I've built a script "createcontainer.sh" to automatically create a container. I call the script as follows:
./createdocker.sh newuser newpass
Internal to the script, the two arguments are assigned to variables as follows:
USERNAME=$1 <-- thus USERNAME=newuser
PASSWORD=$2 <-- thus PASSWORD=newpass
The goal is to create the container (this works), log into it with "root/originalpassword" combination I created in the original image (this works), then add "newuser/newpass" credentials which can then be used to access the container via SSH (this appears to work but doesn't actually work).
Inside createdocker.sh is the following line:
/usr/bin/sshpass -p $ORIGINALPASSWORD ssh -p $PORT -o StrictHostKeyChecking=no root#$IP $SCRIPT
What this does is tell the "createcontainer.sh" script to log into the $IP of the container on $PORT with root and $ORIGINALPASSWORD, automatically accept the SSH host key, then execute $SCRIPT which is defined as follows:
SCRIPT="adduser $USERNAME;\ <-- add newuser
echo -e $PASSWORD\n$PASSWORD | (passwd --stdin $USERNAME);\ <-- set newpass
echo ssh username: $USERNAME;\
echo ssh password: $PASSWORD;\
echo Instance Login Success;\
exit"
As a result, the behavior of my script is as follows:
[root#netunique docker-sshd]# ./signup_createdocker.sh newuser newpass
Instance Created
adduser newuser;echo -e newpass\nnewpass | (passwd --stdin newuser);echo ssh username: newuser;echo ssh password: newpass;echo Instance Login Success;exit
Warning: Permanently added '[localhost]:32936' (RSA) to the list of known hosts.
Changing password for user newuser.
passwd: all authentication tokens updated successfully. <-- appears 'set newpass' worked
ssh username: newuser
ssh password: newpass
Instance Login Success
I then attempt to log into the container with the new credentials:
[root#netunique docker-sshd]# ssh -p 32936 newuser#localhost
myuser#localhost's password: <-- here I type 'newpass'
Permission denied, please try again. <-- here the login fails
myuser#localhost's password:
I think my problem has to do with my quotes (") and evaluation of variables within those quotes. Specifically the in SCRIPT which starts with "echo -e".
If I actually (without the script) log into the container manually and issue the following commands, everything works fine. I'm able to log out of the container than back in with newuser/newpass credentials and I can get into the container just fine.
adduser newuser
echo -e "newpass\nnewpass" | (passwd --stdin newuser)
Notice above though that newpass\nnewpass are surrounded in quotes (") whereas in SCRIPT the entire string is surrounded in quotes ("), not specifically the echo -e statement. If anyone can advise how to fix this, it would help me out a lot. Thanks in advance for the help.
BEFORE
SCRIPT="adduser $USERNAME;\ <-- add newuser
echo -e $PASSWORD\n$PASSWORD | (passwd --stdin $USERNAME);\ <-- set newpass
echo ssh username: $USERNAME;\
echo ssh password: $PASSWORD;\
echo Instance Login Success;\
exit"
AFTER
SCRIPT="adduser $USERNAME;\
echo -e \"$PASSWORD\n$PASSWORD\" | (passwd --stdin $USERNAME);\
echo ssh username: $USERNAME;\
echo ssh password: $PASSWORD;\
echo Instance Login Success;\
exit"
I had to include quotes (") around $PASSWORD\n$PASSWORD (which I had previously tried), but I also had to escape them with blackslash (\) like this: \"
Related
In my bash script ,a private repo is being cloned which prompts for username and password. The issue is even if incorrect username or password is entered and the git authentication fails - remote: Invalid username or password and the script proceeds further ignoring it .i want the git username and password read prompts to run in loop until git authentication succeeds . In other words , if incorrect username or password is entered it should be detected by bash and the read prompts should rerun in loop until git authentication is successful
#!/usr/bin/env bash
# something ....
read -e -p "Input your github username : " username
read -e -p "Input your github password : " password
git clone https://"$username":"$password"#github.com/"$username"/repo
# something ...
How do i solve this problem ?
Git will usually not create the directory of authentication failed. Check if the folder exists and exit if it does not:
test -d ./repo || { echo 'Dir does not exist'; exit 1; };
But before that, the git process should already exit with a non-zero exit code, so you could do this instead:
git clone "https://…#…/path/to/repo" || exit 1;
If you want to keep retrying until the command succeeds, use a loop:
read -e -p 'Input your github username: ' username
read -e -p 'Input your github password: ' password
while ! git clone "https://…#…/path/to/repo"; do
echo 'Error cloning, please retry' >&2;
read -e -p 'Input your github username: ' username
read -e -p 'Input your github password: ' password
done
You might also be interested in How to get a password from a shell script without echoing for preventing shoulder surfing while entering the password.
