[olug] remote password changes

Dave Weis djweis at internetsolver.com
Wed May 31 18:34:34 UTC 2006


On Wed, 31 May 2006, Daniel Pfile wrote:
> Sorry guys, I don't think you can pass the password on the command
> line. passwd is interactive only. You could use an expect script to
> do it.

There is a --stdin switch on passwd on my machine, so you could do
echo badpassword | passwd --stdin root

> On May 31, 2006, at 12:59 PM, Will Langford wrote:
>
>> Without user security being a big issue, using rsh or ssh to do the passwd
>> command would fit the bill without extra abstraction to hide password
>> changes.  To rehash rsh / ssh ways of doing it:
>>
>> rsh remote.machine.com passwd username new-password
>> ssh remote.machine.com passwd username new-password
>>
>> The user you're rsh/ssh'ing from will need to have sufficient privileges on
>> the remote machine in order to change that person's password (unsecure
>> example: doing the rsh/ssh as root, with PermitRootLogin set to true in
>> /etc/ssh/sshd_config on the target system).
>>
>> To avoid password prompts for the ssh/rsh logins, key usage would be highly
>> suggested.
>>
>> Lastly, I'm not entirely sure how to check the return value of the command
>> executed to see if it changed the password properly.  If you need to check
>> if the password was changed or not.... just bug us about it.
>>
>> -----
>>
>> In response to Ryan Stille's mysql 'ps aux' hiding by mysql... a program can
>> change its 'command line' shown in 'ps aux', and some security conscious
>> coders look for password switches / passwords in the command line and blank
>> them out manually.  I've done similar under linux in C a year or two ago,
>> but forgot the details.  If any coder is curious, just bug me and I'll dig
>> up the sauce.
>>
>> -Will
>>
>> On 5/31/06, webtrekker at cox.net <webtrekker at cox.net> wrote:
>>>
>>> Hi Will,
>>>
>>> Security isn't a major concern, all of the machines are in an isolated
>>> network.  Mainly I would like to be able to have a list of servers and
>>> reference that list with a script that would then ssh to each in turn and
>>> change one user's password on each.
>>> I don't relish the idea of spending all day ssh'ing to each machine to do
>>> this by hand.
>>>
>>> I will be experimenting with your ideas today.  Thanks!
>>>
>>> ---- Will Langford <unfies at gmail.com> wrote:
>>>> not overly secure, but you can either have a sudo account that you log
>>>> into... and have your ssh connection spawn a password change script... ie:
>>>>
>>>> ssh passchangeuser at host password_change.sh targetuser targetpassword
>>>>
>>>> Where password_change.sh is a front end to passwd.
>>>>
>>>> Naturally, if you're concerned about `ps aux` on either server (ppl seeing
>>>> the running processes), you'll need to have some kind of
>>>> encryption+ascii_conversion package for the "targetpassword" parameter
>>>> (rather than passing the plain text).  A simple and not so effective example
>>>> would be to pass it through rot13 on both ends.
>>>>
>>>> Another option is to do an scp to passchangeuser's account that puts a file
>>>> (say, that's named targetuser and contains the new password inside) in a
>>>> special directory (/home/passchangeuser/newinfo ?) and a cron task that
>>>> constantly looks for new files in that directory and does the passwd command
>>>> to change things as appropriate.  This way the user's password isn't
>>>> transferred plain text and you don't have to worry about `ps aux` people.
>>>>
>>>> No script examples in this email, kinda too busy to actually go about a full
>>>> blown example.
>>>>
>>>> -Will
>>>>
>>>>
>>>> On 5/31/06, webtrekker at cox.net <webtrekker at cox.net > wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I am trying to write a script that will reference a list of machine names
>>>>> and then connect to each one through ssh to change a user's password.
>>>>>
>>>>> SSH can connect to each server without prompting for a password
>>>>> (authorized_keys).
>>>>> I am not a very good script writer, so any help would be greatly
>>>>> appreciated.
>>>>>
>>>>> Thanks,
>>>>> Patrick
>>>>> _______________________________________________
>>>>> OLUG mailing list
>>>>> OLUG at olug.org
>>>>> http://lists.olug.org/mailman/listinfo/olug
>>>>>

-- 
Dave Weis
djweis at internetsolver.com
http://www.internetsolver.com/
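
The stdin approach discussed in this thread, as an added example that is not part of the original messages: a loop over a host list that sends the new password on ssh's standard input and checks each exit status. It assumes key-based login to an account allowed to run chpasswd, and the names hosts.txt, change_password, change_all, SSH and REMOTE_CMD are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: key-based ssh login to an
# account that may run chpasswd, and a hosts file with one hostname per line.
#
# The password is read from stdin and forwarded on ssh's stdin, so it is never
# an argument of any process and `ps aux` on either machine cannot show it
# (printf is a shell builtin in bash and dash, so it has no argv of its own).
#
# Usage after sourcing this file, with the password in a mode-0600 file:
#   change_all hosts.txt alice < newpass.txt

SSH=${SSH:-ssh}                        # overridable for testing without a network
REMOTE_CMD=${REMOTE_CMD:-chpasswd}     # e.g. 'sudo -n chpasswd' for a sudo account

# change_password HOST USER   (new password on stdin)
# chpasswd reads "user:password" lines from stdin and exits non-zero on failure;
# BatchMode makes ssh fail instead of prompting when key login does not work.
change_password() {
    IFS= read -r newpass || [ -n "$newpass" ] || return 2
    printf '%s:%s\n' "$2" "$newpass" | $SSH -o BatchMode=yes "$1" $REMOTE_CMD
}

# change_all HOSTS_FILE USER  (new password on stdin)
# Returns the number of hosts on which the change failed.
change_all() {
    hosts_file=$1 user=$2 failed=0
    IFS= read -r newpass || [ -n "$newpass" ] || return 2
    while IFS= read -r host; do
        case $host in ''|'#'*) continue ;; esac    # skip blanks and comments
        # ssh's stdin is the pipe, so it cannot swallow the rest of the host list
        if printf '%s\n' "$newpass" | change_password "$host" "$user"; then
            echo "OK   $host"
        else
            echo "FAIL $host (exit $?)" >&2
            failed=$((failed + 1))
        fi
    done <"$hosts_file"
    return "$failed"
}
```
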



