Script to change UNIX password

My shop has just ordained that all UNIX passwords expire after 45 days. We do NOT have a "single logon" facility, so I will need to log on to each of the servers (15+) I interact with and change my password by hand. I thought I could invoke passwd inside a ksh script as a here document and effectively change my password, stage this script on all the servers under my id, and then invoke it via REXEC from one server.

Unfortunately, when I run passwd from a here doc, it doesn't take my old/new password from stdin.

Here's what I'm doing inside pass.sh:

#!/usr/bin/ksh
# passwd reads the old and new passwords from the controlling terminal
# (/dev/tty), not from stdin, so the here document below is never consumed.
passwd <<EOF
oldpassword
newpassword
newpassword
EOF

Does anyone have any thoughts on how I can "synchronize" all my passwords? (I don't have root privs - I'm a developer, not an administrator).

Use the expect tool, or similar, to synchronize a user.

If you want to synchronize all the users, you can use rdist,
rsync, supper or that kind of command (depending on your OS).

Regards. Hugo.

Hugo,

Thanks for your reply.

We're running under Sun Solaris 2.6 & 2.7

The man pages for rdist show info for remote file distribution.
There are no man pages for rsync or supper.

How would rdist help me?

I indicated I'm a developer w/o root/admin privileges. Also we are prevented from creating/updating .rhosts files.

John

The other commands are an AIX command (supper, in SP2 environments) and a GNU tool, both for distributing files.

With rdist, you can distribute the following files:

/etc/passwd
/etc/groups
/etc/shadow

and if you use Solaris 8

/etc/user_attr.

---------------------------------------

If you only want to change one password, use "expect":
http://www.sunfreeware.com

Ask the administrator to install expect and tcl
(and give you access to expect in /usr/local/bin):

   tcl

and

   expect

(tcl is a prerequisite of the expect package).

Note: You need to create an expect file and call expect -f my_expect1

Example of my_expect1

# Usage: expect -f my_expect1 <server> <user_name> <old_passwd> <new_passwd>
# Opens a telnet session, logs in, then runs passwd and answers its prompts.
spawn telnet [lindex $argv 0]
expect "login: "
send "[lindex $argv 1]\r"
expect "Password: "
send "[lindex $argv 2]\r"
# Wait for the login banner; change this string to match your server's banner.
expect "Sun Microsystems Inc. SunOS 5.8 Generic February 2000"
send "passwd\r"
expect "Enter login password: "
send "[lindex $argv 2]\r"
expect "New password: "
send "[lindex $argv 3]\r"
# Matches the tail of "Re-enter new password: " regardless of the capital R.
expect "e-enter new password: "
send "[lindex $argv 3]\r"
expect eof

Note: To call

expect -f my_expect1 <server> <user_name> <old_passwd> <new_passwd>

Also you need to make a script to call the previous line giving the appropriate parameters.

IMPORTANT: It is best that nobody else is logged into the server,
because with a ps they can view your passwd.

Regards. Hugo.

My SA says he could install Expect/TCL on our development box, but would not be able to justify the install on our UAT & PROD servers. Providing a "convenience" to folks to synchronize passwords would not be considered justification to install software.... (And I have an extremely cooperative SA!).

Our technical organization recently merged with another "sister" technical group and their procedures are being inflicted on the rest of us. Also the auditors have been having a field day... hence the implementation of password rules, use of sudo, restrictions on FTP-only accts, etc. etc.

The expect tool is a powerful tool and can be used to automate different jobs; you need to use your imagination to show him the
benefits of installing this tool.

ANYWAY you only need to install the tool on one server that has connectivity to the others.

from your development server

ksh script change_passwd.sh

#!/bin/ksh
# Usage: ./change_passwd.sh <old_passwd> <new_passwd>
# Runs the expect script once per server; <login_name> is your own user id.
for server in server1 server2 server3 ... servern
do
expect -f my_expect1 $server <login_name> $1 $2
sleep 5
done

----
call ./change_passwd.sh <old_passwd> <new_passwd>

Regards, Hugo.

Some clarification is in order from you...

Is this only for your personal passwords? And not for ALL users on all boxes?

And what do you mean by "synchronize" passwords? Are you using the SAME password on every box? That is not a very good standard for security... If your company is hot for security of passwords, they need to look into a product called SecurID. It is a one-time password with an algorithm that is good for 4 years per user.

Also, if you have logons for all 15+ boxes, why can't you log in to each and change them manually? I know that manual is not always the easiest way, but it may be the best way.

:wink:

He wants to automate the change of his user password on many servers, and for that reason I suggested the expect tool to him.

But, for security reasons, he needs to consider modifying the script to insert crypt, or using "interact" in a loop inside the expect program (to capture the old and new passwd).

Hugo.

Let me just say. I am an SA and currently manage 17 boxes and I am the backup SA for 10 other boxes.

I have no problem with maintaining multiple passwords as root on my 17 systems... and they all have different unique passwords.

I change my passwds every 60 days now. We used to have a policy to change passwds every 30 days, but that created too much havoc for the users.

Also, it is somewhat of a breach in security to maintain the SAME password, even for a user, on 15 different boxes. I don't think I need to mention what would happen if someone knew that and got this user's passwd.

I am not trying to point fingers at anyone, but I am just trying to be a voice of clarity here. Hopefully I have succeeded in that goal.

"Laxity breeds contempt... Perseverance breeds awareness..."

:slight_smile:

I agree, but in some cases the use of single sign-on combined
with a token card like SecurID (RSA) avoids having to have a privileged memory.

Regards. Hugo.

In response to your comment "I am an SA and currently manage 17 boxes and I am the backup SA for 10 other boxes. I have no problem with maintaining multiple passwords as root on my 17 systems... and they all have different unique passwords. I change my passwds every 60 days now."

I have to disagree with you. I think there is more risk, because most people would have to write down their passwords somewhere, which is a larger risk for a breach.

I manage over 40 boxes and our passwords expire every 30 days. I don't have to tell you how much time it takes to change them on each one, especially with our busy schedules. In addition to the other 20 passwords we have for other systems and apps, there is no way for me to have different passwords for each box, change them every 30 days and not be able to reuse them except every 5th password change.

I think having my password in my head, which would not make sense to anyone, is a lot more secure than having to write them down. I am also looking for a way to automate changing passwords on multiple boxes to save time.

changepass automate password changes on multiple systems

ha ha!

..at one point in my career, back in 1999 at a .com data center, I had 1273 servers under my administration (with 5 other guys). I would've loved to see users' faces after telling them "you have to learn 1200+ passwds"...

...anyway...

... first thing I'd ask is if ftp, telnet, rlogin, and/or rsh are enabled. If they are, I think it is a waste of time to be changing passwds.

As for automating passwd mgt without a tool like LDAP, well, there are many ways you can do that. I use expect extensively - together with ssh - and you only need one install of it.
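Taking Hugo's point that the passwords should be captured inside the expect program rather than passed on the command line, and the last reply's point that expect works over ssh, here is an added example (not from any poster in this thread) of the my_expect1 idea reworked that way. The ssh options and the passwd prompt regexes are assumptions about the target hosts.

```tcl
#!/usr/local/bin/expect -f
# Added example, not from the thread. Same job as Hugo's my_expect1, with two
# changes: passwords are read from the terminal (never on argv, so they do not
# show up in ps) and the session runs over ssh instead of telnet.
# Assumptions: ssh is installed, host keys are already in known_hosts, and
# passwd prompts match Solaris ("Enter login password:", "New password:",
# "Re-enter new password:"). The prompt regexes below are assumptions.
if {[llength $argv] < 2} {
    puts stderr "usage: $argv0 <user> <host> \[<host> ...\]"
    exit 1
}
set user  [lindex $argv 0]
set hosts [lrange $argv 1 end]
set timeout 20

# Read both passwords with echo off; expect_user reads from our own stdin.
stty -echo
send_user "Old password: "
expect_user -re "(.*)\n"
set oldpw $expect_out(1,string)
send_user "\nNew password: "
expect_user -re "(.*)\n"
set newpw $expect_out(1,string)
send_user "\n"
stty echo

set failed {}
foreach host $hosts {
    # -t forces a tty so passwd can prompt. Any "...password:" prompt that is
    # not a "new password" prompt (the ssh login, passwd's old-password check)
    # gets the old password; the "new password" pattern must be tried first.
    spawn ssh -t -o NumberOfPasswordPrompts=1 $user@$host passwd
    expect {
        -re {(?i)new password: ?$} { send "$newpw\r"; exp_continue }
        -re {(?i)password: ?$}     { send "$oldpw\r"; exp_continue }
        timeout { send_user "$host: timed out\n"; close }
        eof
    }
    # wait returns {pid spawn_id 0 exit_status}; non-zero means passwd refused.
    set status [lindex [wait] 3]
    if {$status != 0} { lappend failed $host }
    send_user "$host: exit status $status\n"
}
if {[llength $failed]} {
    send_user "failed on: $failed\n"
    exit 1
}
```

Run it as expect -f sync_passwd user host1 host2 ...; only the user name and host list appear in ps, and a host whose passwd rejects the change is reported at the end instead of silently skipped.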