Changing Users Passwords Via Script?

PJolliffe · April 9, 2002, 3:37pm

I am the administrator for a large network of HP/UX servers, about 100, this will be growing to over 200 in the next 18 months, part of my duties are to change the root passwords on these machines once month... which is a pain. I have written a script that will generate random passwords for me and print them out so that I do not have to think of and write down the passwords for safe keeping.

Yep, you guessed the next question... how can I pass the passwords to a script which will change them automatically on each machine?

I have done quite a bit of looking into this and found one answer is to use the GNU expect binary, but I am having difficulties getting the binary working on our servers, should I not get it working does any one have any ideas?

Please note that company policy does not allow me to use remote shells, psuedo root users and none expiring accounts.

Thanks in advance

Paul

system · April 9, 2002, 3:59pm

If the company wants all the security -then show them that the only way to do what they want is with a 3rd party security package.

OR

You could use a NIS root account - this is how -
You have your normal root account which has it's info in /etc/passwd (and shadow). If the server looks at NIS before files, then you could have an NIS root account - one password for all servers (yes, drawbacks to that too!). If NIS was unavailable, you would have to know what the server's local root password is to log in or su to root.

To change passwords on all servers requires setting up some type of allowed access - there is a 'free' product called cfengine which worked well (although our site lost 46 servers in one minute due to a bug {which was fixed but we never used it again}). Another way is if you have programming knowledge is to write your own.

My own opinion is with the 3rd party software. I've seen it work and it makes it easy to use (this was on a mix of Solaris and HP servers). I think RSA Security makes/sells it.

edog · April 9, 2002, 4:36pm

i found this script which uses expect awhile ago, haven't had time to mess with it though, maybe it will help get you started

#!/usr/local/bin/expect

if { $argc != 3 } {
    puts "Usage:"
    puts "$argv0 username oldpwd newpwd"
    exit
}

#set machine  [lindex $argv 0]
set username [lindex $argv 0]
set oldpwd   [lindex $argv 1]
set newpwd   [lindex $argv 2]
set completed_list " "

#-----------------------------------------
# All machines where set password on
#-----------------------------------------
set machine_list {
machine1
machine2
machine3
etc
etc
}


#----------------------------------------------------
# Ping machines to see which ones are available
#   ok machines in run_list
#----------------------------------------------------
foreach machine $machine_list {
    if { [ catch { exec ping -c 1 $machine  } ] == 0 } {
        lappend run_list $machine
    }
}


proc exclude_list {} {
    set count 0
    global machine_list run_list
    foreach machine $machine_list {
        incr count
        if { [ lsearch $run_list $machine ] < 0 } {
            puts "\t$count)\t$machine"
        }
    }    
    puts ""
}

proc include_list {} {
    puts "Will now try to change password on following machines:"
    set count 0
    global machine_list run_list
    foreach machine $run_list {
        incr count
            puts "\t$count)\t$machine"
    }
    puts ""
}

proc continue_chk {} {
    global run_list
    while {1} {
        include_list
        puts -nonewline "\nDo you want to continue or (m)odify list? (y/n/m): "
        gets stdin ans 
        if { 1 == [regexp {^y|Y$} $ans]  } {
            puts "yes"
            break
        } elseif { 1 == [regexp {^m|M$} $ans]  } {
            puts -nonewline "\n Enter number to remove: "
            gets stdin ans 
            set r_num [expr {$ans - 1}]
            puts $run_list
            set run_list [ lreplace $run_list $r_num $r_num ] 
        } else {
            puts "no"
            exit
        }
    }
}
    
puts "Failed to ping following machines:"
exclude_list

#puts "Will now try to change password on following machines:"
#include_list

continue_chk

foreach machine $run_list { 
    set change 0
    spawn telnet $machine
    while {1} {
        expect  { 
            timeout         break
            "\rlogin:"        { sleep 1
                              send "${username}\r" }
            "New password"  { send "${newpwd}\r" 
                              lappend completed_list $machine
                              set change 1 }
            "new password"  { send "${newpwd}\r" 
                             set change 1 }
            "Old password:" { send "${oldpwd}\r" }
            "Password:"     { send "${oldpwd}\r" }
            "\\\$"            { if {$change == 0} { 
                                  send "passwd\r" 
                                  set change 1 
                              } else {
                                  send "exit\r" }
                            }
            "changed"       { send "exit\r" }
            "closed"        { break }
        }
        sleep 1
    }
}
    
puts " "
puts "Password changed on following machines:"
foreach machine $completed_list {
    puts $machine
}

puts " "
puts "Password NOT changed on following machines:"
foreach machine $machine_list {
    if { [ lsearch $completed_list $machine ] < 0 } {
        puts $machine
    }
}
exit

added code tags for readability --oombera

Perderabo · April 10, 2002, 8:54am

Can can obtain "expect" and every other well known free software package already compiled to run on HP-UX. See this post for details.