I am running a particular mongo command which is not hiding the password in ps for some reason. Upon checking the mongo community they are asking us to hide the password on ps by sending the password as an input via echo command
Example
echo mypassword | usr/bin/mongostat --quiet -u readonly --authenticationDatabase admin
Now this works fine as long as the echo password is used at the start of the mongostat command, but the problem comes in when I store this entire value as a string in a variable
password="pass#123"
mongo_command="echo $password | usr/bin/mongostat --quiet -u readonly --authenticationDatabase admin"
$mongo_command
So when I execute the above script the output is coming as follows
pass#123 | /usr/bin/mongostat --quiet -u readonly --authenticationDatabase admin
It is ignoring the echo keyword and only sending the password when the $mongo_command is executed. So how can I avoid this and ensure that echo goes along with the password, then followed by the pipe (|) symbol to the mongo command so that it looks as shown below
echo Csco#123 | /usr/bin/mongostat --quiet -u readonly --authenticationDatabase admin
Enter password:
insert query update delete getmore command flushes mapped vsize res faults qrw arw net_in net_out conn set repl time
Thanks
I am using SSH command to execute the bash scripts remotely:
ssh user#server 'bash -s' < $script_dir/script.sh
And inside the script.sh, I will have the command like below:
ssh-keygen -t rsa
ssh-copy-id postgres#$sqlserver
ssh postgres#$sqlserver -C true
And also
printf "Creating user in postgresql server...\n"
createuser -s -P username
Which need user's input, but I found when I execute the command from the remote server, it will skip getting the users' input and failed.
Another one is:
printf "Please enter your barman server name: \n" ; read -s barmanserver
Which cannot read user's input neither
I know that the script seems cannot read the other terminal's input, but can anyone help me find a solution if I need the user input to continue?
Thanks a lot!!
Eva
I have used something like this in the past. I am not quite sure why I installed sshpass though.
apt-get install sshpass -y
echo "Adding users to new VMs"
adduser adminuser
echo "changing user password"
echo "adminuser:password" | chpasswd
adduser adminuser sudo
It does work, but it gives you some warning.
We have a number of Red Hat linux servers in our IT environment. I am being asked by my team members to write a script (preferably shell script) to change a user's password on each one of those in a single go, using SSH.
I have tried to find a solution but many of the scripts I found are using Expect. We do not have Expect installed on our servers and the system admins have refused to let us install it. Also, the users do not have root access so passwd --stdin or chpasswd cannot be used.
Is there any way a script can be written so that a user can run it and change the password of only his own user on all the servers in a list?
The remote machine(s) do not need expect installed. You can install expect on a local workstation or VM (virtualbox) or whichever *nix box, and write a wrapper that calls this .ex (expect) script (there may be small changes from distro to distro, this tested on CentOS 5/6):
#!/usr/bin/expect -f
# wrapper to make passwd(1) be non-interactive
# username is passed as 1st arg, passwd as 2nd
set username [lindex $argv 0]
set password [lindex $argv 1]
set serverid [lindex $argv 2]
set newpassword [lindex $argv 3]
spawn ssh $serverid passwd
expect "assword:"
send "$password\r"
expect "UNIX password:"
send "$password\r"
expect "password:"
send "$newpassword\r"
expect "password:"
send "$newpassword\r"
expect eof
You do not need root access to use passwd.
This shoud work just fine.
passwd <<EOF
old password
new password
new password
EOF
You should try pssh (parallel ssh at the same time).
cat>~/ssh-hosts<<EOF
user100#host-foo
user200#host-bar
user848#host-qux
EOF
pssh -h ~/pssh-hosts 'printf "%s\n" old_pass new_pass new_pass | passwd'
Building on squashbuff's example, I tried the following, which worked well for me:
#!/bin/bash
for server in `cat hostlist`; do
echo $server;
ssh username#$server 'passwd <<EOF
old_password
new_password
new_password
EOF';
done
Security wise, Could be improved to take input without echoing to the screen OR saving the plaintext to disk.
echo "name:password" | chpasswd
Another possibility: change it manually on one server. Get the encrypted password out of /etc/shadow. Now, do something like this:
for host in $HOST_LIST; do
ssh $host "passwd -p 'encrypted_passwd' user"
done
Of course, 'encrypted_passwd" is what you got out of /etc/shadow where you manually changed the password. And $HOST_LIST is a list of hosts where you want the password changed. That could be created simply with:
export HOST_LIST="server1 server2 server15 server67"
Or perhaps with a file (as others have suggested):
export HOST_LIST=`cat host_list.txt`
Where the file "host_list.txt" has a list of all the systems where you want the password changed.
Edit: if your version of passwd doesn't support the -p option, you might have the 'usermod' program available. The example above remains the same, simply replace 'passwd' with 'usermod'.
