| author | gene <gene@cvs.openbsd.org> | 1997-05-29 04:26:57 +0000 |
|---|---|---|
| committer | gene <gene@cvs.openbsd.org> | 1997-05-29 04:26:57 +0000 |
| commit | 417038ac1e8934e3668b33c27b20aa15fcb65101 (patch) | |
| tree | 08b7fd25fcd6985450d0d7b37af63859af6431ff | |
| parent | f20c562d87144b5edd5667db1dfdd6cd5dc5cea4 (diff) | |
Major cleanup:
+ No longer prompt for setting of default options _every_ time it's invoked.
Only does that when adduser.conf doesn't exist or with the passing of
-config_create
+ Scriptwork cleanup and prettying
+ Fix the manpage to use proper English and give examples and better docs in
general.
+ Improve the bonehead question "Use passwords" to seem more intuitively
meaningful.
+ Add support for multiple kinds of encryption with a default entry or a new
-e flag (passwd.conf). TODO: Make adduser grok passwd.conf and add users
for whom the encryption is different to it.
+ "and more..." see the manpage.
| -rw-r--r-- | usr.sbin/adduser/adduser.8 | 164 |
|---|---|---|
| -rw-r--r-- | usr.sbin/adduser/adduser.perl | 209 |

2 files changed, 235 insertions, 138 deletions
diff --git a/usr.sbin/adduser/adduser.8 b/usr.sbin/adduser/adduser.8 index a81c43871b3..f94d88d0b3e 100644 --- a/usr.sbin/adduser/adduser.8 +++ b/usr.sbin/adduser/adduser.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: adduser.8,v 1.1 1996/09/28 05:58:35 downsj Exp $ +.\" $OpenBSD: adduser.8,v 1.2 1997/05/29 04:26:55 gene Exp $ .\" .\" Copyright (c) 1995-1996 Wolfram Schneider <wosch@FreeBSD.org>. Berlin. .\" All rights reserved. @@ -37,22 +37,24 @@ .Nm adduser [-batch username [group[,group]...] [fullname] [password]] [-check_only] [-config_create] [-dotdir dotdir] - [-group login_group] [-h|-help] [-home home] - [-message message_file] [-noconfig] [-shell shell] - [-s|-silent|-q|-quit] [-uid uid_start] [-v|-verbose] - + [-e|-encrypt method] [-group login_group] [-h|-help] + [-home home] [-message message_file] [-noconfig] + [-shell shell] [-s|-silent|-q|-quiet] [-uid uid_start] + [-v|-verbose] .Sh DESCRIPTION .Nm Adduser -is a simple program for adding new users. Adduser checks -passwd, group and shell database. It creates passwd/group entry, -HOME-directory, dotfiles and sends new user a welcome message. +is a simple program for adding new users. Adduser first performs consistency +checks on the passwd, group, and shell databases. It creates passwd/group +entries, a HOME-directory, and dotfiles for a new user, and sends +him or her a welcome message at the discretion of the person creating +the account. .Sh RESTRICTIONS .Bl -tag -width Ds -compact .It Sy username -Login name. Only lowercase characters or digits. Maximum length -is 8 characters (see +Login names should contain only lowercase characters or digits. They should be +no longer than 8 characters (see .Xr setlogin 2 BUGS section). .\" The reasons for this limit are "Historical". 
@@ -67,19 +69,26 @@ If you need a longer login name for e-mail addresses, you can define an alias in .Pa /etc/aliases . .It Sy fullname -Firstname and surname. +This should contain the user's firstname and surname. The .Ql Pa \: -not allowed. +is not permitted.. .It Sy shell -Only valid shells from shell database or sliplogin and pppd +Only valid entries from the +.Xr shells 5 +database or entries corresponding to sliplogin and pppd are permitted. .It Sy uid -Automatically generated or your choice, less than 32000. +This value is automatically generated or assigend at the invoker's +discretion; however, it must be less than 32000. .It Sy gid/login group -Your choice or automatically generated. +This value is generated automatically, but it can be specified at the +discretion of the person invoking the program. .It Sy password -If not empty, password is encoded with crypt. +If not empty, the password is encrypted according to +.Xr passwd.conf 5 +If empty, the account will be automatically disabled to prevent spurious +access to it. +. .El - .\" .Sh UNIQUE GROUP .\" Perhaps you're missing what *can* be done with this scheme that falls apart .\" with most other schemes. With each user in his/her own group the user can 
@@ -96,95 +105,107 @@ If not empty, password is encoded with crypt. .\" .\" I have been using this model for almost 10 years and found that it works .\" for most situations, and has never gotten in the way. (Rod Grimes) - .Sh CONFIGURATION +Adduser follows these steps to extract its configuration +information: .Bl -tag -width Ds -compact .It Sy 1. -Read intern variables. +Read internal variables. .It Sy 2. -Read config file (/etc/adduser.conf) +Read configuration file (/etc/adduser.conf) .It Sy 3. -Parse command line options +Parse command-line options .El +The adduser.conf format is explained within that file and is quite +straightforward. + .Sh OPTIONS .Bl -tag -width Ds .It Sy -batch username [group[,group]...] [fullname] [password] -Batch mode. +Enter batch mode in which multiple users are specified on the command line +in a compact format. .It Sy -check_only -Check /etc/passwd, /etc/group, /etc/shells and exit. +Check the passwd, group, shells databases for consistency and problems +then exit without performing any other operation. .It Sy -create_config -Create new config and message file and exit. +Create or edit default configuration information and message file before +proceeding with the normal interactive adduser procedure. .It Sy -dotdir Ar directory Copy files from .Ar directory -into the HOME-directory of new users, +into the HOME-directory of new users. Files named in the fashion of .Ql Pa dot.foo -files renamed to +will be renamed to .Ql Pa .foo . -Don't copy files if -.Ar directory -equal with -.Ar no . -For security make all files writable and readable for owner, -don't allow group or world to write files and allow only owner -to read/execute/write .rhost, .Xauthority, .kermrc, .netrc, Mail, -prv, iscreen, term. +By default, all files are made writable and readable by +their owner. +.\" don't allow group or world to write files and allow only owner +.\" to read/execute/write .rhost, .Xauthority, .kermrc, .netrc, Mail, +.\" prv, iscreen, term. 
+ +.It Sy -encrypt,-e Ar method +Encrypt local passwords using +.Ar method +of encryption as described in +.Xr passwd.conf 5 . .It Sy -group Ar login_group -Login group. +Specify the default login group. A value of .Ar USER -means use username as login group. +means that the username is to be used as the login group. .It Sy -help,-h,-? -Print options and exit. +Print a summary of options and exit. .It Sy -home Ar partition -Default home partition where all users located. +Specify the default home partition where all users home directories +are to be located. .It Sy -message Ar file -Send new users a welcome message. -Don't send message if -.Ar file -equal with -.Ar no . +Send new users a welcome message from +.Ar file . +Specifying a value of +.Ar no +for +.Ar file +causes no message to be sent to new users. .It Sy -noconfig -Do not read config file. +Do not read the default configuration file. .It Sy -shell Ar shell -Default shell for new users. +Specify the default shell for new users. -.It Sy -silent,-s,-quit,-q -Few warnings, question, bug reports. +.It Sy -silent,-s,-quiet,-q +Causes the program to print fewer warnings, questions, and bug reports. .It Sy -uid Ar uid Use uid's from .Ar uid -up. +up when automatically generating uid's. .It Sy -verbose,-v -Many warning, question. Recommended for novice users. - +Causes the program to print many warnings and question. +This option is recommended for novice users. +.\" .Sh FORMAT +.\" .Bl -tag -width Ds -compact +.\" .Ql Pa # +.\" is a comment. -.Sh FORMAT -.Bl -tag -width Ds -compact -.Ql Pa # -is a comment. - -.P -.It Sy config file -.Nm Adduser -reads and writes this file. -See /etc/adduser.conf for more details. -.It Sy message file -Eval variables in this file. See /etc/adduser.message for more -details. -.El +.\" .P +.\" .It Sy config file +.\" .Nm Adduser +.\" reads and writes this file. +.\" See /etc/adduser.conf for more details. +.\" .It Sy message file +.\" Eval variables in this file. 
See /etc/adduser.message for more +.\" details. +.\" .El .Sh EXAMPLES .Pp @@ -193,19 +214,19 @@ $ adduser Start adduser in interactive mode. .Pp -$ adduser -batch baerenklau guest,staff,baer 'Teddy II' qwerty7 +$ adduser -batch falken guest,staff,beer 'Prof. Falken' joshua .Pp -Create user 'baerenklau' and login group 'baerenklau'. Invite user -baerenklau into groups guest, staff and baer. Realname (fullname) -is 'Teddy II'. Password is 'qwerty7' (don't use such password!). Create -HOME directory '/home/baerenklau' and copy all files and directories -from /usr/share/skel to /home/baerenklau. Send user baerenklau +Create user 'falken' and login group 'falken'. Invite user +falken into groups guest, staff and beer. Realname (fullname) +is 'Prof. Falken'. Password is 'joshua' (don't use such a password!). Create +the HOME directory '/home/falken' and copy all files and directories +from /usr/share/skel to /home/falken. Send user falken a welcome message. .Pp $ adduser -uid 5000 -group guest -message no -batch vehlefanz .Pp -Create user 'vehlefanz'. Login group is guest. Uid is up to +Create user 'vehlefanz' in login group guest. Uid is up to 5000, for instance 5007. No other groups, no realname, no password. Do not send a welcome message. @@ -234,6 +255,7 @@ logfile for adduser .Xr setlogin 2 , .Xr aliases 5 , .Xr passwd 5 , +.Xr passwd.conf 5 , .Xr group 5 , .Xr shells 5 , .Xr adduser_proc 8 , diff --git a/usr.sbin/adduser/adduser.perl b/usr.sbin/adduser/adduser.perl index a39df427e8b..c1a52edfd14 100644 --- a/usr.sbin/adduser/adduser.perl +++ b/usr.sbin/adduser/adduser.perl @@ -1,6 +1,6 @@ #!/usr/bin/perl # -# $OpenBSD: adduser.perl,v 1.4 1997/02/25 00:01:52 downsj Exp $ +# $OpenBSD: adduser.perl,v 1.5 1997/05/29 04:26:56 gene Exp $ # # Copyright (c) 1995-1996 Wolfram Schneider <wosch@FreeBSD.org>. Berlin. # All rights reserved. 
@@ -28,8 +28,41 @@ # # $From: adduser.perl,v 1.22 1996/12/07 21:25:12 ache Exp $ +################ +# main +# +$test = 0; # test mode, only for development +$check_only = 0; + +&check_root; # you must be root to run this script! +&variables; # initialize variables +&config_read(@ARGV); # read variables from config-file +&parse_arguments(@ARGV); # parse arguments + +if (!$check_only && $#batch < 0) { + ©right; &hints; +} + +# check +$changes = 0; +&passwd_check; # check for valid passwdb +&shells_read; # read /etc/shells +&passwd_read; # read /etc/master.passwd +&group_read; # read /etc/group +&group_check; # check for incon* +exit 0 if $check_only; # only check consistence and exit + +exit(!&batch(@batch)) if $#batch >= 0; # batch mode + +# Interactive: +# main loop for creating new users +&new_users; # add new users + +#end + -# read variables +# Set adduser "default" variables internally before groking config file +# Adduser.conf supercedes these sub variables { $verbose = 1; # verbose = [0-2] $defaultpasswd = "yes"; # use password for new users @@ -45,13 +78,15 @@ sub variables { $etc_passwd = "/etc/master.passwd"; $group = "/etc/group"; $pwd_mkdb = "pwd_mkdb -p"; # program for building passwd database - + $encryptionmethod = "blowfish"; # List of directories where shells located @path = ('/bin', '/usr/bin', '/usr/local/bin'); # common shells, first element has higher priority @shellpref = ('csh', 'sh', 'bash', 'tcsh', 'ksh'); + @encryption_methods = ('blowfish', 'md5', 'des'); + $defaultshell = 'sh'; # defaultshell if not empty $group_uniq = 'USER'; $defaultgroup = $group_uniq;# login groupname, $group_uniq means username @@ -102,7 +137,7 @@ sub shells_read { local($sh); local($err) = 0; - print "Check $etc_shells\n" if $verbose; + print "Reading $etc_shells\n" if $verbose; open(S, $etc_shells) || die "$etc_shells:$!\n"; while(<S>) { 
@@ -717,8 +752,9 @@ sub new_users { if (&new_users_ok) { $new_users_ok = 1; - $cryptpwd = ""; - $cryptpwd = crypt($password, &salt) if $password ne ""; + $cryptpwd = "*"; # Locked by default + $cryptpwd = encrypt($password, &salt) if ($password ne ""); + # obscure perl bug $new_entry = "$name\:" . "$cryptpwd" . "\:$u_id\:$g_id\::0:0:$fullname:$home/$name:$sh"; @@ -758,8 +794,8 @@ sub batch { ($flag, $new_groups) = &new_users_groups_valid($groups); return 0 if $flag; - $cryptpwd = ""; - $cryptpwd = crypt($password, &salt) if $password ne ""; + $cryptpwd = "*"; # Locked by default + $cryptpwd = encrypt($password, &salt) if $password ne ""; # obscure perl bug $new_entry = "$name\:" . "$cryptpwd" . "\:$u_id\:$g_id\::0:0:$fullname:$home/$name:$sh"; @@ -776,7 +812,7 @@ sub batch { sub password_default { local($p) = $defaultpasswd; if ($verbose) { - $p = &confirm_yn("Use passwords", $defaultpasswd); + $p = &confirm_yn("Prompt for passwords by default", $defaultpasswd); $changes++ unless $p; } return "yes" if (($defaultpasswd eq "yes" && $p) || @@ -784,6 +820,30 @@ sub password_default { return "no"; # otherwise } +# get default encryption method +sub encryption_default { + local($m) = ""; + if ($verbose) { + while (&encryption_check($m) == 0) { + $m = &confirm_list("Default encryption method for passwords", 1, + $encryption_methods[0], @encryption_methods); + } + } + return($m); +} + +# Confirm that we have a valid encryption method +sub encryption_check { + local ($m) = $_[0]; + + foreach $i (@encryption_methods) { + if ($m eq $i) { return 1; } + } + + if ($m =~ /^blowfish,(\d+)$/) { return 1; } + return 0; +} + # misc sub check_root { die "You are not root!\n" if $< && !$test; @@ -796,13 +856,14 @@ usage: adduser [-check_only] [-config_create] [-dotdir dotdir] + [-e|-encryption method] [-group login_group] [-h|-help] [-home home] [-message message_file] [-noconfig] [-shell shell] - [-s|-silent|-q|-quit] + [-s|-silent|-q|-quiet] [-uid uid_start] [-v|-verbose] 
@@ -824,24 +885,55 @@ sub uniq { return @array; } -# see /usr/src/usr.bin/passwd/local_passwd.c or librcypt, crypt(3) +# Generate an appropriate argument to encrypt() +# That may be a DES salt or a blowfish rotation count sub salt { local($salt); # initialization - local($i, $rand); - local(@itoa64) = ( 0 .. 9, a .. z, A .. Z ); # 0 .. 63 - - warn "calculate salt\n" if $verbose > 1; - # to64 - for ($i = 0; $i < 8; $i++) { - srand(time + $rand + $$); - $rand = rand(25*29*17 + $rand); - $salt .= $itoa64[$rand & $#itoa64]; + if ($encryptionmethod eq "des") { + local($i, $rand); + local(@itoa64) = ( 0 .. 9, a .. z, A .. Z ); # 0 .. 63 + + warn "calculate salt\n" if $verbose > 1; + + for ($i = 0; $i < 8; $i++) { + srand(time + $rand + $$); + $rand = rand(25*29*17 + $rand); + $salt .= $itoa64[$rand & $#itoa64]; + } + } elsif ($encryptionmethod eq "md5") { + $salt = ""; + } elsif ($encryptionmethod =~ /^blowfish/ ) { + ($encryptionmethod, $salt) = split(/\,/, $encryptionmethod); + if ($salt eq "") { $salt = 7; } # default rounds inf unspecified + } else { + warn "$encryptionmethod encryption method invalid\n" if ($verbose > 0); + warn "Falling back to blowfish,7...\n" if ($verbose > 0); + $encryptionmethod = "blowfish"; + $salt = 7; } + warn "Salt is: $salt\n" if $verbose > 1; return $salt; } +# Encrypt a password using the selected method +sub encrypt { + local($pass, $salt) = ($_[0], $_[1]); + local $args, $crypt; + + if ($encryptionmethod eq "des") { + $args = "-s $salt"; + } elsif ($encryptionmethod eq "md5") { + $args = "-m"; + } elsif ($encryptionmethod eq "blowfish") { + $args = "-b $salt"; + } + + $crypt = `encrypt $args $pass`; + chop $crypt; + return($crypt); +} # print banner sub copyright { 
@@ -867,7 +959,7 @@ sub parse_arguments { shift @argv; last if /^--$/; if (/^--?(v|verbose)$/) { $verbose = 1 } - elsif (/^--?(s|silent|q|quit)$/) { $verbose = 0 } + elsif (/^--?(s|silent|q|quiet)$/) { $verbose = 0 } elsif (/^--?(debug)$/) { $verbose = 2 } elsif (/^--?(h|help|\?)$/) { &usage } elsif (/^--?(home)$/) { $home = $argv[0]; shift @argv } @@ -883,8 +975,12 @@ sub parse_arguments { die "batch: too few arguments\n" if $#batch < 0; } # see &config_read - elsif (/^--?(config_create)$/) { &create_conf; } + elsif (/^--?(config_create)$/) { ©right; &hints; &create_conf; exit(0); } elsif (/^--?(noconfig)$/) { $config_read = 0; } + elsif (/^--?(e|encryption)$/) { + $encryptionmethod = $argv[0]; + shift @argv; + } else { &usage } } #&usage if $#argv < 0; @@ -920,16 +1016,25 @@ sub filetest { return 0; } -# create configuration files and exit +# create or recreate configuration file prompting for values sub create_conf { $create_conf = 1; + + &shells_read; # Pull in /etc/shells info + &shells_add; # maybe add some new shells + $defaultshell = &shell_default; # enter default shell + $home = &home_partition($home); # find HOME partition + $dotdir = &dotdir_default; # check $dotdir + $send_message = &message_default; # send message to new user + $defaultpasswd = &password_default; # maybe use password + $defaultencryption = &encryption_default; # Encryption method + if ($send_message ne 'no') { &message_create($send_message); } else { &message_create($send_message_bak); } &config_write(1); - exit(0); } # log for new user in /var/log/adduser @@ -1272,7 +1377,7 @@ sub next_id { return ($uid_start, $gid_start); } -# read config file +# read config file - typically /etc/adduser.conf sub config_read { local($opt) = @_; local($user_flag) = 0; 
@@ -1280,7 +1385,12 @@ sub config_read { # don't read config file return 1 if $opt =~ /-(noconfig|config_create)/ || !$config_read; - if(!open(C, "$config")) { + if (!-f $config) { + warn("Couldn't find $config: creating a new adduser configuration file\n"); + &create_conf; + } + + if (!open(C, "$config")) { warn "$config: $!\n"; return 0; } @@ -1330,6 +1440,7 @@ sub config_write { print C <<EOF; # +# $OpenBSD: adduser.perl,v 1.5 1997/05/29 04:26:56 gene Exp $ # $config - automatic generated by adduser(8) # # Note: adduser read *and* write this file. @@ -1340,10 +1451,14 @@ sub config_write { # verbose = [0-2] verbose = $verbose -# use password for new users +# Get new password for new users # defaultpasswd = yes | no defaultpasswd = $defaultpasswd +# Default encryption method for user passwords +# Methods are all those listed in passwd.conf(5) +encryptionmethod = "$defaultencryption" + # copy dotfiles from this dir ("/usr/share/skel" or "no") dotdir = "$dotdir" 
@@ -1384,43 +1499,3 @@ EOF close C; } -################ -# main -# -$test = 0; # test mode, only for development -$check_only = 0; - -&check_root; # you must be root to run this script! -&variables; # initialize variables -&config_read(@ARGV); # read variables form config-file -&parse_arguments(@ARGV); # parse arguments - -if (!$check_only && $#batch < 0) { - ©right; &hints; -} - -# check -$changes = 0; -&passwd_check; # check for valid passwdb -&shells_read; # read /etc/shells -&passwd_read; # read /etc/master.passwd -&group_read; # read /etc/group -&group_check; # check for incon* -exit 0 if $check_only; # only check consistence and exit - -exit(!&batch(@batch)) if $#batch >= 0; # batch mode - -# interactive -# some questions -&shells_add; # maybe add some new shells -$defaultshell = &shell_default; # enter default shell -$home = &home_partition($home); # find HOME partition -$dotdir = &dotdir_default; # check $dotdir -$send_message = &message_default; # send message to new user -$defaultpasswd = &password_default; # maybe use password -&config_write(!$verbose); # write variables in file - -# main loop for creating new users -&new_users; # add new users - -#end |
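Review bot: two typos in the adduser.8 RESTRICTIONS hunk (@@ -67,19): `is not permitted..` has a doubled period, and `assigend` should be `assigned`. The `.Xr passwd.conf 5` line under password runs straight into "If empty" with no sentence break; end it with `.Xr passwd.conf 5 .` as the rest of the file does, and the lone `.` line added before `.El` is an empty roff request that can be dropped.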
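Review bot: the option names in the adduser.8 OPTIONS hunk (@@ -96,95) do not match the code: the manpage documents `-encrypt,-e` and `-create_config`, the synopsis in the same file says `-config_create`, usage() prints `-e|-encryption`, and parse_arguments only matches `/^--?(e|encryption)$/` and `config_create`; pick one spelling per flag and use it in all three places. The new `-create_config` text says the program goes on "with the normal interactive adduser procedure", but parse_arguments now does `&create_conf; exit(0);`, so the description should say it exits. In the `-dotdir` paragraph the sentence about refusing group/world write and restricting .rhost, .Xauthority, .kermrc, .netrc, Mail, prv, iscreen and term to the owner has been commented out rather than deleted: if adduser.perl still applies those tighter modes, keep documenting them, since those file modes are what keeps other local users from reading credentials and session data in a new home directory.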
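Review bot: the EXAMPLES hunk (@@ -193,19) passes 'joshua' as a command-line argument and only warns that it is a weak password; it is worth also saying that any password given to `-batch` is visible to every local user in ps(1) output for the life of the process and is kept in the invoking shell's history, so the batch form is for throwaway accounts or generated scripts, not for setting a user's real password.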
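Review bot: in the new_users hunk (@@ -717,8) `$cryptpwd = "*"` is the right default, since an empty password field would have let anyone log in to a no-password account, and it matches what the manpage hunk now promises; but the `# obscure perl bug` comment explains nothing. Say which bug the explicit `if (...)` form works around, or drop the comment.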
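Review bot: the batch hunk (@@ -758,8) is now identical to the new_users block (lock with `*`, then `encrypt($password, &salt) if $password ne ""`); move the two copies into one small helper so the next change to password handling is not made in one place only. In batch mode `$password` arrived on the command line and is therefore already visible in ps(1); handing it to `encrypt` through a shell (see the encrypt sub) exposes it a second time.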
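Review bot: in the encryption_default/encryption_check hunk (@@ -784,6), encryption_default returns the empty string whenever `$verbose` is 0, so a silent `-config_create` writes `encryptionmethod = ""` to adduser.conf; initialise `$m` from `$encryption_methods[0]` (or the current `$encryptionmethod`) so the non-interactive result is a valid method. encryption_check lets `blowfish,<any digits>` through: bound the rounds value to the range encrypt(1) accepts rather than passing an arbitrary `\d+` on as the `-b` argument. Note also that a method given with `-e` on the command line never goes through encryption_check at all (see parse_arguments).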
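Review bot: in the salt/encrypt hunk (@@ -824,24) the backtick command `encrypt $args $pass` interpolates the cleartext password into a command line that is run by /bin/sh, so a password containing a quote, backtick, `$` or `;` is interpreted as shell syntax instead of being hashed, and even a harmless one is visible to every local user in ps(1) while encrypt runs. Hand the password to encrypt(1) on its standard input, or spawn it without a shell with an argument list, and treat `$salt` the same way, since for the `-e` path nothing validates what ends up in `-b $salt`. Two smaller bugs: `local $args, $crypt;` localises only `$args` (write `local($args, $crypt);`), and `chop $crypt` removes the last character unconditionally, so use `chomp`. In `sub salt` the DES branch still seeds with `srand(time + $rand + $$)`, which is guessable from the account's creation time, and the `# 0 .. 63` comment is wrong: `@itoa64` has 62 entries, so `$rand & $#itoa64` masks with 61 and can only ever produce the 32 indices whose bit 1 is clear, halving the salt alphabet. Also `inf unspecified` should read `if unspecified`, and the blowfish branch silently rewrites the global `$encryptionmethod` via `split`, which is a surprising side effect for a function named salt.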
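Review bot: the new `-e|-encryption` branch in the parse_arguments hunk (@@ -883,8) takes `$argv[0]` without checking that an argument is present, so `adduser -e` with nothing after it sets `$encryptionmethod` to undef; die with a usage message as the `-batch` branch does, and run the value through `&encryption_check` here so a typo is reported at parse time instead of being silently replaced by `blowfish,7` inside `sub salt`. The `-config_create` branch now exits after `&create_conf`, which is fine, but the manpage text for that option in this commit says the opposite.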
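Review bot: in the create_conf hunk (@@ -920,16) the chosen method is stored in `$defaultencryption`, while variables, salt, encrypt and parse_arguments all use `$encryptionmethod`; the only thing keeping the two in step is the round trip through adduser.conf (config_write writes `$defaultencryption`, config_read presumably sets `$encryptionmethod` from the `encryptionmethod =` key). Use one variable name throughout so the method chosen here is also the one in effect when create_conf is followed by further work in the same run.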
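Review bot: the missing-file branch in the config_read hunk (@@ -1280,7) calls `&create_conf`, which prompts interactively, but config_read runs before parse_arguments in the new main sequence, so on a host without /etc/adduser.conf every `-batch`, `-check_only` or `-s` invocation will still stop and ask questions (`$verbose` is still its initial value of 1 at that point). Either parse the `-s`/`-batch` flags first, or only auto-create when stdin is a terminal and otherwise warn and continue with the built-in defaults. Minor: `-f $config` followed by `open` is two separate checks on the same path; attempting the open and creating the file on failure is simpler.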
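Review bot: in the config_write hunk (@@ -1330,6) the `# $OpenBSD: adduser.perl,v 1.5 ... $` line sits inside the interpolating `print C <<EOF;` heredoc, so Perl expands `$OpenBSD` as an undefined scalar and the generated adduser.conf will begin `# : adduser.perl,v 1.5 ...` rather than carrying the RCS id; escape it as `\$OpenBSD` (the other `$...` references in this heredoc are intentional). It is also debatable whether the id of adduser.perl belongs in a generated adduser.conf at all.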
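Review bot: `encryptionmethod = "$defaultencryption"` in the second config_write hunk (@@ -1340,10) writes a variable that is only assigned inside create_conf; any other caller of config_write would write an empty string. The comment "Methods are all those listed in passwd.conf(5)" also overstates what the script accepts, since encryption_check only knows blowfish, md5, des and blowfish,N; write `$encryptionmethod` here and keep the comment to what the code actually validates.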