Infrastructure Monitoring

Hello,

Many thanks for the script posted by Perderabo. I came across it many years ago, and it was an immense help in automating a password change on a number of servers and for a number of accounts on those servers.

Now, I am in need of a script to do the same thing using SSH since our Unix Admins have disabled the Telnet process and are forcing only SSH access.

Searching this web site and the internet for any assistance, it plainly became clear that the 'expect' package was the only solution that would do something similar to Perderabo's script.

But,

I had setup SSH authentication, copying the source servers RSA tokens to the destination servers authorized_keys file.

I changed Perderabo's script to have just the two sections - 0 and 2. 0 to set the script up, request passwords, etc. and 2 to do the actual password change.

I then changed 'telnet' to be 'ssh -t -t' and removed the USER and OLDPASS prints, since they are not needed due to the SSH automated authentication.

This works for me ... it will connect via SSH to the destination server and does the password change.

Perderabo
Unix Daemon

Hi Perderabo

The script is really great. But in my system the option print -p and telnet is not working. I only have ssh and sftp enabled in the system.

This is working in Linux but not in solaris.
(sleep1; echo $OLD; sleep 1; echo $NEW; sleep 1; echo $NEW;sleep 1) | passwd

Is there any other way to do this in solaris......

Hi Perderabo

It is really a good script. In my machine print -p and telnet are not working. I am having sftp and ssh to write this type of script. I tried changing your script and implement it, but its not working. Is there any other way to change the password on multiple SunOS machines.


The below command is working fine in Linux but not in SunOS.
(sleep1; echo $OLD; sleep 1; echo $NEW; sleep 1; echo $NEW; sleep 1) | passwd.


Could you please advice.

"print -p" is a built-in command in the Korn shell. It will work only if there is a coprocess running otherwise it will produce an error message. In fact it sends the output of a print-command to the running coprocess as input to stdin. (likewise "read -p" will read from the coprocesses stdout)

If you try this script with bash (or any other shell) it won't work because most shells lack the coprocess facility.

The reason why simple redirections to/from passwd do not work on most systems is that passwd clears stdin upon start to enforce real, physical keyboard input. It was designed this way with security in mind. Setting passwords via scripts is always a probable security hazard.

I hope this helps.

bakunin

I do agree with you. But I executed this portion and I got the problem like this
I have Generating public/private rsa key pair using this (ssh-keygen -t rsa)
I am using ssh here to change the password after loging into that HOST.
But it is throwing me the error saying

passwdChg.ksh[19]: print: no query process
passwdChg.ksh[21]: print: no query process
passwdChg.ksh[23]: print: no query process
passwdChg.ksh[25]: print: no query process
passwdChg.ksh[27]: print: no query process

I can see the coprocess is running in line #17. But I could not understand why I getting the above error.

####################
1 #! /usr/bin/ksh
2
3 HOSTLIST="test1 test2"
4 DELAY=3
5 stty -echo
6 print -n Enter Old Password-
7 read OLDPASS
8 print
9 print -n Enter New Password-
10 read NEWPASS
11 print
12 stty echo
13 USER=$(whoami)
14 exec 4>&1
15
16 for HOST in $HOSTLIST ; do
17 ssh -t -t $USER@$HOST >&4 2>&4 |&
18 sleep $DELAY
19 print -p passwd
20 sleep $DELAY
21 print -p $OLDPASS
22 sleep $DELAY
23 print -p $NEWPASS
24 sleep $DELAY
25 print -p $NEWPASS
26 sleep $DELAY
27 print -p exit
28 wait
29 done
30 exit 0


Could you please advice???

Thanks
Siddharth

The problem seems to be with the ssh command. My ssh book seems to imply that -t only works with a command but I tried using ksh and it still fails.

This works:
echo env | ssh user@host ksh

This fails:
echo env | ssh -t -t user@host ksh

I don't know why the latter fails. But I think that is the crux of your problem.

Hi Guys,

With all respect to Perderabo script - great job = THANKS, in case anybody use Secure CRT to ssh/telent, the latest version 6.2.1 has a feature called Chat window which allow you to run the same command on multiple servers.

This feature will do the job for you if you have the same users on all servers.

Cheers,
Dani

Hi Perderabo

I am trying this script in Solaris 5.10. First of all I am trying to change the password for the local SunoS 5.10 server. But with the below error.

Command:
--------------
( sleep 6 && echo $OLDPASS >&0 ;sleep 6 && echo $NEWPASS >&0 ;sleep 6 && echo $NEWPASS >&0 )|passwd

Error
-------------
passwd: Sorry, wrong passwd
Permission denied

######################

I have update the the following..

exec 4>&1
exec 0>&4
for HOST in $HOSTLIST ; do
exec >&4
exec 2>&4
ksh |&
sleep $DELAY
print -p $USER
sleep $DELAY
print -p $OLDPASS
sleep $DELAY
print -p passwd
sleep $DELAY
print -p $OLDPASS
sleep $DELAY
print -p $NEWPASS
sleep $DELAY
print -p $NEWPASS
sleep $DELAY
print -p exit
wait
exec 4>&-
done

Error:
------------

ksh: user : not found
ksh[2]: OldPass: not found
passwd: Changing password for user
Enter existing login password:
passwd: Sorry, wrong passwd
Permission denied
ksh[4]: OldPass : not found
ksh[5]: NewPass : not found
ksh[6]: NewPass : not found

I think the output is not going properly to the input of passwd in the aboce part...

Could you pelase advice????