Changing Password on Multiple LPARs 4

[khalidaaa]

AIXers,

How can i change my password of multiple LPARs given that ssh is already configured between those LPARs not to prompt for password on login?

I have 16 LPARs and it is a headache to change each one's root password at a time!

Thanks.

Regards,
Khalid

 

[mrn]

Have you considered using ldap?

You could also script this with expect and to make it really easy use autoexpect which just records everything you type and turns it into an executable script.

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."

 

[khalidaaa]

No we haven't considered LDAP!

and its my first time to hear about expect! Can you please give me something to read about this?

Thanks for the nice comment Mike.

Regards,
Khalid

 

[columb]

My answer to this is to use a C program

/*******************************************************
* setpass                                              *
* sets AIX passwords in batch mode                     *
* options                                              *
*  -u <username>  Username of password to set          *
*  -t <timestamp> last amended time - defaults to      *
*                 current time                         *
*  -p <password>  password in plain text               *
*  -e <encrypted password> encrypted password          *
*  -a             enforce password change              *
*  The -e and -p optins are mutually exclusive         *
*******************************************************/

#include <stdio.h>
#include <usersec.h>
#include <userpw.h>
#include <pwd.h>
#include <crypt.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/types.h>

#define nogood(c) ((! isupper(c))&&(!isdigit(c))&&(c!='.')&&(c!='/'))

char *myencrypt ( char *pword )
  {
  char salt[2];
  time_t T;
  int i;

  T = time ( &T );
  srandom ( ( time (&T) % 32786 ) + getpid() );
  for ( i = 0; i < 2; i++ )
    {
    do
      {
      salt[i] = (char)random() & 0x007F;
      }
      while ( nogood ( salt[i] ) );
    }
  return ( crypt ( pword, salt ) );
  }

void print_usage ( char *progname, char *message, int exit_value )
  {
  fprintf ( stderr, "%s\nUsage:- %s \n\t-u <username> \n\t-p <plain text password string> | -e <encrypted password string> \n\t[-t <timestamp>]\n\t[-a]\n", message, progname );
  fprintf ( stderr, "\tIf the -t flag is not set current time is used\n" );
  fprintf ( stderr, "\t-a flag enforces password change at next login\n" );
  exit (exit_value);
  }

extern int errno;
extern char *optarg;

main(int argc, char *argv[])
{

  struct passwd   pw;
  struct userpw  *upw;
  char          **msgp;
  time_t          T;
  int             c;
  int            nUID;
  int            iAflag = 0;
  char           *uname = NULL;
  char           *pword = NULL;
  char           *cpword = NULL;
  char           *tstamp = NULL;

  if ( getuid() != 0 )
    print_usage ( argv[0], "You must be root to use this", 1 );

  while ( ( c = getopt ( argc, argv, "u:p:t:e:a" ) ) != EOF )
    {
    switch (c)
      {
      case 'u' :
        uname = optarg;
        break;
      case 'e' :
        pword = optarg;
        break;
      case 'p' :
        cpword = optarg;
        break;
      case 't' :
        tstamp = optarg;
        break;
      case 'a' :
        iAflag = 1;
        break;
      case '?' :
        print_usage ( argv[0], "Unknown option", 1 );
        break;
      }
    }

  if ( ! uname )
    print_usage ( argv[0], "No user name specified", 1 );

  if ( ( ! pword ) && ( ! tstamp ) && ( ! cpword ) )
   print_usage ( argv[0], "At least one of password or timestamp must be specified", 1 );

  if ( pword && cpword )
    print_usage ( argv[0], "Either clear password OR encrypted password may be used", 1 );

  if ((setuserdb (S_WRITE)) != 0)
    print_usage ( argv[0], "Unable to open /etc/passwd for writing", 1 );
  if ((setpwdb (S_WRITE)) != 0)
    print_usage ( argv[0], "Unable to open /etc/security/passwd for writing", 1 );

  if ((getuserattr ( uname, S_ID, &nUID, SEC_INT )) != 0 )
    {
    if (errno == ENOENT)
      print_usage ( argv[0], "No entry for this user", 1 );
    else
      print_usage ( argv[0], "Unknown error editing /etc/passwd", 1 );
    }
/*
  if ( nUID < 1000 )
    {
    print_usage ( argv[0], "This facility is only valid for non privileged users", 1 );
    }
*/
  if ((putuserattr ( uname, S_PWD, "!", SEC_CHAR)) != 0)
    {
    if (errno == ENOENT)
      print_usage ( argv[0], "No entry for this user", 1 );
    else
      print_usage ( argv[0], "Unknown error editing /etc/passwd", 1 );
    }

  if ((putuserattr ( uname, S_ID, "0", SEC_COMMIT)) != 0)
    print_usage ( argv[0], "Unable to commit chages to /etc/passwd", 1 );