Furthermore, you might consider the useful tool pdsh, which would simplify the above example to something like this:
echo $HOST_LIST | pdsh -Rssh -w- "usermod -p 'encrypted_passwd' user"
One last "gotcha" to look out for: the encrypted password likely contains the dollar sign character ('$') as a field separator. You'll probably have to escape those in your for loop or pdsh command (i.e. "$" becomes "\$").
Install sshpass on any of the server from where you want to execute the script.
yum -y install sshpass
Prepare a text file in which you have to pass details like Host, User Name, Password and Port. (Based on your requirement).
192.168.1.2|sachin|dddddd|22
Prepare a script file using below details.
#!/bin/bash
FILE=/tmp/ipaddress.txt
MyServer=""
MyUser=""
MyPassword=""
MyPort=""
exec 3<&0
exec 0<$FILE
while read line
do
MyServer=$(echo $line | cut -d'|' -f1)
MyUser=$(echo $line | cut -d'|' -f2)
MyPassword=$(echo $line | cut -d'|' -f3)
MyPort=$(echo $line | cut -d'|' -f4)
HOST=$MyServer
USR=$MyUser
PASS=$MyPassword
sshpass -p $PASS ssh -p $MyPort -o StrictHostKeychecking=no $USR#$HOST \
-T "echo 'sachin#patel' | passwd --stdin root" \
< /dev/null | tee -a output.log
done
exec 0<&3
An alternative you may want to present to your peers would be to have them use password-less authentication. They'd generate a public/private key pair and register their public key in the ~/.ssh/authorized_keys file on each of the servers they log into.
Can you use Perl?
Here there is an script that changes the password in a set of hosts.
If requires some Perl modules (Net::OpenSSH::Parallel, Expect and their dependencies) installed on the local machine running the script but nothing on the remote servers where the password has to be changed.
Have you tried App::Unix::RPasswd
The passmass script (man page) that comes with Expect doesn't require Expect to be installed on the remote machines.
I just implemented a small tool that changes password for many users/hosts at once. It's java based application so it works on both Windows and Linux. It's free, enjoy :)
Thought I should put my solution in an answer field - not sure if this should be a part of the question..
OK, I have put together a partially working solution using Dennis' suggestion.
servers.txt looks like:
server1
server2
server3
.
.
.
I am using:
for server in `cat servers.txt`; do
ssh $server -l user 'passwd <<EOF
old_pass
new_pass
new_pass
EOF';
done
This produces:
user#server1's password: **<Type password manually>**
(current) UNIX password: New UNIX password: Retype new UNIX password: Changing password for user user.
Changing password for user
passwd: all authentication tokens updated successfully.
user#server2's password: **<Type password manually>**
(current) UNIX password: New UNIX password: Retype new UNIX password: Changing password for user user.
Changing password for user
passwd: all authentication tokens updated successfully.
So here, I still need to type my old password once for each server. Can this be avoided?
If you have ssh, why have passwords in the first place? Push the user's public ssh key to all the servers they're authorized to use and be done with it. This also lets you easily grant and revoke access all you want.
At a previous $dayjob, where we had literally tens of thousands of servers, they had a database of which engineers were allowed on which servers, and the installation of ssh keys was an automated process. Almost NOBODY had a password on ANY machine.
echo -e "wakka2\nwakka2\n" | passwd root
cat /tmp/passwords | ssh $server sudo chpasswd -e
if the password is encrypted, or
cat /tmp/passwords | ssh $server sudo chpasswd
if the password is not encrypted.
/tmp/passwords should have format of "user:password"
The real question is why were they not using some sort of name services? NIS/Yellow Pages or LDAP and you're not having to manually change passwords across a bunch of servers. A user changes their password once and it's done across the domain master.
I'm writing a C Shell program that will be doing su or sudo or ssh. They all want their passwords in console input (the TTY) rather than stdin or the command line.
Does anybody know a solution?
Setting up password-less sudo is not an option.
expect could be an option, but it's not present on my stripped-down system.
For sudo there is a -S option for accepting the password from standard input. Here is the man entry:
-S The -S (stdin) option causes sudo to read the password from
the standard input instead of the terminal device.
This will allow you to run a command like:
echo myPassword | sudo -S ls /tmp
As for ssh, I have made many attempts to automate/script it's usage with no success. There doesn't seem to be any build-in way to pass the password into the command without prompting. As others have mentioned, the "expect" utility seems like it is aimed at addressing this dilemma but ultimately, setting up the correct private-key authorization is the correct way to go when attempting to automate this.
I wrote some Applescript which prompts for a password via a dialog box and then builds a custom bash command, like this:
echo <password> | sudo -S <command>
I'm not sure if this helps.
It'd be nice if sudo accepted a pre-encrypted password, so I could encrypt it within my script and not worry about echoing clear text passwords around. However this works for me and my situation.
