
Changing Password on Multiple LPARs 4


khalidaaa

Technical User
Jan 19, 2006
2,323
BH
AIXers,

How can I change my password on multiple LPARs, given that ssh is already configured between those LPARs not to prompt for a password on login?

I have 16 LPARs and it is a headache to change each one's root password at a time!

Thanks.

Regards,
Khalid
 
Have you considered using ldap?

You could also script this with expect and to make it really easy use autoexpect which just records everything you type and turns it into an executable script.

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
 
No we haven't considered LDAP!

and its my first time to hear about expect! Can you please give me something to read about this?

Thanks for the nice comment Mike.

Regards,
Khalid
 
My answer to this is to use a C program
Code:
/*******************************************************
* setpass                                              *
* sets AIX passwords in batch mode                     *
* options                                              *
*  -u <username>  Username of password to set          *
*  -t <timestamp> last amended time - defaults to      *
*                 current time                         *
*  -p <password>  password in plain text               *
*  -e <encrypted password> encrypted password          *
*  -a             enforce password change              *
*  The -e and -p options are mutually exclusive        *
*******************************************************/

#include <ctype.h>
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <crypt.h>
#include <usersec.h>
#include <userpw.h>

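/* True when c is NOT usable as a salt character for crypt().  The
   traditional salt alphabet is [a-zA-Z0-9./]; lower-case letters are
   accepted here too so the generated salts are not drawn from a needlessly
   small set.  The argument is cast to unsigned char before it reaches the
   <ctype.h> classifiers (a negative char value is undefined there) and is
   evaluated more than once, so pass an expression without side effects. */
#define nogood(c) ( !isupper((unsigned char)(c)) && !islower((unsigned char)(c)) \
                 && !isdigit((unsigned char)(c)) && (c) != '.' && (c) != '/' )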

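/*
 * myencrypt - hash a plain-text password with crypt() using a freshly
 * generated two-character salt.
 *
 * pword    NUL-terminated plain-text password; NULL yields NULL.
 * returns  the pointer handed back by crypt().  NOTE(review): crypt()
 *          usually returns static storage that the next call overwrites -
 *          confirm on the target platform and copy the result if it has to
 *          outlive another crypt() call.
 *
 * NOTE(review): a two-character salt normally selects the traditional
 * DES-based scheme, which looks at only the first eight password
 * characters - confirm against the platform's crypt() documentation.
 */
char *myencrypt ( char *pword )
  {
  char salt[3];
  int i;

  if ( pword == NULL )
    return ( NULL );

  /* The generator is seeded from the clock and the pid, so its output is
     guessable.  That is tolerable for a salt, which is stored in the clear
     next to the hash, but this generator must not be used for secrets. */
  srandom ( ( time ( NULL ) % 32786 ) + getpid() );
  for ( i = 0; i < 2; i++ )
    {
    /* Draw 7-bit values until one is acceptable to nogood(). */
    do
      {
      salt[i] = (char) ( random() & 0x7F );
      }
      while ( nogood ( salt[i] ) );
    }
  /* crypt() takes the salt as a C string, so terminate it explicitly
     instead of relying on it reading exactly two characters. */
  salt[2] = '\0';
  return ( crypt ( pword, salt ) );
  }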

/*
 * print_usage - write a message and the option summary to stderr, then
 * terminate the process.
 *
 * progname    program name shown in the usage line (callers pass argv[0])
 * message     text printed on the first line, before the usage summary
 * exit_value  status handed to exit(); this function does not return
 */
void print_usage ( char *progname, char *message, int exit_value )
  {
  fprintf ( stderr,
            "%s\nUsage:- %s \n\t-u <username> \n\t-p <plain text password string> | -e <encrypted password string> \n\t[-t <timestamp>]\n\t[-a]\n",
            message, progname );
  fputs ( "\tIf the -t flag is not set current time is used\n", stderr );
  fputs ( "\t-a flag enforces password change at next login\n", stderr );
  exit ( exit_value );
  }

/* errno is set by the user-database calls below and inspected after they
   fail; <errno.h>, included above, already declares it. */
extern int errno;
/* optarg is set by getopt() to the argument of the option just parsed. */
extern char *optarg;

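/*
 * setpass entry point: parse the options, then rewrite the named user's
 * password record through the AIX user-database calls.
 *
 *   -u <username>   account to modify (required)
 *   -p <password>   plain-text password, hashed here via myencrypt()
 *   -e <hash>       already-encrypted password string, stored as given
 *   -t <timestamp>  value for the last-update field; current time if absent
 *   -a              set PW_ADMCHG on the record
 *
 * The value given to -p is part of the process arguments, so it is visible
 * to anyone who can list processes while the program runs.  -e keeps the
 * plain text off the command line.
 *
 * Every failure goes through print_usage(), which exits with status 1.
 * Returns 0 on success.
 */
int main(int argc, char *argv[])
{
  struct userpw  *upw;
  char           *msg = NULL;
  time_t          lastupdate;
  int             c;
  int             nUID;
  int             iAflag = 0;
  char           *uname = NULL;
  char           *pword = NULL;
  char           *cpword = NULL;
  char           *tstamp = NULL;

  /* Only the real UID is checked. */
  if ( getuid() != 0 )
    print_usage ( argv[0], "You must be root to use this", 1 );

  /* getopt() signals the end of the options with -1. */
  while ( ( c = getopt ( argc, argv, "u:p:t:e:a" ) ) != -1 )
    {
    switch (c)
      {
      case 'u' :
        uname = optarg;
        break;
      case 'e' :
        pword = optarg;
        break;
      case 'p' :
        cpword = optarg;
        break;
      case 't' :
        tstamp = optarg;
        break;
      case 'a' :
        iAflag = 1;
        break;
      case '?' :
      default :
        print_usage ( argv[0], "Unknown option", 1 );
        break;
      }
    }

  if ( ! uname )
    print_usage ( argv[0], "No user name specified", 1 );

  if ( ( ! pword ) && ( ! tstamp ) && ( ! cpword ) )
   print_usage ( argv[0], "At least one of password or timestamp must be specified", 1 );

  if ( pword && cpword )
    print_usage ( argv[0], "Either clear password OR encrypted password may be used", 1 );

  /* Validate the timestamp before any database is opened or written, so a
     malformed value cannot leave the account half-updated. */
  if ( tstamp )
    {
    char *end;
    long  v;

    errno = 0;
    v = strtol ( tstamp, &end, 10 );
    if ( end == tstamp || *end != '\0' || errno == ERANGE || v < 0 )
      print_usage ( argv[0], "Timestamp must be a non-negative integer", 1 );
    lastupdate = (time_t) v;
    }
  else
    lastupdate = time ( NULL );

  if ((setuserdb (S_WRITE)) != 0)
    print_usage ( argv[0], "Unable to open /etc/passwd for writing", 1 );
  if ((setpwdb (S_WRITE)) != 0)
    print_usage ( argv[0], "Unable to open /etc/security/passwd for writing", 1 );

  /* Looking up the UID doubles as an existence check for the user. */
  if ((getuserattr ( uname, S_ID, &nUID, SEC_INT )) != 0 )
    {
    if (errno == ENOENT)
      print_usage ( argv[0], "No entry for this user", 1 );
    else
      print_usage ( argv[0], "Unknown error editing /etc/passwd", 1 );
    }
  /* The UID floor below is disabled, so nothing restricts this tool to
     unprivileged accounts: it will also rewrite root's password. */
/*
  if ( nUID < 1000 )
    {
    print_usage ( argv[0], "This facility is only valid for non privileged users", 1 );
    }
*/
  /* Store "!" as the S_PWD attribute.  NOTE(review): presumably this marks
     the password as held in /etc/security/passwd - confirm. */
  if ((putuserattr ( uname, S_PWD, "!", SEC_CHAR)) != 0)
    {
    if (errno == ENOENT)
      print_usage ( argv[0], "No entry for this user", 1 );
    else
      print_usage ( argv[0], "Unknown error editing /etc/passwd", 1 );
    }

  if ((putuserattr ( uname, S_ID, "0", SEC_COMMIT)) != 0)
    print_usage ( argv[0], "Unable to commit chages to /etc/passwd", 1 );

  if ( ( upw = getuserpw ( uname ) ) == NULL )
    print_usage ( argv[0], "Unable to get user details", 1 );
  if ( pword )
    upw->upw_passwd = pword;
  if ( cpword )
    upw->upw_passwd = myencrypt ( cpword );
  upw->upw_lastupdate = lastupdate;
  /* NOTE(review): plain assignment discards any flags already set on the
     record; confirm that is intended rather than OR-ing PW_ADMCHG in. */
  if ( iAflag )
    upw->upw_flags = PW_ADMCHG;

  /* putuserpwhist() stores a message pointer through its second argument,
     so it must be given the address of a real char *.  Passing an
     uninitialised char ** here is undefined behaviour and a likely cause of
     a crash at this call.  NOTE(review): msg may point at a diagnostic on
     return; this program does not print it. */
  if ((putuserpwhist ( upw, &msg )) != 0)
    print_usage ( argv[0], "Unable to update /etc/security/passwd", 1 );
  if ((enduserdb ()) != 0)
    print_usage ( argv[0], "Unable to close /etc/passwd", 1 );
  if ((endpwdb ()) != 0)
    print_usage ( argv[0], "Unable to close /etc/security/passwd", 1 );

  return 0;
}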
Compile this and release it to all your lpars
Then
Code:
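# The -p value is part of the ssh command line, so it appears in the process
# list on this machine and on each remote host while the command runs (and in
# shell history if the loop is typed interactively).  setpass also accepts
# -e with an already-encrypted password string.
for host in host1 host2 host3 host4
do
  ssh "$host" /usr/local/bin/setpass -u root -p Secret01
done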

Ceci n'est pas une signature
Columb Healy
 
Hi columb.

I've just seen your message! thanks for the nice coding but the thing is we don't have the c-compiler installed on our servers! and i've never installed one! Do you know how and where i can find one?

Regards,
Khalid
 
The easiest is to install gcc which is on the Linux extras CD that we got with our AIX 5.1 systems.


Ceci n'est pas une signature
Columb Healy
 
Mike,

here is what i got when i tried installing expect!

Code:
# rpm -ivh expect-5.34-8.aix4.3.ppc.rpm
error: failed dependencies:
        libtcl8.3.so is needed by expect-5.34-8
        libtk8.3.so is needed by expect-5.34-8

any idea how to come over this???

Regards,
Khalid
 
columb,

Could you remind me how to compile a c script :) I did this a long time ago at the Univ!

Thanks.

Regards,
Khalid
 
That's what i tried!

Code:
# gcc setpass
ld: 0711-715 ERROR: File setpass cannot be processed.
        The file must be an object file, an import file, or an archive
collect2: ld returned 8 exit status

Code:
# setpass -u root -p khalid
setpass: /WebSM.pref: 0403-006 Execute permission denied.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
A file or directory in the path name does not exist.
setpass[5]: username: 0403-016 Cannot find or open the file.
A file or directory in the path name does not exist.
setpass[6]: timestamp: 0403-016 Cannot find or open the file.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
A file or directory in the path name does not exist.
setpass[8]: password: 0403-016 Cannot find or open the file.
A file or directory in the path name does not exist.
setpass[9]: encrypted: 0403-016 Cannot find or open the file.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
setpass[12]: bkuptest/: 0403-006 Execute permission denied.
setpass[24]: 0403-057 Syntax error at line 24 : `(' is not expected.

Sorry if this is too obvious! My c knowledge is rusty a bit!

Regards,
Khalid
 
Assuming you have gcc installed
1. Copy the code into a file called 'setpass.c'
2. run 'export CC=gcc'
3. run 'make setpass'

You should now have a binary called 'setpass' which you can copy to your various systems.

Ceci n'est pas une signature
Columb Healy
 
Khalid,

To compile a program use

gcc -o <Program Name> <Source file(s)>

i.e. gcc -o test test.c

Before going down the `c` route, please consider the following future problems.

1. Losing the source code: once this has occurred it is very difficult to change the functionality of the program.

2. If IBM change any of the header files and/or lib files in a ML update, you may have to recompile and/or recode it. I have just experienced this problem with Tivoli Monitoring, where previously they supplied supporting `c` headers and replaced them with java libs in new versions of Tivoli! Hence, had to recode our in-house Tivoli programs in java!

If you use Expect you wouldn't get the above problems as it sits above the OS.

By the way you have to install TCL/TK to get expect working.


Brian
 
Install TCL and TK; They should be on the Linux Tools CD or get them from the IBM site.




Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
 
columb,

That's what i did and here is what i got!

Code:
# mv setpass setpass.c
# export CC=gcc
# make setpass
        gcc -O  setpass.c -o setpass
# setpass -u root -p khalid
Segmentation fault(coredump)

Any idea why?

Mike and Brian,

Thanks for your comments! I'm now trying to install the tcl and tk. I will let you know what will happen soon!

Regards,
Khalid
 
Guys,

I was able to install the expect at last! but now i'm trying to use it as follows:

Code:
# chpasswd.scr
ksh: chpasswd.scr:  not found.
# cat chpasswd.scr
#!/usr/local/bin/expect

spawn passwd exptest
set password khalid12
expect "*password:*"
sleep 1
send "$password\r"
expect "*password again:*"
sleep 1
send "$password\r"
expect eof
# . chpasswd.scr
ksh: spawn:  not found.
couldn't read file "*password:*": no such file or directory
I'm going to create the standard MH path for you.
send: unable to stat draft file //Mail/\r: A file or directory in the path name
does not exist.
couldn't read file "*password again:*": no such file or directory
send: unable to stat draft file //Mail/\r: A file or directory in the path name
does not exist.
couldn't read file "eof": no such file or directory

Any body can suggest how to use this now!?!

Thanks

Regards,
Khalid
 
I made some changes to the file but still doesn't work!

Code:
# cat chpasswd.scr
#!/usr/bin/expect

spawn passwd admkay
set password khalid12
expect "*password:*"
sleep 1
send "$password\r"
expect "*password again:*"
sleep 1
send "$password\r"
expect eof

Regards,
Khalid
 
Thanks guys for the help!

I finally got it working!

I used autoexpect :)

# autoexpect -f mypass2 passwd admkay

and here is mypass2 file

Code:
# cat mypass2
#!/usr/bin/expect -f
#
# This Expect script was generated by autoexpect on Thu Nov 29 16:25:08 2007
# Expect and autoexpect were both written by Don Libes, NIST.
#
# Note that autoexpect does not guarantee a working script.  It
# necessarily has to guess about certain things.  Two reasons a script
# might fail are:
#
# 1) timing - A surprising number of programs (rn, ksh, zsh, telnet,
# etc.) and devices discard or ignore keystrokes that arrive "too
# quickly" after prompts.  If you find your new script hanging up at
# one spot, try adding a short sleep just before the previous send.
# Setting "force_conservative" to 1 (see below) makes Expect do this
# automatically - pausing briefly before sending each character.  This
# pacifies every program I know of.  The -c flag makes the script do
# this in the first place.  The -C flag allows you to define a
# character to toggle this mode off and on.

set force_conservative 0  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
        set send_slow {1 .1}
        proc send {ignore arg} {
                sleep .1
                exp_send -s -- $arg
        }
}

#
# 2) differing output - Some programs produce different output each time
# they run.  The "date" command is an obvious example.  Another is
# ftp, if it produces throughput statistics at the end of a file
# transfer.  If this causes a problem, delete these patterns or replace
# them with wildcards.  An alternative is to use the -p flag (for
# "prompt") which makes Expect only look for the last line of output
# (i.e., the prompt).  The -P flag allows you to define a character to
# toggle this mode off and on.
#
# Read the man page for more info.
#
# -Don


set timeout -1
spawn passwd admkay
match_max 100000
expect -exact "Changing password for \"admkay\"\r
admkay's New password: "
send -- "khalid123\r"
expect -exact "\r
Enter the new password again:"
send -- "khalid123\r"
expect eof

I will try it on root :) and the rest of the LPARs.

Stars for every body :)

Regards,
Khalid
 


Try -

rpm -ql expect-5.34-8 |grep `passmass` on one of your AIX servers. It should be located in `/opt/freeware/bin/`. Then vi this file.


No need to c code now.


Brian
 
Khalid

You tried
Code:
# mv setpass setpass.c
# export CC=gcc
# make setpass
        gcc -O  setpass.c -o setpass
# setpass -u root -p khalid
Segmentation fault(coredump)
Do you have '.' in your path?
What happens when you try
Code:
./setpass -u root -p khalid
What version of AIX are you on?

Ceci n'est pas une signature
Columb Healy
 
Would still look at setting up an LDAP server, much more secure...

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."
 