
/etc/shadow password change script


ponetguy2

MIS
Aug 28, 2002
442
US
#!/bin/sh

cp /etc/shadow /etc/shadow.copy.date

sed "s/^user:oldpassord.*/user:newpassword" /etc/shadow.copy.date> /etc/shadow"

/usr/bin/chmod 400 /etc/shadow

/usr/bin/chown root:sys /etc/shadow

exit

Will this work? I'm supposed to change the password of a certain user on a bunch of Solaris and Linux boxes. I was thinking of using fan_out to connect to multiple machines at a time.

I still need to figure out a way to log the failed and successful changes. Any help will be appreciated.

"Not all OSs suck, it's just that some OSs suck worse than others"


 
Nope. It did not work. :(

"Not all OSs suck, it's just that some OSs suck worse than others"


 
Please help me with sed. How can I change the password section in /etc/shadow?

"Not all OSs suck, it's just that some OSs suck worse than others"


 
Fixed it. Here is the new script:

#!/bin/sh
#
# It sets the system's user password to the entry defined in PASSWD.

echo "setting password for user"

# set the user password
PASSWD=dTeamw8RPFvFE
/usr/bin/cp /export/home/scripts/shadow /export/home/scripts/shadow.orig
/usr/bin/sed -e "s/user:Hs4mx85gKHOBY:13594:/user:$PASSWD:13594:/" /export/home/scripts/shadow.orig > /export/home/scripts/shadow
/usr/bin/chmod 400 /export/home/scripts/shadow

The only thing I need to fix in this script is the sed search part. I want to replace any type of password by user to dTeamw8RPFvFE. I tried to use *, but it did not work. Please help.

"Not all OSs suck, it's just that some OSs suck worse than others"


 
Okay. I'm almost there. This is the only line I'm having problems with:

/usr/bin/sed -e "s/user:.*:/user:$PASSWD:/" /export/home/scripts/shadow.orig > /export/home/scripts/shadow

Here is what happens:

Before:
user:Hs4mx85gKHOBY:13594:7:56:7:::

After:
user:dTeamw8RPFvFE:

I just want to change the password section. The ideal output should be like this:

user:dTeamw8RPFvFE:13594:7:56:7:::

Please help.

"Not all OSs suck, it's just that some OSs suck worse than others"


 
Try using awk. I am not the best awker and you will probably have to change the code below, but try something like this.

Code:
# split on ":" so $2 is the hash field; match the line by account name, not by the old hash
awk 'BEGIN { FS = OFS = ":" } /^user:/ { $2 = "dTeamw8RPFvFE" }; \
{ print }' /etc/shadow > /etc/shadow.new

 
This should work.

Code:
awk '/^user/{gsub(/Hs4mx85gKHOBY/, "dTeamw8RPFvFE")};{print}'
 
Or if you actually have an * in field 2 then backslash it.

Code:
awk '/^user/{gsub(/\*/, "dTeamw8RPFvFE")};{print}'
 
I've been playing with perl recently.

OLD=Hs4mx85gKHOBY
NEW=dTeamw8RPFvFE
FILE=/etc/passwd

perl -pi -e "s/$OLD/$NEW/" $FILE
 
The regex is greedy and matching the last occurrence of : .
Try using a non-greedy pattern by using ?

something like
Code:
/usr/bin/sed -e "s/user:.*:?/user:$PASSWD:/" /export/home/scripts/shadow.orig > /export/home/scripts/shadow

Warning: code not tested.



--------------------------------------------------------------------------
I never set a goal because you never know what's going to happen tomorrow.
 
Thank you everyone for the help. I got the script to work on our Solaris servers, but I messed up our Linux boxes. Luckily, I only did 10 boxes first and I backed up the shadow file before running the script.

Here is the script which messed up the Linux boxes:

#!/bin/sh
echo "setting password for user"

# set the user password
PASSWD=passwordhere
/usr/bin/cp /export/home/scripts/passwords/shadow /export/home/scripts/passwords/shadow.orig
/usr/bin/sed -e "s/user:[^:]*\(.*\)/user:$PASSWD\1/" /export/home/scripts/passwords/shadow.orig > /export/home/scripts/passwords/shadow
/usr/bin/chmod 400 /export/home/scripts/passwords/shadow


"Not all OSs suck, it's just that some OSs suck worse than others"


 
I would use awk as KHz suggested:

awk 'BEGIN { FS=OFS=":" } /^user:/ { $2 = "newpassword" } 1' /export/home/scripts/passwords/shadow.orig > /export/home/scripts/passwords/shadow

But if you prefer sed:

sed -e '/^user:/s/:[^:]*:/:newpassword:/' /export/home/scripts/passwords/shadow.orig > /export/home/scripts/passwords/shadow

Annihilannic.
 
Okay, I'll try awk, as KHz suggested.

However, this script should work with Solaris and RH, right? I ran this script on a Linux box and it zeroed the shadow file. Also, the cp portion did not work either. There was no backup copied in /tmp. Another question, will the encrypted password work for Linux and Solaris? I believe it should since crypt was used. The script worked for Solaris, but not with Linux.

Please advise.

"Not all OSs suck, it's just that some OSs suck worse than others"


 
Solaris and Linux use different encryption methods, so the encrypted passwords will not be interchangeable.

I tested both of the solutions I pasted above on Solaris and Linux; however, on Solaris you will need to use nawk because Sun are luddites.

Annihilannic.
 
Here is my revised script:

#!/bin/sh

DATE=`date +%m%d%y`
# PASSWD must be the already-encrypted (crypt) hash, not the clear text:
# usermod -p and the shadow/passwd files store the value as-is.
PASSWD="newpasswordhere"

UNAME=`uname -s`

if [ "$UNAME" = "Linux" ]; then
cp /etc/shadow /etc/shadow.$DATE
/usr/sbin/usermod -p "$PASSWD" root
exit
fi

if [ "$UNAME" = "SunOS" ]; then
cp /etc/shadow /etc/shadow.$DATE
# double quotes so $PASSWD actually expands (single quotes wrote the literal string);
# "|" as the sed delimiter because a crypt hash can contain "/"
sed "s|^root:.*$|root:$PASSWD:13063::::::|" /etc/shadow > /tmp/shadow
mv /tmp/shadow /etc
chmod 400 /etc/shadow; chown root:root /etc/shadow
exit
fi

if [ "$UNAME" = "HP-UX" ]; then
cp /etc/passwd /etc/passwd.$DATE
sed "s|^root:.*$|root:$PASSWD:0:3::/home/root:/sbin/sh|" /etc/passwd > /tmp/passwd
mv /tmp/passwd /etc
chmod 444 /etc/passwd; chown root:sys /etc/passwd
exit
fi


Thank you to everyone who posted. Plus I'm not taking full credit for this script. My friend at work helped me out by giving me a few suggestions.

"Not all OSs suck, it's just that some OSs suck worse than others"


 
For your question about logging failed attempts....

you can use syslog to do that

/etc/syslog.conf

# selector and action must be separated by a tab, not spaces
auth.info	/var/log/authlog
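The awk approach suggested earlier in the thread, written out as an added example that is not code from the thread or from any of its posters: it rewrites only the hash field (so the greedy `.*` problem of the sed attempts cannot occur), writes to a temporary file and checks the exit status so a failing command can never truncate the shadow file (the "zeroed shadow" seen on the Linux boxes), and records the outcome through syslog as the last post suggests. It assumes POSIX sh, awk, mktemp and logger, and runs on a constructed sample file, never /etc/shadow itself.

```shell
#!/bin/sh
# Added example, not code from the thread. Replaces only the hash field of one
# account in a shadow-format file; assumes POSIX sh, awk, mktemp and logger.
log_auth() {   # best-effort syslog record (auth.info) plus stderr; never fails the caller
    command -v logger >/dev/null 2>&1 && logger -p auth.info -t pwchange "$*" 2>/dev/null || :
    echo "pwchange: $*" >&2
}
# set_shadow_hash USER NEWHASH FILE  -> 0 on success, 1 on any failure
set_shadow_hash() {
    user=$1; newhash=$2; file=$3; tmp="$file.tmp.$$"
    # awk splits on ":" and rewrites field 2 only, so the greedy ".*" problem of the
    # sed attempts cannot occur; -v passes the hash verbatim ("/" and "$" are fine).
    # The END block fails unless exactly one line matched the account name.
    if ! awk -v u="$user" -v h="$newhash" \
        'BEGIN { FS = OFS = ":" } $1 == u { $2 = h; n++ } { print } END { exit n == 1 ? 0 : 1 }' \
        "$file" > "$tmp"; then
        rm -f "$tmp"; log_auth "FAILED: $user in $file (no match, duplicate match, or awk error)"
        return 1
    fi
    # Output went to a temp file, so a failing command never truncates FILE (the
    # "zeroed shadow" seen on the Linux boxes). The line count must be unchanged.
    if [ "$(wc -l < "$tmp" | tr -d ' ')" -ne "$(wc -l < "$file" | tr -d ' ')" ]; then
        rm -f "$tmp"; log_auth "FAILED: line count changed for $file"; return 1
    fi
    chmod 400 "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    log_auth "OK: hash replaced for $user in $file"   # as root, also chown root:sys
}
# demo: constructed sample file using the thread's example line; prints the new "user" line
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:13594:0:99999:7:::' \
        'user:Hs4mx85gKHOBY:13594:7:56:7:::' \
        'nobody:*:13594:0:99999:7:::' > "$d/shadow"
    set_shadow_hash user dTeamw8RPFvFE "$d/shadow" 2>/dev/null || return 1
    grep '^user:' "$d/shadow"
    rm -rf "$d"
}
# demo_unknown_user: the function must refuse and leave the file untouched
demo_unknown_user() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'user:Hs4mx85gKHOBY:13594:7:56:7:::' > "$d/shadow"
    set_shadow_hash nosuch dTeamw8RPFvFE "$d/shadow" 2>/dev/null && { rm -rf "$d"; return 1; }
    [ "$(cat "$d/shadow")" = 'user:Hs4mx85gKHOBY:13594:7:56:7:::' ]; r=$?
    rm -rf "$d"; return $r
}
demo
```

On a real host the function would be run as root against /etc/shadow (Solaris) with a pre-computed crypt hash for that platform, since, as noted above, Solaris and Linux hashes are not interchangeable.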
 