need script for passwd , can't use expect tool

davidg · September 24, 2003, 5:04am

Real great work Perderabo !!!

This is the kind of script I like to keep a copy of

Thanks a lot for all the work. I don't understand the 4> yet, but I'll probably find out somewhere.

Regs David

Nicol · September 24, 2003, 5:24am

Absolutely excellent , i didn't test it completely until writing the new pasword but the connection is ok and the beginning of the dialog is ok too until "old password" so the rest will be ok.

i'm searching for explanations about "print" command flags.
This is an internal command and at this time i never uses this flags

christian

RTM · September 25, 2003, 4:06pm

FYI - not to take away from Perderabo's great work - there is a program called pconsole which does the same as the ccp program (but pconsole should work on most any UNIX). Worth investigating for other uses.

Nicol · September 26, 2003, 7:21am

...but Pconsole (i don't try it!) needs a C compiler and i don't have any and neither admin rights to install it !

..but i keep the link for future use !

christian

98_1LE · January 11, 2005, 7:19pm

estelnet or ctelnet are similar to the ccp product described above. It allows you to either setup an /etc/clusters file with aliases that look like:
servers host1 host2 host3

Running `estelnet servers` would open a telnet to each of the three hosts, along with a console window. Things typed in the console get echo'ed to all three windows, or you can type in each window seperately. It is great for password changes.

You can also run `estelnet host1 host2 host4 host4` to connect to four servers.

Anyone know of an ssh based program that works like this?

Garry_Garrett · June 23, 2005, 7:31pm

Speaking as a SysAdmin, the big problem with doing this type of thing in an expect script is, users (on average not being very security minded) almost never think to look at the permissions on their expect script. Consequenty, they create an expect script, put password in it, and it is sitting there with rwxr-xr-x permissions, for anybody on the system to read (or if it resides in an NFS exported directory, anybody on any system that NFS mounts it or anybody on any system who who can spoof the NFS server into allowing them to mount it). Expect fools programs that were wise enough to insist on speaking to a real live terminal into thinking that they are talking to a terminal when in fact they are being driven programatically.

One thing I like about this script is that it prompts you for the (new and old) passwords. If you read the passwords from a file, your program better insist on that file having good permissions or else you are asking for trouble.

I actually came across this page when I was searching for informationa about a similar program "passmass". That might be another option for someone who interested.

However you change your passwords en-masse, be careful about the permissions of your scripts if they contain any passwords in them, etc.

Perderabo · June 23, 2005, 9:12pm

Glad you liked the script, Garry. You may want to take a look at my password generator too...

swordfish a password generator

cesarNZ · June 26, 2009, 12:09am

what do these '>&4 2>&4 |&' mean on the line "telnet $HOST >&4 2>&4 |&" ??

perderabo:

No money back guarantees on this one. But I tested it on both HP-UX and SunOS and it works for me.

#! /usr/bin/ksh

#  changepass --- change the user's password on a list of hosts
#  perderabo  9/23/03  Version 0.0
#
#  You will need to adjust HOSTLIST.  You may need to adjust DELAY
#  and all of section 2.
#


#
#  Section 0 --- Set stuff up

HOSTLIST="test1 test2"
DELAY=3
stty -echo
print -n Enter Old Password-
read OLDPASS
print 
print -n Enter New Password-
read NEWPASS
print
stty echo
USER=$(whoami)
exec 4>&1


#
#  Section 1 --- Prove that we can talk with the hosts in HOSTLIST
#     Part 1 --- telnet to each and touch a file

for HOST in $HOSTLIST ; do
	telnet $HOST >&4 2>&4 |&
	sleep $DELAY
	print -p $USER
	sleep $DELAY
	print -p $OLDPASS
	sleep $DELAY
	print -p touch changepassdatafile.$HOST
	sleep $DELAY
	print -p exit
	wait
done

#
#  Section 1 --- Prove that we can talk with the hosts in HOSTLIST
#     Part 2 --- Retrieve the files via ftp

ftp -nv >&4 2>&4 |&
for HOST in $HOSTLIST ; do
	print -p open $HOST
	print -p user $USER $OLDPASS
	print -p get changepassdatafile.${HOST}
	print -p close
done
print -p bye
wait

