Shell Programming and Scripting

He wants to automate the change of his user password in many servers. And for that reason I suggested him the expect tool.

but, for security concerns, he need to consider the modification of the script to insert crypt; or use the "interact" an a loop into the expect program (to capture the old and new passwd.

Hugo.

Let me just say. I am an SA and currently manage 17 boxes and I am the backup SA for 10 other boxes.

I have no problem with maintaining multiple passwords as root on my 17 systems... and they all have different unique passwords.

I change my passwds every 60 days now. We used to have a policy to change passwds every 30 days, but that created too much havoc for the users.

Also, it is somewhat of a breech in security to maintain the SAME password, even for a user, on 15 different boxes. I don't think I need to mention what would happen if someone knew that and got this user's passwd.

I am not trying to point fingers at anyone, but I am just trying to be a voice of clarity here. Hopefully I have succeeded in that goal.

"Laxity breeds contempt... Perseverance breeds awareness..."

I agree, but in some cases the uses of a single-sign on combined
with a token card like securID (RSA) avoids to have a privileged memory.

Regards. Hugo.

In response to your comment "I am an SA and currently manage 17 boxes and I am the backup SA for 10 other boxes. I have no problem with maintaining multiple passwords as root on my 17 systems... and they all have different unique passwords. I change my passwds every 60 days now."

I have to disagree with you, I think there is more risk because most people would have to write down their passwords somewhere which is a larger risk for a breech.

I manage over 40 boxes and our passwords expire every 30 days. I dont have to tell you how much time it takes to change them on each one, especially with our busy schedules. In addition to the other 20 passwords we have for other systems and apps, there is no way for me to have different passwords for each box, change them every 30 days and not be able to reuse them except every 5th password change.

I think having my password in my head which would not make sence to anyone is alot more secure than having to write them down. I am also looking for a way to automate changing passwords on multiple boxes to save time.

changepass automate password changes on multiple systems

ha ha!

..at one point in my career, back in 1999 at a .com data center, I had 1273 servers under my administration (with 5 other guys). I would've loved to see users' faces after telling them "you have to learn 1200+ passwds"...


...anyway...

... first thing I'd ask is if ftp, telnet, rlogin, and/or rsh are enabled. If they are, I think it is a waste of time to be changing passwds.

As for automating passwd mgt without a tool like LDAP, well, there are many ways you can do that. I use expect extensively - together with ssh - and you only need one install of it.