create user with temp password and force change password next login

create_user_prompt.sh

#!/usr/bin/env bash
set -euo pipefail

if [[ "${EUID}" -ne 0 ]]; then
  echo "Please run as root or use sudo."
  exit 1
fi

# 🔹 Prompt input
read -rp "Enter username: " USERNAME
read -rp "Enter full name (optional): " FULL_NAME
read -rp "Add to sudo group? (Y/n): " ADD_SUDO

ADD_SUDO="${ADD_SUDO:-Y}"

# 🔹 Validate username
if [[ -z "$USERNAME" ]]; then
  echo "Username is required."
  exit 1
fi

if ! [[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]*[$]?$ ]]; then
  echo "Invalid username: $USERNAME"
  exit 1
fi

# 🔹 Check existing user
if id "$USERNAME" &>/dev/null; then
  echo "User '$USERNAME' already exists."
  exit 1
fi

# 🔐 Generate strong password
TEMP_PASSWORD=$(openssl rand -base64 18 | tr -dc 'A-Za-z0-9@#%+=' | head -c16)

# 🔹 Create user
if [[ -n "$FULL_NAME" ]]; then
  useradd -m -s /bin/bash -c "$FULL_NAME" "$USERNAME"
else
  useradd -m -s /bin/bash "$USERNAME"
fi

# 🔹 Set password
echo "${USERNAME}:${TEMP_PASSWORD}" | chpasswd

# 🔹 Force change password on first login
chage -d 0 "$USERNAME"

# 🔹 Add sudo group
if [[ "$ADD_SUDO" =~ ^[Yy]$ ]]; then
  usermod -aG sudo "$USERNAME"
  GROUP_INFO="sudo"
else
  GROUP_INFO="standard user"
fi

# 🔹 Password policy (optional)
# chage -M 90 -m 1 -W 7 "$USERNAME"

# 🔹 Output
echo "======================================"
echo " User created successfully"
echo "======================================"
echo " Username : $USERNAME"
echo " Password : $TEMP_PASSWORD"
echo " Group    : $GROUP_INFO"
echo " Policy   : must change password on first login"
echo "======================================"