This very useful script creates a batch of user accounts from an array of usernames and generates a random password for each account.
The password is generated by asking openssl to produce a base64 string from 12 bytes of random data.
The `--stdin` option (a Red Hat addition to passwd, not available on Debian-based systems) is used to pipe the newly generated password into passwd.
Finally, `chage -d 0` forces each user to change their password at the next logon, so the temporary password that was printed on the terminal is never in use for long.
```bash
#!/bin/bash

# Array of usernames
usernames=("user1" "user2" "user3")

for username in "${usernames[@]}"; do
    # Generate a random password using openssl (12 random bytes, base64-encoded)
    password=$(openssl rand -base64 12)

    # Create the user with the generated password.
    # printf rather than echo -e: passwd --stdin reads exactly one line, and
    # printf never interprets backslash sequences in the password text.
    sudo useradd -m "$username"
    printf '%s\n' "$password" | sudo passwd --stdin "$username"

    # Force password change on first login.
    sudo chage -d 0 "$username"

    echo "User $username has been created with temporary password: $password."
done
```
Create this script in the /root folder and make it executable.
```
[root@localhost ~]# chmod +x user_accounts.sh
```
Then run the script as root to create a bunch of new user accounts on your Linux system.
```
[root@localhost ~]# ./user_accounts.sh
Changing password for user user1.
passwd: all authentication tokens updated successfully.
User user1 has been created with temporary password: LDnJX3pXzpMu5J+y.
Changing password for user user2.
passwd: all authentication tokens updated successfully.
User user2 has been created with temporary password: quVT6C84UnIAqEGh.
Changing password for user user3.
passwd: all authentication tokens updated successfully.
User user3 has been created with temporary password: kbolH1Q7e9dgKdlX.
```
When each user logs in for the first time they will be prompted to create a new password for their account.
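The same create-and-expire procedure, written defensively, as an added example that is not the original post's script. It assumes a Red Hat-style system (passwd with `--stdin`, chage), that it is run as root, and that usernames are passed as arguments instead of a hard-coded array; the `valid_username`, `gen_password` and `create_account` helpers are this example's own. It refuses malformed names, leaves existing accounts untouched, and draws the temporary password from kernel randomness without depending on openssl.

```bash
#!/bin/bash
# Added example (not the original post's script): hardened variant of the
# account-creation loop. Assumes root on a Red Hat-style system and that
# usernames are given as command-line arguments.
set -eu

# Accept only conservative POSIX-portable usernames: a lowercase letter or
# underscore, then up to 31 letters, digits, underscores or hyphens.
# Anything else (spaces, shell metacharacters, uppercase) is rejected.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# 16 characters from [A-Za-z0-9] out of /dev/urandom, roughly 95 bits of
# entropy, on a par with the 12 random bytes openssl encodes in the post.
gen_password() {
    head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-16
}

# Create one account, set the temporary password and force a change at first
# login. Returns 1 for a malformed name, 0 (without changes) if the account
# already exists, so a rerun never resets an existing user's password.
create_account() {
    u="$1"
    if ! valid_username "$u"; then
        echo "refusing '$u': not a valid username" >&2
        return 1
    fi
    if id "$u" >/dev/null 2>&1; then
        echo "skipping '$u': account already exists" >&2
        return 0
    fi
    pw="$(gen_password)"
    useradd -m "$u"
    # printf, not echo -e: no escape interpretation of the password text,
    # and passwd --stdin reads exactly one line.
    printf '%s\n' "$pw" | passwd --stdin "$u"
    chage -d 0 "$u"
    echo "User $u created with temporary password: $pw"
}

if [ "$#" -eq 0 ]; then
    echo "usage: $0 username..." >&2
else
    for u in "$@"; do
        create_account "$u" || echo "failed: $u" >&2
    done
fi
```

Invoke it as `./create_accounts.sh user1 user2 user3`. The validation step matters because `useradd` is happy to accept names the rest of the system (sudoers rules, log parsers, mail) will not handle cleanly, and the existence check means the script can be rerun after a partial failure without quietly rotating passwords on accounts that were already handed out.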
Edit the /etc/security/pwquality.conf file on a Red Hat-based system to enforce higher-quality passwords. Below is an example from Alma Linux.
```
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
difok = 1
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = 10
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = -1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = 1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = 1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = 1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Whether to check for the words from the cracklib dictionary.
# The check is enabled if the value is not 0.
# dictcheck = 1
#
# Whether to check if it contains the user name in some form.
# The check is enabled if the value is not 0.
# usercheck = 1
#
# Length of substrings from the username to check for in the password
# The check is enabled if the value is greater than 0 and usercheck is enabled.
# usersubstr = 0
#
# Whether the check is enforced by the PAM module and possibly other
# applications.
# The new password is rejected if it fails the check and the value is not 0.
enforcing = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
#
# Prompt user at most N times before returning with error. The default is 1.
# retry = 3
#
# Enforces pwquality checks on the root user password.
# Enabled if the option is present.
# enforce_for_root
#
# Skip testing the password quality for users that are not present in the
# /etc/passwd file.
# Enabled if the option is present.
# local_users_only
#dcredit = -1
#lcredit = -1
#minlen = 18
#ocredit = -1
#ucredit = -1
```
With these settings, password length and complexity are enforced. Note that only the uncommented lines are active: here `minlen = 10` and `dcredit = -1` (at least one digit is mandatory), while `ucredit`, `lcredit` and `ocredit` are positive and therefore only grant length credits rather than requiring those character classes; the `#minlen = 18` block at the bottom is commented out and has no effect.
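Because it is easy to mistake a commented-out line for policy, here is an added example (not from the original post) that reads a pwquality.conf-style file and reports what is actually in force. The `active_settings`, `setting` and `required_classes` helpers are this example's own, and the sample file is constructed from the values shown above rather than read from a live system; the last-occurrence-wins rule for a duplicated key is an assumption based on the file being parsed top to bottom.

```bash
#!/bin/bash
# Added example (not from the original post): audit which pwquality.conf
# settings are really active. The sample below is constructed from the values
# on this page, including the commented-out block at the end of the file.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Configuration for systemwide password quality limits (constructed sample)
difok = 1
minlen = 10
dcredit = -1
ucredit = 1
lcredit = 1
ocredit = 1
# minclass = 0
# dictcheck = 1
enforcing = 1
# retry = 3
# enforce_for_root
#dcredit = -1
#lcredit = -1
#minlen = 18
#ocredit = -1
#ucredit = -1
EOF

# Print the active settings of FILE as key=value, one per line. Lines whose
# first non-blank character is '#' are comments and are dropped; bare options
# such as enforce_for_root are printed as key=1 so they can be looked up too.
active_settings() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e 's/[[:space:]]*$//' -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' -e '/=/!s/$/=1/' "$1"
}

# Value of KEY in FILE, empty if the key is not active. If a key appears more
# than once, the last occurrence wins (assumed: the file is parsed in order).
setting() {
    active_settings "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Character classes that are hard requirements: per the file's own comments a
# negative credit is a minimum count, a positive one only shortens the
# effective length requirement and never forces that class to be present.
required_classes() {
    for k in dcredit ucredit lcredit ocredit; do
        v="$(setting "$1" "$k")"
        case "$v" in
            -*) case "$k" in
                    dcredit) echo digits ;;
                    ucredit) echo uppercase ;;
                    lcredit) echo lowercase ;;
                    ocredit) echo other ;;
                esac ;;
        esac
    done
}

echo "active settings:"
active_settings "$SAMPLE"
echo "required character classes: $(required_classes "$SAMPLE" | tr '\n' ' ')"
```

On a real host point the functions at `/etc/security/pwquality.conf` (and, on newer releases, the drop-in files under `/etc/security/pwquality.conf.d/`). To test a candidate password against the live policy rather than reading the file, libpwquality's `pwscore` utility reads a password on stdin and prints either a score or the same rejection reason the PAM module would give.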
```
╭──(jcartwrightlocalhost)────╮
╰───────────────────────────╾╯(~)-(192.168.1.5)┋ su user3
Password:
You are required to change your password immediately (administrator enforced).
Current password:
New password:
BAD PASSWORD: The password is shorter than 9 characters
su: Authentication token manipulation error
```
So a password greater than 9 characters and with suitable complexity is required.
```
╭──(jcartwrightlocalhost)────╮
╰───────────────────────────╾╯(~)-(192.168.1.5)┋ su user3
Password:
You are required to change your password immediately (administrator enforced).
Current password:
New password:
Retype new password:
[user3@localhost jcartwright]$
```
This is an easy way to enforce password complexity and length on a Red Hat Linux system.