrefix$crypt"
            echo -e "$User\t$pass" >&3 # Append name, password to email.
        fi

        # Create user: -m means create home dir and copy /etc/skel,
        # -p '!' means create NULL (no) password for Linux
        # but initially lock (disable) the account,
        # -g $User means put the user in his/her own group

        useradd -m -p "$PASSWORD" -g "$User" -K UMASK=027 "$User"

        # This forces the password to be changed every 150 days, and
        # sets the date of last change to be 1/1/1970. Thus a user
        # is forced to set a password the first time they log in, and
        # that password should be valid for one semester (plus a few
        # extra weeks).
        chage -M 150 -d 1 "$User" #Linux cmd, Solaris uses passwd

        # Set the quotas for the user:
        setquota -u "$User" 6000 12000 2000 3000 /home
        setquota -u "$User" 1000 1500 100 200 /var
        setquota -u "$User" 1000 1500 100 200 /tmp

        # Add user to additional group:
        if [ "$CREATE_ADDITIONAL_GRP" = "y" ]
        then
            gpasswd -a "$User" "$CLASS" >/dev/null
        fi

        echo "done!"
    done
done

# Close the pipe to mail (which will send the email):
[ "$GenPW" = "yes" ] && exec 3>&-

# Create an "at" job to unlock accounts on the specified date
# if necessary:
if [ "$pwPrefix" = '!' ]
then
    at midnight $CANONIZED_DATE >/dev/null 2>&1 <<-EOF
for c in $CLASSES
do
for i in `seq -s ' ' -f "%02.0f" 0 $NUM`
do
usermod -U "\$c\$i"
done
done >/dev/null 2>&1
logger -t "add-users" "Enabling $CLASSES student accounts."
EOF
fi

n...@solenttechnology.co.uk

Feb 23, 2009, 5:05:33 AM

Wayne

Thanks for posting your script. I'll pick through it and see what I
can use in my env.

pashi...@gmail.com

Mar 1, 2013, 7:49:38 AM
hai

how to create adding multiple users to group without using shell scripting in solaris



reply to mail ....





hume.sp...@bofh.ca

Mar 1, 2013, 11:53:44 AM
pashi...@gmail.com wrote:
> how to create adding multiple users to group without using shell scripting in solaris

You can't.

> reply to mail ....

How about no?

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

mohan...@gmail.com

Sep 26, 2013, 7:41:04 AM
how to create multi user in same time ?

i want commands only not for script

mohan...@gmail.com

Sep 26, 2013, 7:42:21 AM
I can create a multiuser in useradd - but is there a way to set the
password for each user

Doug McIntyre

Sep 26, 2013, 8:46:46 PM
mohan...@gmail.com writes:
>I can create a multiuser in useradd - but is there a way to set the
>password for each user

Not with any built in tools. You could write your own tool, (ie. think
perl), or the 'expect' distribution comes with a 'passmass' command
that does kind of what you want.

Other add-on solutions would be something like Ansible.
--
Doug McIntyre
do...@themcintyres.us

tridac

Sep 28, 2013, 8:20:37 AM
On 09/27/13 00:46, Doug McIntyre wrote:
> mohan...@gmail.com writes:
>> I can create a multiuser in useradd - but is there a way to set the
>> password for each user
>
> Not with any built in tools. You could write your own tool, (ie. think
> perl), or the 'expect' distribution comes with a 'passmass' command
> that does kind of what you want.
>
> Other add-on solutions would be something like Ansible.

passwd ?. Not difficult to write a short script that uses passwd and a
text file with the list of user names and passwords. Create the
user with useradd and set the password with passwd.

man passwd...

Chris

--
** Remove the meaning of life to reply...

hume.sp...@bofh.ca

Sep 28, 2013, 8:39:36 AM
tridac <desi...@ceeq.org> wrote:
> passwd ?. Not difficult to write a short script that uses passwd and a

Unfortunately, if you'd read the user's other post you'd have seen that he
said he wants "commands only not for script".

tridac

Sep 28, 2013, 4:46:53 PM
On 09/28/13 12:39, hume.sp...@bofh.ca wrote:
> tridac<desi...@ceeq.org> wrote:
>> passwd ?. Not difficult to write a short script that uses passwd and a
>
> Unfortunately, if you'd read the user's other post you'd have seen that he
> said he wants "commands only not for script".
>

So it's not that the job can't be done, just that there are artificial
limitations being placed on how the job is done ?.

Not sure I would want a command to set multiple user passwords all at once
in a single command line. The scope for snafu is considerable :-). Stuff
like that is what shell scripts were designed for...

hume.sp...@bofh.ca

Sep 28, 2013, 8:42:17 PM
tridac <desi...@ceeq.org> wrote:
> So it's not that the job can't be done, just that there are artificial
> limitations being placed on how the job is done ?.

Pretty much. It's amazing how often that's the case.

But hey, if the OP wants to spend money rather than learn how to do it,
that keeps the likes of you and me employed. :)

YTC#1

Sep 29, 2013, 4:57:38 AM
On 28/09/2013 13:39, hume.sp...@bofh.ca wrote:
> tridac <desi...@ceeq.org> wrote:
>> passwd ?. Not difficult to write a short script that uses passwd and a
>
> Unfortunately, if you'd read the user's other post you'd have seen that he
> said he wants "commands only not for script".
>

I got the impression he wanted the computer to read his mind and take
action for him with no KB interaction.....
