Wednesday, December 3, 2014
===========================

makecitizen
-----------

{sysops, scripting, adduser, chfn}

Paul Ford sent out an e-mail to the tilde.club waitlist pointing at
~pfhawkins's list of other tildes, so I'm getting signup requests.  There are
enough that I want to write a script for adding a new squiggle.city user.  I'm
not determined to be very fancy about this right now; I just want to save some
keystrokes.

The first thing I do is google "adduser".  `adduser(1)` is basically just a
front end to `useradd(1)`.  (This distinction will never stop being confusing,
and should probably be a lesson to anyone considering that naming pattern.)  I
learn via Wikipedia that the metadata (name, room number, phone, etc.) which
adduser prompts for is called the
[GECOS field](http://en.wikipedia.org/wiki/Gecos_field), and is a relic of something
called the General Electric Comprehensive Operating System, which ran on some
machines at Bell Labs.

You can change that info with `chfn(1)`.

What my script needs to do is:

  1. create a user with a given `$USERNAME`
  2. generate a random password for the user and tell me
  3. do `chage -d0 $USERNAME`
  4. put a given public key in `~$USERNAME/.ssh/authorized_keys`

You can't log in to squiggle.city with a password, so why go to the trouble of
setting a random one and forcing users to change it at their first login?
Mostly because users are going to need to know a password for things like
changing their shell or in the case that they get operator privileges one day.

This is what I come up with, after a couple of even dumber iterations:

    #!/bin/bash

    CITIZEN=$1
    KEYSTRING=$2

    # Complain and exit if we weren't given a path and a property:
    if [[ ! $CITIZEN || ! $KEYSTRING ]]; then
      echo "usage: makecitizen <username> <key>"
      exit 64
    fi

    # this should actually check if a _user_ exists,
    # not just the homedir
    if [ -d /home/$CITIZEN ]; then
      echo "$CITIZEN already exists - giving up"
      exit 68
    fi

    PASSWORD=`apg -d -n2`

    adduser --disabled-login $CITIZEN
    echo "$CITIZEN:$PASSWORD" | chpasswd
    chage -d 0 $CITIZEN

    echo "$KEYSTRING" >> /home/$CITIZEN/.ssh/authorized_keys  

    echo "passwd: $PASSWORD"

    exit 0

This is used like so:

    root@squiggle:~# ./makecitizen jrandomuser "ssh-rsa ..."

It'll still do `adduser` interactively, which is fine for my purposes.

I think this would be improved if it took a fullname and e-mail as input,
and then sent that person a message, or at least output the text of one,
telling them their password.

It'd probably be improved even more than that if it operated in batch mode, was
totally idempotent, and could be driven off some separate file or output
containing the set of users.

(Thoughts like this are how systems like Puppet and Chef are born.)