#
#  Section 1 --- Prove that we can talk with the hosts in HOSTLIST
#     Part 3 --- Inspect the retrieved files

errors=0
for HOST in $HOSTLIST ; do
	if [[ -f changepassdatafile.${HOST} ]] ; then
		echo $HOST was ok
		rm changepassdatafile.${HOST}
	else
		echo $HOST has a problem
		((errors=errors+1))
	fi
done
((errors)) && exit 1

#
#  Section 2 --- Change the passwords

for HOST in $HOSTLIST ; do
   telnet $HOST >&4 2>&4 |&
   sleep $DELAY
   print -p $USER
   sleep $DELAY
   print -p $OLDPASS
   sleep $DELAY
   print -p passwd
   sleep $DELAY
   print -p $OLDPASS
   sleep $DELAY
   print -p $NEWPASS
   sleep $DELAY
   print -p $NEWPASS
   sleep $DELAY
   print -p exit
   wait
done

#
#  Section 3 --- Verify that the passwords were changed
#     Part 1 --- Retrieve those files via ftp again

ftp -nv >&4 2>&4 |&
for HOST in $HOSTLIST ; do
   print -p open $HOST
   print -p user $USER $NEWPASS
   print -p get changepassdatafile.${HOST}
   print -p delete changepassdatafile.${HOST}
   print -p close
done
print -p bye
wait

#
#  Section 3 --- Verify that the passwords were changed
#     Part 2 --- Inspect the retrieved files

errors=0
for HOST in $HOSTLIST ; do
   if [[ -f changepassdatafile.${HOST} ]] ; then
   rm changepassdatafile.${HOST}
   else
   echo $HOST has a problem!
   ((errors=errors+1))
   fi
done
((errors)) && exit 1


exit 0

cd_wilson · June 29, 2009, 12:57am

Hello,

Many thanks for the script posted by Perderabo. I came across it many years ago, and it was an immense help in automating a password change on a number of servers and for a number of accounts on those servers.

Now, I am in need of a script to do the same thing using SSH since our Unix Admins have disabled the Telnet process and are forcing only SSH access.

Searching this web site and the internet for any assistance, it plainly became clear that the 'expect' package was the only solution that would do something similar to Perderabo's script.

But,

I had setup SSH authentication, copying the source servers RSA tokens to the destination servers authorized_keys file.

I changed Perderabo's script to have just the two sections - 0 and 2. 0 to set the script up, request passwords, etc. and 2 to do the actual password change.

I then changed 'telnet' to be 'ssh -t -t' and removed the USER and OLDPASS prints, since they are not needed due to the SSH automated authentication.

This works for me ... it will connect via SSH to the destination server and does the password change.

sidh_arth85 · July 15, 2009, 5:57pm

Perderabo
Unix Daemon

Hi Perderabo

The script is really great. But in my system the option print -p and telnet is not working. I only have ssh and sftp enabled in the system.

This is working in Linux but not in solaris.
(sleep1; echo $OLD; sleep 1; echo $NEW; sleep 1; echo $NEW;sleep 1) | passwd

Is there any other way to do this in solaris......

Hi Perderabo

It is really a good script. In my machine print -p and telnet are not working. I am having sftp and ssh to write this type of script. I tried changing your script and implement it, but its not working. Is there any other way to change the password on multiple SunOS machines.

The below command is working fine in Linux but not in SunOS.
(sleep1; echo $OLD; sleep 1; echo $NEW; sleep 1; echo $NEW; sleep 1) | passwd.

Could you please advice.

bakunin · July 15, 2009, 7:49pm

"print -p" is a built-in command in the Korn shell. It will work only if there is a coprocess running otherwise it will produce an error message. In fact it sends the output of a print-command to the running coprocess as input to stdin. (likewise "read -p" will read from the coprocesses stdout)

If you try this script with bash (or any other shell) it won't work because most shells lack the coprocess facility.

