#!/bin/sh

# Script origin: http://www.tuxcomputing.com/cookbook/mass_passwd
# Original timestamp: 2004-12-15 23:36

## Mass Password Change for Linux
## This requires the Shadow Suite utilities.
## Usage:
##   mass_passwd username username ...
##   mass_passwd -g groupname groupname ...
##   mass_passwd -a
##
## This program is free software; you can redistribute it and/or
## modify it under the terms of the GNU General Public License
## as published by the Free Software Foundation; either version 2
## of the License, or (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
## http://www.fsf.org/licenses/gpl.html

######################################################################

## This is where the "username.passwd.txt" files will be dumped
## It will be created if it doesn't already exist
text_file_dir=$HOME/mass_passwds
log_file=mass_passwd.log

## Minimum userid considered a regular (human) user
min_uid=1000

## Length of generated passwords
pass_len=8

## Length of time, in days, before a password expires
pass_expire=90

######################################################################
## Few user-serviceable parts inside.
## You may wish to edit the text between the two --------- lines, below.

# Get the name of this program (probably "mass_passwd")
prog=${0##*/}

usage () {
        echo "usage: $prog [-v] [-n] username ..."
        echo "       $prog [-v] [-n] [-g] groupname ..."
        echo "       $prog [-v] [-n] [-a]"
        echo "  -g   change passwords of everyone in a group"
        echo "  -a   change everyone's password"
        echo "  -v   verbose"
        echo "  -n   don't do it, just simulate (implies -v)"
        exit 0
}
short_usage () {
        echo >&2 "usage: $prog [-v] [-g] [-a] name..."
        echo >&2 "       $prog -h    for help"
        exit 1
}

# echo something, but only if in verbose mode
vecho () {
        test -n "$verbose" && echo "$@"
}

# Generate a random password.
#
# If pwgen is available, use that - that's what it's for, and it works well.
#
# If not, read /dev/urandom and filter out all non-alphanumeric characters
# until we have enough for a password.  The numbers in the "tr -d" are ASCII
# values, in octal notation, of ranges of character values to delete.
#
# Using /dev/urandom like this is very inefficient, but who cares?
randompass () {
        pwgen $pass_len 1 2>&- ||
        tr -d '[\000-\057][\072-\100][\133-\140][\173-\377]' < /dev/urandom |
          dd bs=$pass_len count=1 2>&-
}


# Interpret usernames / groupnames / "-a" mode, and return a list of usernames
get_users () {
        if [ -n "$all_mode" ]; then
                getent passwd | awk -F: '{if ($3 >= '$min_uid') {print $1}}'
                return
        fi
        if [ -z "$group_mode" ]; then
                echo "$@"
                return
        fi

        # ok, we're in group mode, must look up the users who belong to a group
        while [ -n "$1" ]; do
                g_ent=$(getent group "$1" 2>&-)
                if [ -z "$g_ent" ]; then
                        echo >&2 "warning: $1: group not found"
                        continue
                fi
                members=${g_ent##*:}
                gid=${g_ent%:*}
                gid=${gid##*:}
                echo "$members" | tr ',' ' '
                getent passwd | awk -F: '{if ($4 == '$gid') { print $1 } }'
                shift
        done
}

######################################################################
## main body

group_mode=; verbose=; all_mode=; simulate=; eol=;
while [ -z "$eol" ]; do
        case "$1" in
                -g) group_mode=1; shift ;;
                -v) verbose=1; shift ;;
                -a) all_mode=1; shift ;;
                -n) simulate=true; verbose=1; shift ;;
                -M) mass_out=1; shift ;;   # we're called from mass_useradd
                -h | -? | --help) usage ;;
                --) eol=1; shift ;;
                -*) short_usage ;;
                *) eol=1 ;;
        esac
done

# Set up a secure environment and the directory for printable text files
PATH=/usr/sbin:/usr/bin:$PATH
umask 077
mkdir -p $text_file_dir
cd $text_file_dir

processed=0
for u in $(get_users "$@"); do
        vecho -n "generating password for $u..."
        pass=$(randompass)
        echo "$u:$pass" | eval $simulate chpasswd
        vecho -n "."
        eval $simulate chage -M $pass_expire -d 2003-01-01 $u
        vecho -n "."

        rm -f $u.passwd.txt
        echo > $u.passwd.txt "\
----------------------------------------------------------------------
                     Login name: $u
                     Password:   $pass
          Please log in and change your password; the system should
     prompt you to do this when you log in.  You can change your
     password at any time with the 'passwd' command.
          Choose a strong password - everyday words, birthdays,
     names of people or animals, all these are too easy to guess.
     Also, DO NOT give your password to anyone, ever.  The IT
     staff will never ask you for your password, and neither
     should anyone else.  You will be held responsible for all
     activity done via your account.
----------------------------------------------------------------------"
        printf >> $log_file "$(date)   %-12s %s\\n" $u $pass
        vecho "$pass"
        if [ -n "$mass_out" ]; then
                uid=$(getent passwd $u | cut -f3 -d:)
                /bin/echo -e "$u\\t$pass\\t$uid"
        fi
        processed=$(expr $processed + 1)
done

if [ $processed -gt 0 ]; then
        test -z "$mass_out" &&
        echo >&2 "$processed password(s) reset - see $text_file_dir/$log_file"
else
        echo >&2 "no users specified - see '$prog -h' for help"
fi