  if ( ( upw = getuserpw ( uname ) ) == NULL )
    print_usage ( argv[0], "Unable to get user details", 1 );
  if ( pword )
    upw->upw_passwd = pword;
  if ( cpword )
    upw->upw_passwd = myencrypt ( cpword );
  if ( tstamp )
    upw->upw_lastupdate = (time_t) atol ( tstamp );
  else
    upw->upw_lastupdate = (time_t ) time ( &T );
  if ( iAflag )
    upw->upw_flags = PW_ADMCHG;

  if ((putuserpwhist ( upw, msgp)) != 0)
    print_usage ( argv[0], "Unable to update /etc/security/passwd", 1 );
  if ((enduserdb ()) != 0)
    print_usage ( argv[0], "Unable to close /etc/passwd", 1 );
  if ((endpwdb ()) != 0)
    print_usage ( argv[0], "Unable to close /etc/security/passwd", 1 );
  }

Compile this and release it to all your lpars
Then

for host in host1 host2 host3 host4
do
  ssh $host /usr/local/bin/setpass -u root -p Secret01
done

Ceci n'est pas une signature
Columb Healy

 

[khalidaaa]

I just found these links on expect! it seems to be great! Thanks Mike. I will read through them and will come back to you with my findings

http://www.softpanorama.org/Utilities/expect.shtml

http://www.unix.com/aix/42467-problem-expect-eof.html

Regards,
Khalid

 

[khalidaaa]

Hi columb.

I've just seen your message! thanks for the nice coding but the thing is we don't have the c-compiler installed on our servers! and i've never installed one! Do you know how and where i can find one?

Regards,
Khalid

 

[columb]

The easiest is to install gcc which is on the Linux extras CD that we got with our AIX 5.1 systems.


Ceci n'est pas une signature
Columb Healy

 

[khalidaaa]

Mike,

here is what i got when i tried installing expect!

# rpm -ivh expect-5.34-8.aix4.3.ppc.rpm
error: failed dependencies:
        libtcl8.3.so is needed by expect-5.34-8
        libtk8.3.so is needed by expect-5.34-8

any idea how to come over this???

Regards,
Khalid

 

[khalidaaa]

columb,

Could you remind you of how to compile a c script I did this long time ago in the Univ!

Thanks.

Regards,
Khalid

 

[khalidaaa]

That's what i tried!

# gcc setpass
ld: 0711-715 ERROR: File setpass cannot be processed.
        The file must be an object file, an import file, or an archive
collect2: ld returned 8 exit status

# setpass -u root -p khalid
setpass: /WebSM.pref: 0403-006 Execute permission denied.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
A file or directory in the path name does not exist.
setpass[5]: username: 0403-016 Cannot find or open the file.
A file or directory in the path name does not exist.
setpass[6]: timestamp: 0403-016 Cannot find or open the file.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
A file or directory in the path name does not exist.
setpass[8]: password: 0403-016 Cannot find or open the file.
A file or directory in the path name does not exist.
setpass[9]: encrypted: 0403-016 Cannot find or open the file.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
README_v11.txt: Hello:  not found.
README_v11.txt[2]: This:  not found.
README_v11.txt[4]: This:  not found.
README_v11.txt[5]: But:  not found.
README_v11.txt[6]: If:  not found.
README_v11.txt[7]: accept:  not found.
README_v11.txt[9]: Please:  not found.
README_v11.txt[10]: 0403-057 Syntax error at line 10 : `(' is not expected.
setpass[12]: bkuptest/: 0403-006 Execute permission denied.
setpass[24]: 0403-057 Syntax error at line 24 : `(' is not expected.

Sorry if this is too obvious! My c knowledge is rusty a bit!

Regards,
Khalid

 

[columb]

Assuming you have gcc installed
[ol]
[li]Copy the code into a file called 'setpass.c'[/li]
[li]run 'export CC=gcc'[/li]
[li]run 'make setpass'[/li]
[/ol]You should now have a binary called 'setpass' whioh you can copy to your various systems.

Ceci n'est pas une signature
Columb Healy

 

[bdw238]

Khalid,

To compile a program use

gcc -o <Program Name> <Source file(s)>

i.e. gcc -o test test.c

Before going down the `c` route, please consider the following future problems.

1. Loosing source code, as once this has a occurred it very difficult to change the functionality of the program.

2. If IBM change any of the header files and/or lib files in a ML update, you may have to recompile and/or recode it. I have just expereniced this problem with the Tivoli Monitoring where previous they supplied supporting `c` headers and replaced it with java libs in new versions of Tivoli! Hence, had to recode are in-house Tivoli programs into java!

If you use Expect you wouldn't get the above problems as it sits above the OS.