The reason why simple redirections to/from passwd do not work on most systems is that passwd clears stdin upon start to enforce real, physical keyboard input. It was designed this way with security in mind. Setting passwords via scripts is always a probable security hazard.

I hope this helps.

bakunin

sidh_arth85 · July 16, 2009, 4:24pm

I do agree with you. But I executed this portion and I got the problem like this
I have Generating public/private rsa key pair using this (ssh-keygen -t rsa)
I am using ssh here to change the password after loging into that HOST.
But it is throwing me the error saying

passwdChg.ksh[19]: print: no query process
passwdChg.ksh[21]: print: no query process
passwdChg.ksh[23]: print: no query process
passwdChg.ksh[25]: print: no query process
passwdChg.ksh[27]: print: no query process

I can see the coprocess is running in line #17. But I could not understand why I getting the above error.

####################
1 #! /usr/bin/ksh
2
3 HOSTLIST="test1 test2"
4 DELAY=3
5 stty -echo
6 print -n Enter Old Password-
7 read OLDPASS
8 print
9 print -n Enter New Password-
10 read NEWPASS
11 print
12 stty echo
13 USER=$(whoami)
14 exec 4>&1
15
16 for HOST in $HOSTLIST ; do
17 ssh -t -t $USER@$HOST >&4 2>&4 |&
18 sleep $DELAY
19 print -p passwd
20 sleep $DELAY
21 print -p $OLDPASS
22 sleep $DELAY
23 print -p $NEWPASS
24 sleep $DELAY
25 print -p $NEWPASS
26 sleep $DELAY
27 print -p exit
28 wait
29 done
30 exit 0

Could you please advice???

Thanks
Siddharth

Perderabo · July 16, 2009, 7:40pm

The problem seems to be with the ssh command. My ssh book seems to imply that -t only works with a command but I tried using ksh and it still fails.

This works:
echo env | ssh user@host ksh

This fails:
echo env | ssh -t -t user@host ksh

I don't know why the latter fails. But I think that is the crux of your problem.

varu0612 · July 19, 2009, 6:37am

Hi Guys,

With all respect to Perderabo script - great job = THANKS, in case anybody use Secure CRT to ssh/telent, the latest version 6.2.1 has a feature called Chat window which allow you to run the same command on multiple servers.

This feature will do the job for you if you have the same users on all servers.

Cheers,
Dani

sidh_arth85 · July 20, 2009, 12:21pm

Hi Perderabo

I am trying this script in Solaris 5.10. First of all I am trying to change the password for the local SunoS 5.10 server. But with the below error.

Command:
--------------
( sleep 6 && echo $OLDPASS >&0 ;sleep 6 && echo $NEWPASS >&0 ;sleep 6 && echo $NEWPASS >&0 )|passwd

Error
-------------
passwd: Sorry, wrong passwd
Permission denied

######################

I have update the the following..

exec 4>&1
exec 0>&4
for HOST in $HOSTLIST ; do
exec >&4
exec 2>&4
ksh |&
sleep $DELAY
print -p $USER
sleep $DELAY
print -p $OLDPASS
sleep $DELAY
print -p passwd
sleep $DELAY
print -p $OLDPASS
sleep $DELAY
print -p $NEWPASS
sleep $DELAY
print -p $NEWPASS
sleep $DELAY
print -p exit
wait
exec 4>&-
done

Error:
------------

ksh: user : not found
ksh[2]: OldPass: not found
passwd: Changing password for user
Enter existing login password:
passwd: Sorry, wrong passwd
Permission denied
ksh[4]: OldPass : not found
ksh[5]: NewPass : not found
ksh[6]: NewPass : not found

I think the output is not going properly to the input of passwd in the aboce part...

Could you pelase advice????

Perderabo · July 20, 2009, 10:00pm

You're trying to send input into the passwd program's stdin. If that were possible, my script would have no purpose. passwd ignores stdin. It opens /dev/tty directly. Then it inhibits character echo so you can't see the passwd as it is typed. It then will read the password. You must arrange for a pseudo tty to be present for passwd to use. (Or use a real one.)