How to securely change user password using shell script

Securely change a user's password from a shell script, so that the task can be automated on the rare occasions it is needed.

Encrypt user password

Encrypt the password using the SHA256 algorithm with a random salt.

$ printf "mypassword1" | mkpasswd --stdin --method=sha-256
$5$zqOp7c57yLt$VABrKc8X1TjWi0zA/EdxvWFiR59dTsIAB0b5Zq4Xgl5

Encrypt the password using the SHA512 algorithm with a defined salt.

$ printf "mypassword2" | mkpasswd --stdin --method=sha-512 --salt "KdN5Re3X2X18"
$6$KdN5Re3X2X18$7z85OKGKHHUoOpF/9ZAaFlEd3r8hB7Bw/1Nn/iKCfOesFSsDDooO0/1HBwnPc9ternlOk4z/.ixByZidlRqCn0

The available encryption algorithms are DES, MD5, SHA256 and SHA512.

You do not need to specify a particular encryption algorithm, as PAM will be used to encrypt the password.

$ cat /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password	[success=1 default=ignore]	pam_unix.so obscure sha256
# here's the fallback if no module succeeds
password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

As you can see, the SHA512 algorithm will be used by default.

Change user password

Change the password of a particular user.

Use single quotes to preserve the literal value of each character within the quotes.

$ printf 'milosz:$5$TE9qUgZsrPH2B$Z6leshvNS1M2POmcyNec5liVfY17efGUUEHS0CdyPh6' | sudo chpasswd --encrypted

Change passwords for multiple users using a here document.

Use single quotes around the here-document delimiter to disable parameter substitution.

$ sudo chpasswd --encrypted << 'EOF'
milosz:$5$zqOp7c57yLt$VABrKc8X1TjWi0zA/EdxvWFiR59dTsIAB0b5Zq4Xgl5
michal:$6$KdN5Re3X2X18$7z85OKGKHHUoOpF/9ZAaFlEd3r8hB7Bw/1Nn/iKCfOesFSsDDooO0/1HBwnPc9ternlOk4z/.ixByZidlRqCn0
EOF

Change passwords for multiple users using a simple password file.

$ cat users.txt
milosz:$5$zqOp7c57yLt$VABrKc8X1TjWi0zA/EdxvWFiR59dTsIAB0b5Zq4Xgl5
michal:$6$KdN5Re3X2X18$7z85OKGKHHUoOpF/9ZAaFlEd3r8hB7Bw/1Nn/iKCfOesFSsDDooO0/1HBwnPc9ternlOk4z/.ixByZidlRqCn0
$ cat users.txt | sudo chpasswd --encrypted
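The two steps above (hashing with mkpasswd, then feeding chpasswd --encrypted) put together as one POSIX shell script. This is an added example, not code from the original post: it reads "user:plaintext" lines from a file, hashes each password with mkpasswd --stdin and a random SHA-512 salt so the plaintext is never placed on a command line, and checks every resulting line before chpasswd sees it, so that plaintext, DES or MD5 hashes, odd user names and lines without a separator are rejected. The function names, the plaintext file format and the file name plain.txt are assumptions made for this example; mkpasswd from the Debian whois package is assumed to be installed. The check itself needs only grep and can be run on its own against a prepared file such as users.txt.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Builds and checks input for "chpasswd --encrypted". Assumes the mkpasswd
# command from the Debian "whois" package (used on the page); the function
# names and the plaintext file format are assumptions made for this example.

# Print "user:hash" for one user. The plaintext comes in on stdin and is
# hashed with SHA-512 and a random salt; it is never passed as an argument,
# so it does not appear in "ps" output or the shell history.
hash_user_password() {
    printf '%s:%s\n' "$1" "$(mkpasswd --stdin --method=sha-512)"
}

# Exit 0 only when every stdin line is "user:$5$..." or "user:$6$..." in
# sha-crypt format. Anything else (plaintext, DES or MD5 hashes, odd user
# names, missing separator) is reported on stderr and makes the check fail.
validate_chpasswd_input() {
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *:*) ;;
            *) echo "line $n: missing ':' separator" >&2; bad=1; continue ;;
        esac
        user=${line%%:*}
        pwhash=${line#*:}
        # Conservative user name: lowercase, digits, '_' and '-', at most 32 chars
        if ! printf '%s\n' "$user" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'; then
            echo "line $n: invalid user name '$user'" >&2; bad=1; continue
        fi
        # $5$ = SHA-256 (43-char digest), $6$ = SHA-512 (86-char digest).
        # Optional "rounds=N$" prefix, then a salt of 1..16 chars from [./0-9A-Za-z].
        if ! printf '%s\n' "$pwhash" | grep -Eq '^[$]5[$](rounds=[0-9]+[$])?[./0-9A-Za-z]{1,16}[$][./0-9A-Za-z]{43}$' \
           && ! printf '%s\n' "$pwhash" | grep -Eq '^[$]6[$](rounds=[0-9]+[$])?[./0-9A-Za-z]{1,16}[$][./0-9A-Za-z]{86}$'; then
            echo "line $n: not a SHA-256/SHA-512 crypt hash for '$user'" >&2; bad=1; continue
        fi
    done
    return $bad
}

# Usage: sh change-passwords.sh plain.txt
# plain.txt holds "user:plaintext" lines; keep it readable only by root
# (chmod 600) and remove it afterwards. The hashed file is written with umask 077.
if [ $# -eq 1 ]; then
    umask 077
    hashed=$(mktemp) || exit 1
    while IFS=: read -r user plain; do
        printf '%s' "$plain" | hash_user_password "$user"
    done < "$1" > "$hashed"
    if validate_chpasswd_input < "$hashed"; then
        sudo chpasswd --encrypted < "$hashed"
    fi
    rm -f "$hashed"
fi
```

The validation step is what makes the batch safe to automate: chpasswd --encrypted stores whatever string it is given verbatim, so a line that accidentally still holds a plaintext password, or a weak DES or MD5 hash, would otherwise land in the shadow file unnoticed. Running validate_chpasswd_input against the users.txt shown above succeeds; it fails on any line that is not a SHA-256 or SHA-512 crypt string.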

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system. He is also open for new opportunities and challenges.

Gdansk, Poland https://sleeplessbeastie.eu