By the way you have to install TCL/TK to get expect working.


Brian

 

[mrn]

Install TCL and TK; They should be on the Linux Tools CD or get them from the IBM site.




Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."

 

[khalidaaa]

columb,

That's what i did and here is what i got!

# mv setpass setpass.c
# export CC=gcc
# make setpass
        gcc -O  setpass.c -o setpass
# setpass -u root -p khalid
Segmentation fault(coredump)

Any idea why?

Mike and Brian,

Thanks for your comments! I'm now trying to install the tcl and tk. I will let you know what will happen soon!

Regards,
Khalid

 

[khalidaaa]

Guys,

I was able to install the expect at last! but now i'm trying to use it as follows:

# chpasswd.scr
ksh: chpasswd.scr:  not found.
# cat chpasswd.scr
#!/usr/local/bin/expect

spawn passwd exptest
set password khalid12
expect "*password:*"
sleep 1
send "$password\r"
expect "*password again:*"
sleep 1
send "$password\r"
expect eof
# . chpasswd.scr
ksh: spawn:  not found.
couldn't read file "*password:*": no such file or directory
I'm going to create the standard MH path for you.
send: unable to stat draft file //Mail/\r: A file or directory in the path name
does not exist.
couldn't read file "*password again:*": no such file or directory
send: unable to stat draft file //Mail/\r: A file or directory in the path name
does not exist.
couldn't read file "eof": no such file or directory

Any body can suggest how to use this now!?!

Thanks

Regards,
Khalid

 

[khalidaaa]

I made some changes to the file but still doesn't work!

# cat chpasswd.scr
#!/usr/bin/expect

spawn passwd admkay
set password khalid12
expect "*password:*"
sleep 1
send "$password\r"
expect "*password again:*"
sleep 1
send "$password\r"
expect eof

Regards,
Khalid

 

[khalidaaa]

Thanks guys for the help!

I finally got it working!

I used autoexpect

# autoexpect -f mypass2 passwd admkay

and here is mypass2 file

# cat mypass2
#!/usr/bin/expect -f
#
# This Expect script was generated by autoexpect on Thu Nov 29 16:25:08 2007
# Expect and autoexpect were both written by Don Libes, NIST.
#
# Note that autoexpect does not guarantee a working script.  It
# necessarily has to guess about certain things.  Two reasons a script
# might fail are:
#
# 1) timing - A surprising number of programs (rn, ksh, zsh, telnet,
# etc.) and devices discard or ignore keystrokes that arrive "too
# quickly" after prompts.  If you find your new script hanging up at
# one spot, try adding a short sleep just before the previous send.
# Setting "force_conservative" to 1 (see below) makes Expect do this
# automatically - pausing briefly before sending each character.  This
# pacifies every program I know of.  The -c flag makes the script do
# this in the first place.  The -C flag allows you to define a
# character to toggle this mode off and on.

set force_conservative 0  ;# set to 1 to force conservative mode even if
                          ;# script wasn't run conservatively originally
if {$force_conservative} {
        set send_slow {1 .1}
        proc send {ignore arg} {
                sleep .1
                exp_send -s -- $arg
        }
}

#
# 2) differing output - Some programs produce different output each time
# they run.  The "date" command is an obvious example.  Another is
# ftp, if it produces throughput statistics at the end of a file
# transfer.  If this causes a problem, delete these patterns or replace
# them with wildcards.  An alternative is to use the -p flag (for
# "prompt") which makes Expect only look for the last line of output
# (i.e., the prompt).  The -P flag allows you to define a character to
# toggle this mode off and on.
#
# Read the man page for more info.
#
# -Don


set timeout -1
spawn passwd admkay
match_max 100000
expect -exact "Changing password for \"admkay\"\r
admkay's New password: "
send -- "khalid123\r"
expect -exact "\r
Enter the new password again:"
send -- "khalid123\r"
expect eof

I will try it on root and the rest of the LPARs.

Stars for every body

Regards,
Khalid

 

[bdw238]

Try -

rpm -ql expect-5.34-8 |grep `passmass` on one of you Aix servers. It should be located in `/opt/freeware/bin/`. Then vi this file.


No need to c code now.


Brian

 

[columb]

Khalid

You tried

# mv setpass setpass.c
# export CC=gcc
# make setpass
        gcc -O  setpass.c -o setpass
# setpass -u root -p khalid
Segmentation fault(coredump)

Do you have '.' in your path?
What happens when you try

./setpass -u root -p khalid

What version of AIX are you on?

Ceci n'est pas une signature
Columb Healy

 

[mrn]

Would still look at setting up an LDAP server, much more secure...

Mike

"Whenever I dwell for any length of time on my own shortcomings, they gradually begin to seem mild, harmless, rather engaging little things, not at all like the staring defects in other people's characters."