Thursday, September 22, 2016

Create user account and set password with one command

I often see forum posts where a system administrator wants to create local user accounts on several servers and doesn't want to set the user's password over and over again. Below I share two ways to do this. The first creates the user account and sets the password in one command. The second sets the password in an additional command. Either way can be used in a script, which speeds things up if you need to create one or more accounts on several systems.

Below is an example of creating a user account.
root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash newuser
root@earth> passwd newuser
passwd: Changing password for username
New Password:
Re-enter new Password:
passwd: password successfully changed for newuser

This method is time consuming and hard to use in a script. Below is an example of using the -p option of the useradd command to set the user's password by supplying the password hash.

root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash -p '$6$jbvkjjg$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/' newuser

This method works on Linux systems such as SLES and RHEL. It does not, however, work on systems such as Solaris.
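
An added example (not from the post) for the -p method: it reads a pre-computed hash from a file instead of the command line, where it would also end up in shell history and ps output, and refuses to run useradd unless the hash has the $6$salt$hash shape. The hash can be produced with openssl passwd -6 (OpenSSL 1.1.1 or later); the file name and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads a pre-computed
# crypt(3) hash from a root-only file (generate one with: openssl passwd -6)
# and refuses to call useradd unless it has the $6$<salt>$<hash> shape, so
# a mangled hash (for example one that lost its leading "$") cannot create
# an account that nobody can log in to.

# is_sha512_crypt <string>: returns 0 if it is a SHA-512 crypt string, else 1
is_sha512_crypt() {
    case "$1" in
        '$6$'*'$'*) ;;                  # must start with the $6$ method id
        *) return 1 ;;
    esac
    salt=${1#\$6\$}; salt=${salt%%\$*}  # text between the 2nd and 3rd "$"
    pwhash=${1##*\$}                    # text after the last "$"
    [ -n "$salt" ] && [ "${#pwhash}" -eq 86 ] || return 1
    case "$pwhash" in
        *[!A-Za-z0-9./]*) return 1 ;;   # only crypt's base64 alphabet
    esac
    return 0
}

# create_user_from_hash_file <user> <file holding the hash, mode 0600>
create_user_from_hash_file() {
    user=$1; hashfile=$2
    pwhash=$(head -n 1 "$hashfile")
    if ! is_sha512_crypt "$pwhash"; then
        echo "refusing to create $user: $hashfile is not a SHA-512 crypt hash" >&2
        return 1
    fi
    useradd -m -s /bin/bash -p "$pwhash" "$user"
}
```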

Alternatively, you can set the user's password by echoing it to standard input, as shown below. The major issue with doing it this way is that the password is recorded in the system logs, and if you're running the command remotely then you're sending the password in the clear. So I don't recommend doing it this way.
root@earth> echo password | passwd newuser --stdin

This method works only on Linux systems.

Other posts with similar info
Linux User Account Creation & Customization
Adding a new user to a UNIX based system

Reference pages.
Online man page - useradd
Online man page - passwd

Tuesday, April 12, 2016

A Better Way to Setup SSH Keys

Note - I have a newer version of this how-to. Please click here 

This is a guide on setting up SSH keys for a Linux based user account. Why set up SSH keys, why not just use your password? SSH keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the password is not transmitted then it can't be intercepted. This works by identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. Not to mention, if you set up an SSH agent then the agent will handle the challenge-response authentication for you.

This guide is not for installing or setting up an SSH server. You must have the sshd service running on your servers in order for your SSH keys to work. All the examples are taken from Red Hat or SUSE servers. The ssh-copy-id command will not work on Solaris servers but all other commands should work fine.

Create your key pair
The ssh-keygen command will generate a public and private key pair. The keys are stored in ~/.ssh. The basic command looks like this: ssh-keygen -t [dsa|rsa]. The -t option sets the type of key. In the example below I create an RSA key pair.
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase; doing so is very insecure. A blank passphrase defeats the purpose of the extra security a key exchange setup gives you. It is also important never to give out your private key, which would also compromise the security of your account.


The old way of transferring the public key to the remote system.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

New way
man@earth> ssh-copy-id user@moon
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
The reason the new way is better than the old way is that ssh-copy-id appends the public key to the authorized_keys file, whereas the old way overwrites the authorized_keys file. This allows the account to use keys from more than one server.

Note- This method will not work on Solaris 10


If your home directory automounts across a lot of servers, you can copy it over with the cat command.
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys


You can also use this method if the ssh-copy-id command is not available to you.
man@earth> cat ~/.ssh/id_rsa.pub | ssh man@moon "mkdir -p ~/.ssh  &&  cat   >>  ~/.ssh/authorized_keys"

Setting up the SSH Agent.

man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_dsa (/home/man/.ssh/id_rsa)

Note- Add these commands to the .bashrc file to start an agent automatically when you log in to a server.

There are other ways to set up the agent, such as using the GNOME GUI for example. If you use VNC, just start your VNC server session in the same terminal you used to start your agent. This way all the terminals launched in your VNC session will use the same agent.

SSH Agent Management
One issue with agents is that sometimes you end up running a lot of agents. Run the command below and kill any agents that you are not using.

man@earth> ps aux | grep agent
If there is more than one agent running then you should kill the additional ssh-agent.

man@earth> pkill ssh-agent
This will only kill agents owned by the user running the command.

One way to kill your ssh-agents is to add a kill statement to the .bash_logout file.

Reference Section
Manpage ssh-copy-id

Related posts on this site.
How to setup SSH Keys
http://rich-notes.blogspot.com/2013/09/how-to-setup-ssh-keys.html

If you have any questions or comments please post below.

Thursday, September 18, 2014

Unlock locked accounts

These are my notes on unlocking user accounts. Below I go over a few ways to get a user account back up and running, such as changing the expiration date on an expired account and resetting the PAM tally for a user.

In keeping with the space theme, I will be using earth as the server's hostname and man as the name of the user account.

This the most common way to unlock your account.
root@earth> passwd -u man

Change the expiration date of the user account
root@earth> usermod --expire 9999 man

This works on some systems
root@earth> ipa user-unlock man

This resets the account if all else fails.
root@earth> pam_tally --user=man --reset
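
An added example (not from the post) that reads the user's /etc/shadow line and says which of the commands above to try first. It takes the shadow line and today's date in days since the epoch (the unit shadow stores) as arguments, so it can be run against a copied line without root; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Given one /etc/shadow line
# and today's date in days since the epoch, says which unlock command from
# the post applies. The pam_tally counter is kept in /var/log/faillog, not
# in shadow, so "ok" means: nothing here, check the tally next.

# shadow_field "<shadow line>" <n>: field n of the colon-separated line
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# diagnose_shadow_line "<shadow line>" <today in days since epoch>
# Prints: password-locked  -> passwd -u
#         account-expired  -> usermod --expire
#         password-expired -> the password must be changed (passwd / chage -d)
#         ok               -> shadow is fine; reset the PAM tally
diagnose_shadow_line() {
    line=$1; today=$2
    # fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    pwhash=$(shadow_field "$line" 2)
    lastchg=$(shadow_field "$line" 3)
    maxdays=$(shadow_field "$line" 5)
    expire=$(shadow_field "$line" 8)
    case "$pwhash" in
        '!'*) echo password-locked; return 0 ;;   # passwd -l prefixes "!"
    esac
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo account-expired; return 0
    fi
    if [ -n "$lastchg" ] && [ -n "$maxdays" ] &&
       [ $((lastchg + maxdays)) -lt "$today" ]; then
        echo password-expired; return 0
    fi
    echo ok
}
```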



References.
www.cyberciti.biz
From RHEL user-unlock command
SuperUser pam command

Tuesday, August 26, 2014

How to Manually Remove the NetBackup Client on Linux


These are my notes on removing a NetBackup client from a Linux system. This how-to is based on the Symantec Tech Note referenced at the bottom of this post, and is for the most part the recommended way of removing NetBackup. I have added a few more steps so that your logs are not filled with error messages.

Shut down running NetBackup processes. (optional)
man@earth> sudo netbackup stop
stopping the NetBackup client daemon
stopping the NetBackup network daemon

Or you can use this command.
man@earth> sudo bp.kill_all

Looking for NetBackup processes that need to be terminated.

Looking for more NetBackup processes that need to be terminated.
Stopping bpcd...
Stopping vnetd...

Check for running processes. (optional)
man@earth> sudo bpps -x
NB Processes
------------

Shared Symantec Processes
-------------------------
root 2827 1 0 Apr22 ? 00:00:00
/opt/VRTSpbx/bin/pbx_exchange
If you see more than what is listed above then NetBackup didn't shut down. If the commands didn't work then move to the next step.

Remove the NetBackup client.
man@earth> rm -r /usr/openv

Look for NetBackup files in xinet.d
man@earth> ls -l /etc/xinetd.d/
Look for the bpcd, bpjava-msvc, vnetd and vopied files. If a file is found, remove it.

Edit the services file.
Backup the /etc/services file. Remove all NetBackup services, such as the ones listed above.

Restart xinetd 
For SUSE run this command
man@earth> sudo /etc/rc.d/xinetd restart

For all others run this command
man@earth> sudo /etc/rc.d/init.d/xinetd restart
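
An added example (not from the post or the Symantec tech note) for the xinetd and services steps: it lists which of the four NetBackup services still have an xinetd file or an /etc/services line after /usr/openv is gone, since those entries are what fill the logs with errors. The directory and file are arguments so it can be tried on copies first; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the post or the Symantec tech note. After
# "rm -r /usr/openv", lists what still refers to the four NetBackup client
# services. Takes the xinetd.d directory and the services file as
# arguments so it can be run against copies before touching /etc.

NB_SERVICES="bpcd bpjava-msvc vnetd vopied"

# netbackup_leftovers <xinetd.d dir> <services file>
# Prints "xinetd <name>" or "services <name>" per leftover; returns 1 if
# anything was printed and 0 when the removal is complete.
netbackup_leftovers() {
    xdir=$1; svcfile=$2; found=0
    for svc in $NB_SERVICES; do
        if [ -e "$xdir/$svc" ]; then
            echo "xinetd $svc"; found=1
        fi
        # /etc/services lines look like "bpcd  13782/tcp  # NetBackup bpcd"
        if grep -q "^$svc[[:space:]]" "$svcfile" 2>/dev/null; then
            echo "services $svc"; found=1
        fi
    done
    return $found
}
```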


Reference:
Tech Note 71923

If you have any questions or comments post them below.

Wednesday, February 19, 2014

My BASH profile

These are notes on how I like to have my command prompt set up. I'm a BASH user so I will be updating the .profile and .bashrc files. Both files are located in the user's home directory.


This is what my prompt looks like. It is a two-line prompt; I find that it helps break up the commands from the output. The second line also gives more room for long commands and helps prevent the line from wrapping over the top of the prompt.
earth:~
man@earth

The basic bash prompt doesn't look all that great, as seen below. To get it to look like the example above, run the command below.

bash
bash$

export PS1="\[\e]2;\h:\w \a\]\[\e[0;31m\]\u\[\e[0m\]@\[\e[0;32m\]\h\[\e[0;34m\]\n<\[\e[0m\] "

Below I have posted my .profile file.
earth:~
man@earth
more .profile

PATH=/usr/xpg4/bin:/usr/bin:/bin:/usr/sbin:/usr/local/sbin:/usr/openwin/bin:/usr/local/bin:/usr/ucb:/etc:/usr/X11/bin:/sbin:/usr/openv/netbackup:/usr/openv/netbackup/bin:/usr/openv/netbackup/bin/admincmd:/usr/openv/netbackup/bin/goodies:/usr/openv/volmgr/bin:/usr/sfw/bin/:$HOME

MANPATH=/usr/share/man:/usr/dt/man:/usr/openwin/share/man:/usr/X11/man:/usr/man:/usr/sfw/man:/usr/local/man:

EDITOR=/usr/bin/vi
TMOUT=0
TIMEOUT=0

#alias xterm="xterm -sl 1000 &"
# \[ and \] bracket the title and colour escapes so bash does not count them
# as printed characters when it works out where the line wraps.
#export PS1="\[\e]2;\h:\w \a\]\[\e[0;31m\]\u@\[\e[0;32m\]\h\[\e[0;34m\]>\[\e[0m\] "
export PS1="\[\e]2;\h:\w \a\]\[\e[0;31m\]\u\[\e[0m\]@\[\e[0;32m\]\h\[\e[0;34m\]\n<\[\e[0m\] "
The PATH variable stores the directories of the commands you want to use, so you don't need to provide the full path for each command you run. The MANPATH variable works the same way, but for finding man pages.
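
An added example (not from the post) that audits a PATH value such as the one above before it is exported: an empty or relative entry means the current directory, a missing directory is dead weight, and a world-writable directory lets another local user put a program in front of the command you meant to run. It assumes GNU or BSD stat; the function name is my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a PATH string and
# prints the entries that should not be there. Needs GNU or BSD stat.

# audit_path "<PATH string>": prints one finding per line, returns 0 when
# there is nothing to report and 1 otherwise.
audit_path() {
    bad=0
    # A leading or trailing colon, or "::", is an empty entry, i.e. ".".
    case "$1" in
        :*|*:|*::*) echo "empty entry (current directory) in PATH"; bad=1 ;;
    esac
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        if [ -z "$dir" ]; then continue; fi
        if [ "$dir" = "." ] || [ "${dir#/}" = "$dir" ]; then
            echo "relative entry: $dir"; bad=1; continue
        fi
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"; bad=1; continue
        fi
        # Octal mode of the directory (symlinks followed); a last digit of
        # 2, 3, 6 or 7 means "others" may create files in it.
        mode=$(stat -L -c %a "$dir" 2>/dev/null || stat -L -f %Lp "$dir")
        case "$mode" in
            *[2367]) echo "world-writable: $dir"; bad=1 ;;
        esac
    done
    IFS=$old_ifs
    return $bad
}
```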



Tuesday, October 22, 2013

Get the OpenSSL version

I often have to check which versions of applications we have installed on our servers. Below I have posted the method of checking the version of OpenSSL installed on a server. The command below should work on any UNIX based operating system. It might even work on Windows.

man@earth> openssl version -a

To find the non system or embedded versions you will have to run the find command. Shown below.

root@earth> find / -name openssl -type f 2>/dev/null


I hope this helps someone

Friday, September 6, 2013

How to setup SSH Keys

Note - I have a newer version of this how-to. Please click here 

This is a guide on setting up SSH keys for a UNIX based account. What are SSH keys you ask? They are a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. SSH keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the password is not transmitted then it can't be intercepted.
This guide is not for installing or setting up an SSH server. You must have SSH running on your servers in order for your SSH keys to work. All the examples are taken from a Solaris 10 (SPARC) server. This guide should also work on any UNIX based operating system like Linux, BSD and the Mac.

Create your key pair
The ssh-keygen command will generate a public and private key pair. The keys are stored in ~/.ssh. The basic command looks like this: ssh-keygen -t [dsa|rsa]. The -t option sets the type of key. In the example below I create an RSA key pair.
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase; doing so is very insecure. A blank passphrase defeats the purpose of the extra security a key exchange setup gives you. It is also important never to give out your private key, which would also compromise the security of your account.

Copy public key
Copy your public key to the authorized_keys file on the remote server.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

If your home directory automounts across a lot of servers, you can copy it over with the cat command.
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
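
An added example (not from this post or the "A Better Way to Setup SSH Keys" post above) covering the copy step in both: it appends a public key to authorized_keys the way ssh-copy-id does, rather than replacing the file as the scp command here does, skips a key that is already present, and sets the permissions sshd's StrictModes checks. The function names are my own.

```shell
#!/bin/sh
# Added example, not from either SSH post. Appends one public key to an
# authorized_keys file without replacing it, without adding a key twice,
# and with the 700/600 permissions sshd expects on ~/.ssh and the file.

# install_pubkey <id_rsa.pub> <authorized_keys path>
# Returns 0 when the key is present afterwards, 1 if the .pub file does
# not hold a public key line.
install_pubkey() {
    pub=$1; authkeys=$2
    keyline=$(head -n 1 "$pub")
    # A usable line is "<type> <base64 key> [comment]".
    case "$keyline" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key line: $pub" >&2; return 1 ;;
    esac
    # Compare type and key material only, so a different comment on the
    # same key does not count as a new key. (Lines that start with
    # options such as command="..." are not matched by this check.)
    keymat=$(printf '%s\n' "$keyline" | awk '{print $1 " " $2}')
    keydir=$(dirname "$authkeys")
    mkdir -p "$keydir" && chmod 700 "$keydir"
    touch "$authkeys" && chmod 600 "$authkeys"
    if awk '{print $1 " " $2}' "$authkeys" | grep -qxF -- "$keymat"; then
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authkeys"
}

# count_keys <authorized_keys path>: number of key lines in the file
count_keys() {
    grep -c '^[a-z]' "$1"
}
```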

Setup Agent
At this point, when you log in you get prompted for a passphrase. To stop this from happening you need to set up an SSH agent. Run the command below and type in your passphrase when prompted.
man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/vivek/.ssh/id_dsa (/home/man/.ssh/id_rsa)

There are other ways to set up the agent, such as using the GNOME GUI for example. Unfortunately that only works if you're running a GNOME desktop. If you're a VNC user, you should start your VNC server session after starting your agent, in the same terminal. This way all the terminals launched in your VNC session will use the same agent.

One issue with agents is that sometimes you end up running a lot of them. As a good practice, run the command below and kill any agents that you are not using.
man@earth> ps -ef | grep agent

References
g-loaded.eu
Symantec: SSH and ssh-agent

If you have any questions or comments please post below.

Thursday, April 25, 2013

Bash Shortcut keys

I found this little reference chart on the short cut keys in BASH. These short cut keys allow for command line editing. I for example use Ctrl + A all the time to edit the line.


Ctrl + A Go to the beginning of the line you are currently typing on
Ctrl + E Go to the end of the line you are currently typing on
Ctrl + L Clears the screen, similar to the clear command
Ctrl + U Clears the line before the cursor position. If you are at the end of the line, clears the entire line.
Ctrl + H Same as backspace
Ctrl + R Lets you search through previously used commands
Ctrl + C Kill whatever you are running
Ctrl + D Exit the current shell
Ctrl + Z Puts whatever you are running into a suspended background process. fg restores it.
Ctrl + W Delete the word before the cursor
Ctrl + K Clear the line after the cursor
Ctrl + X Then Backspace clear the line before the cursor
Ctrl + T Swap the last two characters before the cursor
Esc + L Changes to upper case
Esc + U Changes to lower case
Esc + T Swap the last two words before the cursor
Alt + F Move cursor forward one word on the current line
Alt + B Move cursor backward one word on the current line
Tab Auto-complete files and folder names

Reference:
http://www.howtogeek.com/howto/ubuntu/keyboard-shortcuts-for-bash-command-shell-for-ubuntu-debian-suse-redhat-linux-etc/
I found this chart at the link above.

Thursday, April 11, 2013

Script for checking accounts

In a perfect world all user accounts are centrally managed by a directory server such as NIS, LDAP or Active Directory. Unfortunately not all servers use centrally managed accounts, and some servers are set aside as stand-alone servers. It can be a real pain to find out your account's password has expired and then be forced to change it before you can log in. So I wrote this little script because I need to know when my passwords are about to expire. This way I can change my passwords on all the servers before they expire.

I have three different operating systems at work so of course they all do this differently. In this how to I will be using examples from Solaris 10, RHEL 5 (Red Hat Enterprise Linux) and SLES 11 (SUSE Linux Enterprise Server). I created a different file, containing the server names, for each OS.

The script below logs into each server listed in the server-sol file, runs the passwd -s command and prints the output on the screen. It then runs the chage -l command on the Linux servers. SUSE needs elevated privileges to run chage -l, so I add sudo to that line. The line with the echo statement prints the server's name indented and in bold.

man@earth>cat check-login2
for s in `cat server-sol`
do echo -e "\e[1m $s \033[0m "
ssh -q $s sudo passwd -s man
done
for r in `cat server-rhel`
do echo -e "\e[1m $r \033[0m "
ssh -q $r chage -l man
done
for sles in `cat server-suse`
do echo -e "\e[1m $sles \033[0m "
ssh -q $sles sudo chage -l man
done

Examples of output from the script on the different OS versions.
man@earth>./check-login2
   solaris-server
rich PS 04/03/13 7 56 7
   rhel-server
Last password change : Apr 03, 2013
Password expires : May 29, 2013
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 56
Number of days of warning before password expires : 7
   sles-server
Minimum: 1
Maximum: 60
Warning: 7
Inactive: 35
Last Change: Apr 03, 2013
Password Expires: Jun 02, 2013
Password Inactive: Jul 07, 2013
Account Expires: Never

As you can see there is a difference in the output each OS gives you. If you have any comments or questions please post them below.
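
An added example (not from the post) that turns each of the three outputs above into a single number, days until the password expires, so the script can print one line per server instead of a block to read. It assumes GNU date (for date -d), as on the RHEL and SLES hosts; the Solaris mm/dd/yy date is converted by hand. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Normalises the passwd -s
# (Solaris) and chage -l (RHEL and SLES wording) outputs shown in the post
# into days until the password expires. Assumes GNU date for "date -d".

# days_between <from date> <to date>: whole days, dates in any form GNU
# date accepts ("2013-04-03", "May 29, 2013"); -u avoids DST off-by-ones.
days_between() {
    a=$(date -u -d "$1" +%s); b=$(date -u -d "$2" +%s)
    echo $(( (b - a + 43200) / 86400 ))
}

# days_left <today YYYY-MM-DD> "<one server's output>"
# Prints the number of days until expiry, or "never".
days_left() {
    today=$1; out=$2
    # Solaris: "rich PS 04/03/13 7 56 7" -> last change mm/dd/yy, max days
    sol=$(printf '%s\n' "$out" | awk 'NF==6 && $2=="PS" {print $3, $5}')
    if [ -n "$sol" ]; then
        set -- $sol
        last=$(printf '%s\n' "$1" | awk -F/ '{printf "20%s-%s-%s", $3, $1, $2}')
        echo $(( $(days_between "$today" "$last") + $2 ))
        return 0
    fi
    # Linux: "Password expires : May 29, 2013" (RHEL) or
    #        "Password Expires: Jun 02, 2013" (SLES)
    exp=$(printf '%s\n' "$out" | sed -n 's/^[Pp]assword [Ee]xpires *: *//p')
    case "$exp" in
        ""|never|Never) echo never; return 0 ;;
    esac
    days_between "$today" "$exp"
}
```

Replacing each ssh line in check-login2 with something like ssh -q "$s" chage -l man | days_left "$(date +%F)" "$(cat)" is the natural next step, but reading the output into a variable first, as the function expects, keeps the three formats in one place.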