Unable to create a user with password via ssh [closed]
I tried to create a user with password via ssh (with root permission) like this:
ssh [email protected] useradd -p $(openssl passwd -1 1234) newuser
By doing so, I could successfully create an account named newuser, but I couldn't log in with the expected password (which is 1234).
It makes no difference if I add double quotes:
ssh [email protected] "useradd -p $(openssl passwd -1 1234) newuser"
And then I was wondering if I can generate hashed password and save it as a variable locally, but still with no luck.
password=$(openssl passwd -1 1234)
ssh [email protected] "useradd -p $password newuser"
Is there something that I miss? Thanks in advance!
This is a classic quoting issue.
Problem: Without any quoting, or with double quoting, the command substitution ($()) and variable expansion (the $s in the hashed password returned by openssl are being treated as variable indicators) are being done in the local environment, not on the remote shell.
Solution: use single quotes around the useradd command used with ssh on the local shell to prevent the command substitution and variable expansion in the local environment, and let the expansions take place on the remote non-login, non-interactive shell:
ssh [email protected] 'useradd -p "$(openssl passwd -1 1234)" newuser'
Note the quotings.
Security issues:
- SSH root login should be disabled; if you must have it enabled, only key-based authentication should be allowed
- MD5 is already broken, and without a salt you are subjected to simple Rainbow table attack (does not even need brute forcing/dictionary attack); openssl passwd does generate a random salt though. Anyway, you should really consider using SHA-2 with salting
- Passwords passed as arguments to commands might be visible to other processes in the (remote) system; this depends on how your procfs is mounted (look at hidepid), and if the command is rewriting itself (in this case presumably it does not)
As @heemayl noted, the MD5 password hash algorithm is aged, and current systems use the newer SHA-2 based password hashes, which have a customisable work factor. But the OpenSSL command line tool doesn't seem to support those.
The chpasswd utility, however, will allow you to change the password of a user according to the system settings.
This should allow you to create the new user and change their password on the remote end.
echo "newuser:newpass" | ssh [email protected] 'useradd newuser; chpasswd'
chpasswd takes the username and password from stdin, not the command line. This is actually an advantage since command line arguments are visible to all other processes on the system, so if you run openssl passwd on the remote, the password would be momentarily visible to all processes on the system.
I'm not sure if there is a ready-made command line utility for generating password hashes known by the system crypt(3) function. Perl has the crypt function builtin, but a proper salt would still need to be generated.