How to update my account password on 100 unix server ?


bolobaboo

MIS
Aug 4, 2008
120
US
Hi
We have over 100 unix servers. They include linux, solaris, aix, hp and sgi. I use telnet for some and ssh for the rest. Note: none of these servers has expect which I can use to update. So I am looking for an expert who can help me with their script or guide me to write a KSH script to automate this.
Thank you very much in advance.
 
Which DON'T have ssh? That is pretty standard, principally for security.

Then you can use public/private keys.
 
Hi
elgraneperro
Some old AIX systems don't have ssh. So I use telnet. Is there a way I can use KSH and then use ssh or telnet to update the password?
 
You only need to install expect on the one system where you will be running your script.

I used to do a similar thing, and had some logic in my expect script to use an appropriate protocol depending on the hostname, as at the time we had legacy systems and network devices which didn't support SSH.

Annihilannic.
 
Hi
Annihilannic
I am having a hard time scripting. Would you share your script with me?
 
I am having a hard time finding expect for Windows. Does anybody have this?
Thank you
 
If ALL the servers are AIX and you have root access and you have a 'C' compiler then compile this code
Code:
/*******************************************************
* setpass                                              *
* sets AIX passwords in batch mode                     *
* options                                              *
*  -u <username>  Username of password to set          *
*  -t <timestamp> last amended time - defaults to      *
*                 current time                         *
*  -p <password>  password in plain text               *
*  -e <encrypted password> encrypted password          *
*  The -e and -p options are mutually exclusive        *
*******************************************************/
 
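#include <stdio.h>
#include <stdlib.h>     /* exit, atol, random, srandom */
#include <unistd.h>     /* getopt, getuid, getpid */
#include <ctype.h>      /* isupper, isdigit */
#include <time.h>       /* time */
#include <usersec.h>
#include <userpw.h>
#include <pwd.h>
#include <crypt.h>
#include <errno.h>
#include <sys/time.h>
#include <sys/types.h>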
 
#define nogood(c) ((! isupper(c))&&(!isdigit(c))&&(c!='.')&&(c!='/'))
 
char *myencrypt ( char *pword )
  {
  char salt[2];
  time_t T;
  int i;
 
  T = time ( &T );
  srandom ( ( time (&T) % 32786 ) + getpid() );
  for ( i = 0; i < 2; i++ )
    {
    do
      {
      salt[i] = (char)random() & 0x007F;
      }
      while ( nogood ( salt[i] ) );
    }
  return ( crypt ( pword, salt ) );
  }
 
void print_usage ( char *progname, char *message, int exit_value )
  {
  fprintf ( stderr, "%s\nUsage:- %s \n\t-u <username> \n\t-p <plain text password string> | -e <encrypted password string> \n\t-t <timestamp>\n", message, progname );
  exit (exit_value);
  }
 
extern char *optarg;

int main(int argc, char *argv[])
{

  struct userpw  *upw;
  char           *msgp = NULL;   /* receives any message from putuserpwhist */
  time_t          T;
  int             c;
  char           *uname = NULL;
  char           *pword = NULL;  /* -e: already-encrypted password */
  char           *cpword = NULL; /* -p: clear-text password */
  char           *tstamp = NULL;

  if ( getuid() != 0 )
    print_usage ( argv[0], "You must be root to use this", 1 );

  while ( ( c = getopt ( argc, argv, "u:p:t:e:" ) ) != -1 )
    {
    switch (c)
      {
      case 'u' :
        uname = optarg;
        break;
      case 'e' :
        pword = optarg;
        break;
      case 'p' :
        cpword = optarg;
        break;
      case 't' :
        tstamp = optarg;
        break;
      case '?' :
        print_usage ( argv[0], "Unknown option", 1 );
        break;
      }
    }

  if ( ! uname )
    print_usage ( argv[0], "No user name specified", 1 );

  if ( ( ! pword ) && ( ! tstamp ) && ( ! cpword ) )
   print_usage ( argv[0], "At least one of password or timestamp must be specified", 1 );

  if ( pword && cpword )
    print_usage ( argv[0], "Either clear password OR encrypted password may be used", 1 );

  /* Open the user and password databases for writing */
  if ((setuserdb (S_WRITE)) != 0)
    print_usage ( argv[0], "Unable to open /etc/passwd for writing", 1 );
  if ((setpwdb (S_WRITE)) != 0)
    print_usage ( argv[0], "Unable to open /etc/security/passwd for writing", 1 );

  /* "!" in /etc/passwd means the real hash lives in /etc/security/passwd */
  if ((putuserattr ( uname, S_PWD, "!", SEC_CHAR)) != 0)
    {
    if (errno == ENOENT)
      print_usage ( argv[0], "No entry for this user", 1 );
    else
      print_usage ( argv[0], "Unknown error editing /etc/passwd", 1 );
    }

  /* With SEC_COMMIT the attribute and value arguments are ignored */
  if ((putuserattr ( uname, S_ID, "0", SEC_COMMIT)) != 0)
    print_usage ( argv[0], "Unable to commit changes to /etc/passwd", 1 );

  if ( ( upw = getuserpw ( uname ) ) == NULL )
    print_usage ( argv[0], "Unable to get user details", 1 );
  if ( pword )
    upw->upw_passwd = pword;
  if ( cpword )
    upw->upw_passwd = myencrypt ( cpword );
  if ( tstamp )
    upw->upw_lastupdate = (time_t) atol ( tstamp );
  else
    upw->upw_lastupdate = (time_t ) time ( &T );

  /* putuserpwhist takes the address of a char * for its message */
  if ((putuserpwhist ( upw, &msgp)) != 0)
    print_usage ( argv[0], "Unable to update /etc/security/passwd", 1 );
  if ((enduserdb ()) != 0)
    print_usage ( argv[0], "Unable to close /etc/passwd", 1 );
  if ((endpwdb ()) != 0)
    print_usage ( argv[0], "Unable to close /etc/security/passwd", 1 );
  return 0;
  }
and install it in, for example, /usr/local/bin.

Then, to change your password all you need to do is run
Code:
/usr/local/bin/setpass -u root -p passw0rd
You can even do
Code:
for host in host1 host2 host3 host4
do
  ssh "$host" /usr/local/bin/setpass -u root -p passw0rd
done
although you may have to be a bit canny about proper passwords which include punctuation characters.


On the internet no one knows you're a dog

Columb Healy
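
The punctuation caveat in the post above arises because ssh hands the command string to the remote shell, which parses it a second time. The following is an added example, not part of the original post: the helper names (sq_quote, build_remote_cmd, push_all), the DRY_RUN switch, the host names and the sample secret are all constructed for illustration; only the setpass path and its -u/-p/-e options come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): quote setpass arguments so they
# survive the remote shell's second round of parsing.
SETPASS=/usr/local/bin/setpass   # install path suggested in the post
DRY_RUN=${DRY_RUN:-1}            # assumption: 1 = print commands, 0 = run ssh

# Wrap a string in single quotes for a POSIX shell; each embedded single
# quote becomes '\'' (close quote, escaped quote, reopen quote).
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# usage: build_remote_cmd <-p|-e> <user> <secret>
# Returns the command string that ssh will pass to the remote shell.
build_remote_cmd() {
    printf '%s -u %s %s %s' "$SETPASS" "$(sq_quote "$2")" "$1" "$(sq_quote "$3")"
}

# usage: push_all <-p|-e> <user> <secret> host...
# Prefer -e with a pre-computed hash: command-line arguments are visible
# in the process list on both ends, so -p exposes the clear text there.
push_all() {
    flag=$1 user=$2 secret=$3
    shift 3
    cmd=$(build_remote_cmd "$flag" "$user" "$secret")
    for host in "$@"; do
        if [ "$DRY_RUN" = 1 ]; then
            printf 'ssh %s %s\n' "$host" "$cmd"
        else
            ssh "$host" "$cmd" || printf 'FAILED: %s\n' "$host" >&2
        fi
    done
}

# Constructed demo: a secret with a quote, a dollar sign, a space and a glob.
push_all -p root 'Pa$$ w'\''rd;*' host1 host2
```

With DRY_RUN left at 1 the script only prints the ssh commands it would run, which makes the quoting easy to inspect before touching a real host.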
 
To address the underlying problem here, I'd suggest you look into using a directory service like NIS+ or LDAP.
 