Expect script - going in loops can't stop

radioactive9 · January 10, 2012, 10:54am

Hi

First of all I tried lot of forums to create my first expect script. But I am totally stumped at the last step. I am no Linux Admin or ever trained in Linux. I just tried to create the script logically

History :

I need to to change my password across lot of servers in Linux over ssh

There can be following scenario

I have never logged in to the server ever and I am getting RSA Key confirmation to be added YES/NO for the one time
I have logged in to the server before and the password is still working and I should be able to issue passwd command to change my password
I have logged in to the server before and the password is not working and forcing me to change the password

My two scripts:

runip.sh - Simple shell script to run through all the IPs mentioned in iplist.txt

Now comes the trouble script which is going in loops and not able to break out

#!/usr/bin/expect -f

set ip [lindex $argv 0] #Catching the ip from shell script
spawn ssh user1@$ip
expect {
"sure you want to continue connecting (yes/no)?" {send "Yes\r" ; exp_continue} # In case of first time login you need to add the token YES/NO bla bla
"user1@$ip's password:" {send "Password\r" ; exp_continue} # IF getting password Prompt entering the current password

# Now two scenario 1. You get bash prompt as you have successfully logged in OR 2. You get change password prompt as your password has already expired so..

"~]$ " {send "passwd\r" ; exp_continue} # Get prompt that we have successfully logged in and sending passwd command to start initiating change of password

# In either scenario above the below code should get executed if I am getting change password prompt immidiately after login as password has expired OR I have started passwd command

"(current) UNIX password:" {send "Password\r" ; exp_continue} # Entering Current Password

"New UNIX password:" {send "P@ssw0rd\r" ; exp_continue} # Entering New password
"Retype new UNIX password:" {send "P@ssw0rd\r" ; exp_continue} # Re-entering New password
"~]$ " {send "exit\r"} # Now this is a trial logically after re-entering password I should get the same prompt back and can exit from here - doesn't work it seems it goes back to the initial prompt and issue passwd command again and goes in loop
eof {break} # Tried this thought it will break no go

sleep 5
exit 0
}
close $spawn_id

I have no clue how to break free and exit from the passwd loop and go to the next IP as in the script :wall:

Any help will be great and I am sure this is a common script in lot of environment helping users to do manually

Usually the bash prompt in environemnt looks like the below

[user1@server1 ~]$

frappa · January 10, 2012, 4:18pm

Hi,

have you tried your script by calling it manually and performing a simple command instead of password change? i.e. you can try to simply ls the content of the home directory just to see in the remaining part of the script works as intended. Plus, if my memory reminds well, you can try issuing the exit command as:

send "exit\r\r"

that is a double \r after exit.

Tomorrow I should be able to read a similar script written some times ago that may be useful; meanwhile make and test the suggested modifications.

see ya
fra

radioactive9 · January 11, 2012, 5:01am

Hi Man

Thanks for your response. As suggested and after tweaking a little bit I am able to make the program work as expected so far so good. Will let you know if I stumble any more problem.

Just one thought which I don't know how to incorporate. I was thinking that in either of the trials of changing password if it stumbles anywhere and not able to do for any reason like not able to login at all due to wrong password or remote host is down or some other reason it should log the IP to a txt file. I know the shell script operator as >> Log.txt somewhere so that it logs on error or something. How to implement that along with the expect script

Here are the two scripts which might be helpful to the world and novice like me

To run the script make a file iplist.txt and put the list of IP address there

cat iplist.txt

iprun.sh < Script to run first

change.sh << the expect script which is called for

This change password of user1 from pass123 to P@ssw0rd

Only thing I am now wondering is there any other scenario which can be incorporated and whether we can log the failed change for whatever reason to any logfile

Any help will be great. And thanks again for the great help provided

frappa · January 11, 2012, 8:50am

Hi,

in order to intercept errors during the connection stage in expect, I generally use a "default" behaviour that makes expect to exit with a custom error code, like in the code fragment shown below:

#   handle unexpected exceptions (default bahaviour), RSA key
# + fingerprint not found and authentication password request
#
expect {

          default { 
             send_user "unable to connect to host $host\r\n"
             exit $ec_exception
          }

          -re ".*Are.*.*yes.*no.*" {
             send -s "yes\r"
             exp_continue
             #look for the password prompt
          }

          "assword:" {
             send -s "$password\r"
             #the expect command will now return
          }

}

#   handle the chance that the password is not valid or access is denied
expect { 

         default {
            send_user "unable to connect to host $host\r\n"
            exit $ec_exception
         }

         -re "denied|failed|invalid|incorrect" {
            send_user "invalid password or account for host $host\r\n"
            exit $ec_failedauth
         }

         "$shell_prompt"

}

in particular note the instruction

            exit $ec_exception

and

            exit $ec_failedauth

where $ec_exception and $ec_failedauth are variables declared and set with a value other than 0 in advance.

Note that in the previous example the "default" behaviour actually has the meaning of an exception handling (that is, I define actions for known expected results, all unforesees results are managed based on the default behaviour).

Then the calling script may check, at each iteration, the exit code returned by the expect script, like this:

for ip in `cat iplist.txt`
do
   /home/user1/script/change.sh $ip
   RETVAL=$?
   if [ $RETVAL -ne 0 ] ; then
      #perform some action based on intercepted exit code (i.e. log a message, send an email, etc.)...
      [...]
   fi
done

Note that using different exit codes for different exceptions caught in expect may also be useful to determine what action the calling script should do next.

see ya
fra

radioactive9 · January 12, 2012, 9:36am

You are great buddy. The program now works like a dream. I have made few more changes to make it adapt to the environment

iprun.sh

and then

returnval.sh

#!/usr/bin/expect -f
set ec_exception 1
set ec_failedauth 2
set ec_failedpass 3
set i [lindex $argv 0]
set u [lindex $argv 1]
set o [lindex $argv 2]
set n [lindex $argv 3]

spawn ssh $u@$i
expect {
default {
send_user "Unable to connect to host $i\r\n"
exit $ec_exception
}
"sure you want to continue connecting (yes/no)?" {send "Yes\r" ; exp_continue}
"$u@$i's password:" {send "$o\r"}
}
expect {
default {
send_user "Not able to change password for unknown reason $i\r\n"
exit $ec_failedpass
}
"Permission denied, please try again."
{
send_user "invalid password or account for host $i\r\n"
exit $ec_failedauth
}
"Password unchanged"
{
send_user "You cannot keep same password $i\r\n"
exit $ec_failedpass
}
"BAD PASSWORD: it is based on a dictionary word"
{
send_user "Your password is either weak or used previously $i\r\n"
exit $ec_failedpass
}
"~]$ " {send "passwd\r" ; exp_continue}
"(current) UNIX password:" {send "$o\r" ; exp_continue}
"New UNIX password:" {send "$n\r\n" ; exp_continue}
"Retype new UNIX password:" {send "$n\r\r"}
eof {break\r }
sleep 5
exit 0
}
close $spawn_id

This is great and can do wonders for stupid users like me who need to change password across 1000s of servers

Thank You frappa you are too good man. I really aprreciate your help