authorJonas Smedegaard <dr@jones.dk>2005-08-19 00:39:49 +0000
committerJonas Smedegaard <dr@jones.dk>2005-08-19 00:39:49 +0000
commit24b6ad269cd88f428bbe7f19497ccf3121622c60 (patch)
tree7ee2e55c0eb7bb508e374a4db8eed40d42372544 /mass_passwd
parent47c9e2edc894a61ed0c70362f691b94f6bc034a4 (diff)
New script mass_passwd.
Diffstat (limited to 'mass_passwd')
-rwxr-xr-xmass_passwd173
1 files changed, 173 insertions, 0 deletions
diff --git a/mass_passwd b/mass_passwd
new file mode 100755
index 0000000..ec80791
--- /dev/null
+++ b/mass_passwd
@@ -0,0 +1,173 @@
+#!/bin/sh
+
+# Script origin: http://www.tuxcomputing.com/cookbook/mass_passwd
+# Original timestamp: 2004-12-15 23:36
+
+## Mass Password Change for Linux
+## This requires the Shadow Suite utilities.
+## Usage:
+## mass_passwd username username ...
+## mass_passwd -g groupname groupname ...
+## mass_passwd -a
+##
+## This program is free software; you can redistribute it and/or
+## modify it under the terms of the GNU General Public License
+## as published by the Free Software Foundation; either version 2
+## of the License, or (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+## http://www.fsf.org/licenses/gpl.html
+
+######################################################################
+
+## This is where the "username.passwd.txt" files will be dumped
+## It will be created if it doesn't already exist
+text_file_dir=$HOME/mass_passwds
+log_file=mass_passwd.log
+
+## Minimum userid considered a regular (human) user
+min_uid=1000
+
+## Length of generated passwords
+pass_len=8
+
+## Length of time, in days, before a password expires
+pass_expire=90
+
+######################################################################
+## Few user-serviceable parts inside.
+## You may wish to edit the text between the two --------- lines, below.
+
+# Get the name of this program (probably "mass_passwd")
+prog=${0##*/}
+
+usage () {
+ echo "usage: $prog [-v] [-n] username ..."
+ echo " $prog [-v] [-n] [-g] groupname ..."
+ echo " $prog [-v] [-n] [-a]"
+ echo " -g change passwords of everyone in a group"
+ echo " -a change everyone's password"
+ echo " -v verbose"
+ echo " -n don't do it, just simulate (implies -v)"
+ exit 0
+}
+short_usage () {
+ echo >&2 "usage: $prog [-v] [-g] [-a] name..."
+ echo >&2 " $prog -h for help"
+ exit 1
+}
+
+# echo something, but only if in verbose mode
+vecho () {
+ test -n "$verbose" && echo "$@"
+}
+
+# Generate a random password.
+#
+# If pwgen is available, use that - that's what it's for, and it works well.
+#
+# If not, read /dev/urandom and filter out all non-alphanumeric characters
+# until we have enough for a password. The numbers in the "tr -d" are ASCII
+# values, in octal notation, of ranges of character values to delete.
+#
+# Using /dev/urandom like this is very inefficient, but who cares?
+randompass () {
+ pwgen $pass_len 1 2>&- ||
+ tr -d '[\000-\057][\072-\100][\133-\140][\173-\377]' < /dev/urandom |
+ dd bs=$pass_len count=1 2>&-
+}
+
+
+# Interpret usernames / groupnames / "-a" mode, and return a list of usernames
+get_users () {
+ if [ -n "$all_mode" ]; then
+ getent passwd | awk -F: '{if ($3 >= '$min_uid') {print $1}}'
+ return
+ fi
+ if [ -z "$group_mode" ]; then
+ echo "$@"
+ return
+ fi
+
+ # ok, we're in group mode, must look up the users who belong to a group
+ while [ -n "$1" ]; do
+ g_ent=$(getent group "$1" 2>&-)
+ if [ -z "$g_ent" ]; then
+ echo >&2 "warning: $1: group not found"
+ continue
+ fi
+ members=${g_ent##*:}
+ gid=${g_ent%:*}
+ gid=${gid##*:}
+ echo "$members" | tr ',' ' '
+ getent passwd | awk -F: '{if ($4 == '$gid') { print $1 } }'
+ shift
+ done
+}
+
+######################################################################
+## main body
+
+group_mode=; verbose=; all_mode=; simulate=; eol=;
+while [ -z "$eol" ]; do
+ case "$1" in
+ -g) group_mode=1; shift ;;
+ -v) verbose=1; shift ;;
+ -a) all_mode=1; shift ;;
+ -n) simulate=true; verbose=1; shift ;;
+ -M) mass_out=1; shift ;; # we're called from mass_useradd
+ -h | -? | --help) usage ;;
+ --) eol=1; shift ;;
+ -*) short_usage ;;
+ *) eol=1 ;;
+ esac
+done
+
+# Set up a secure environment and the directory for printable text files
+PATH=/usr/sbin:/usr/bin:$PATH
+umask 077
+mkdir -p $text_file_dir
+cd $text_file_dir
+
+processed=0
+for u in $(get_users "$@"); do
+ vecho -n "generating password for $u..."
+ pass=$(randompass)
+ echo "$u:$pass" | eval $simulate chpasswd
+ vecho -n "."
+ eval $simulate chage -M $pass_expire -d 2003-01-01 $u
+ vecho -n "."
+
+ rm -f $u.passwd.txt
+ echo > $u.passwd.txt "\
+----------------------------------------------------------------------
+ Login name: $u
+ Password: $pass
+ Please log in and change your password; the system should
+ prompt you to do this when you log in. You can change your
+ password at any time with the 'passwd' command.
+ Choose a strong password - everyday words, birthdays,
+ names of people or animals, all these are too easy to guess.
+ Also, DO NOT give your password to anyone, ever. The IT
+ staff will never ask you for your password, and neither
+ should anyone else. You will be held responsible for all
+ activity done via your account.
+----------------------------------------------------------------------"
+ printf >> $log_file "$(date) %-12s %s\\n" $u $pass
+ vecho "$pass"
+ if [ -n "$mass_out" ]; then
+ uid=$(getent passwd $u | cut -f3 -d:)
+ echo -e "$u\\t$pass\\t$uid"
+ fi
+ processed=$(expr $processed + 1)
+done
+
+if [ $processed -gt 0 ]; then
+ test -z "$mass_out" &&
+ echo >&2 "$processed password(s) reset - see $text_file_dir/$log_file"
+else
+ echo >&2 "no users specified - see '$prog -h' for help"
+fi
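Review bot: The two `eval $simulate …` lines in the main loop re-parse `$u` as shell code, so a name containing shell metacharacters (from the command line, or from whatever backend `getent` queries) is executed with the caller's privileges, presumably root since chpasswd is being run. Plain expansion gives the same simulate/real switch without eval: `echo "$u:$pass" | $simulate chpasswd || continue` and `$simulate chage -M "$pass_expire" -d 2003-01-01 "$u"`, with the remaining `$u`, `$text_file_dir` and `$log_file` uses quoted as well. The `|| continue` also covers the unchecked chpasswd exit status: as written, a failed change is still recorded in `$u.passwd.txt` and the log as if the new password were in effect. Separately, in get_users the `continue` after the "group not found" warning skips the `shift` at the bottom of the loop, so an unknown group name loops forever; put a `shift` before that `continue`.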