For ssh you can use sshpass: sshpass -p yourpassphrase ssh user#host.
You just need to download sshpass first :)
$ apt-get install sshpass
$ sshpass -p 'password' ssh username#server
For sudo you can do this too:
sudo -S <<< "password" command
I've got:
ssh user#host bash -c "echo mypass | sudo -S mycommand"
Works for me.
The usual solution to this problem is setuiding a helper app that performs the task requiring superuser access:
http://en.wikipedia.org/wiki/Setuid
Sudo is not meant to be used offline.
Later edit: SSH can be used with private-public key authentication. If the private key does not have a passphrase, ssh can be used without prompting for a password.
Maybe you can use an expect command?:
expect -c 'spawn ssh root#your-domain.com;expect password;send "your-password\n";interact
That command gives the password automatically.
This can be done by setting up public/private keys on the target hosts you will be connecting to.
The first step would be to generate an ssh key for the user running the script on the local host, by executing:
ssh-keygen
Enter file in which to save the key (/home/myuser/.ssh/id_rsa): <Hit enter for default>
Overwrite (y/n)? y
Then enter a blank password. After that, copy your ssh key onto the target host which you will be connecting to.
ssh-copy-id <remote_user>#<other_host>
remote_user#other_host's password: <Enter remote user's password here>
After registering the ssh keys, you would be able to perform a silent ssh remote_user#other_host from you local host.
When there's no better choice (as suggested by others), then man socat can help:
(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1) |
socat - EXEC:'ssh -l user server',pty,setsid,ctty
EXEC’utes an ssh session to server. Uses a pty for communication
between socat and ssh, makes it ssh’s controlling tty (ctty),
and makes this pty the owner of a new process group (setsid), so
ssh accepts the password from socat.
All of the pty,setsid,ctty complexity is necessary and, while you might not need to sleep as long, you will need to sleep. The echo=0 option is worth a look too, as is passing the remote command on ssh's command line.
Take a look at expect linux utility.
It allows you to send output to stdio based on simple pattern matching on stdin.
ssh -t -t me#myserver.io << EOF
echo SOMEPASSWORD | sudo -S do something
sudo do something else
exit
EOF
Set SSH up for Public Key Authentication, with no pasphrase on the Key. Loads of guides on the net. You won't need a password to login then. You can then limit connections for a key based on client hostname. Provides reasonable security and is great for automated logins.
echo <password> | su -c <command> <user>
This is working.
a better sshpass alternative is: passh
https://github.com/clarkwang/passh
Login to a remote server
$ passh -p password ssh user#host
Run a command on remote server
$ passh -p password ssh user#host date
other methods to pass the password
-p The password (Default: `password')
-p env: Read password from env var
-p file: Read password from file
here I explained why it is better than sshpass, and other solutions.
You can also pass various parameters as follows:
echo password | echo y | sudo -S pacman -Syu
(Although that's a bad idea, it's just an example)
I had the same problem. dialog script to create directory on remote pc.
dialog with ssh is easy. I use sshpass (previously installed).
dialog --inputbox "Enter IP" 8 78 2> /tmp/ip
IP=$(cat /tmp/ip)
dialog --inputbox "Please enter username" 8 78 2> /tmp/user
US=$(cat /tmp/user)
dialog --passwordbox "enter password for \"$US\" 8 78 2> /tmp/pass
PASSWORD = $(cat /tmp/pass)
sshpass -p "$PASSWORD" ssh $US#$IP mkdir -p /home/$US/TARGET-FOLDER
rm /tmp/ip
rm /tmp/user
rm /tmp/pass
greetings from germany
titus
Building on #Jahid's answer, this worked for me on macOS 10.13:
ssh <remote_username>#<remote_server> sudo -S <<< <remote_password> cat /etc/sudoers
I once had a use case where I needed to run Sudo and ssh in the same command without stdin specifying all the variables needed.
This is the command I used
echo sudopassword | sudo -S -u username sshpass -p extsshpassword ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username#ipaddress " CMD on external machine"
Breaking that command into pieces!
This will allow you to run commands through your machine using Superuser:
echo password | sudo -S -u username
This will allow you to pass ssh password and execute commands on external machines:
sshpass -p sshpassword ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username#ipaddress " CMD on external machine"
make sure you install the sudo and openssh packages on your machine.
One way would be to use read -s option .. this way the password characters are not echoed back to the screen. I wrote a small script for some use cases and you can see it in my blog:
http://www.datauniv.com/blogs/2013/02/21/a-quick-little-expect-script/
USE:
echo password | sudo command
Example:
echo password | sudo apt-get update; whoami
Hope It Helps..
You can provide password as parameter to expect script.
su -c "Command" < "Password"
Hope it is helpful.