Change password every week for root user script - Linux

I got a request to change the root password every 10 days on all Linux-based machines. These are production machines with a GRUB password enabled, so if we forget or lose both the root and GRUB passwords we cannot recover.
I have written a simple script which redirects the password to a file on an NFS share. It writes the password to the NFS shared file every week.
Below is the file format:
Machine1:
Machine2:
Machine3:
We will execute the script like:
sh autopass.sh Machine1
so it changes the root password for Machine1 and replaces Machine1's old password with the new password in the NFS share file. We will then send the password to authorized users every week.
Below is the script:
#!/bin/bash
# Function to create a random password: randpass [length] [type]
# type 13 => alphanumeric only, anything else => any printable character
randpass() {
    [ "$2" = "13" ] && CHAR="[:alnum:]" || CHAR="[:graph:]"
    LC_ALL=C tr -cd "$CHAR" < /dev/urandom | head -c "${1:-8}"
    echo
}
# Get a random password into the rootnewpass variable. Alphanumeric only:
# characters such as / & \ would break the sed replacement below, and a ':'
# would break the Machine:password file format.
rootnewpass=$(randpass 8 13)
# Replace this machine's entry in the NFS file rootpass
sed -i "s/^\(${1}:\).*/\1${rootnewpass}/" /nfs/rootpass
# Change root's password to the newly generated one
printf 'root:%s\n' "$rootnewpass" | chpasswd
So now what I want to know is whether my approach is good or whether there is a better way to implement this. The concern here is that I should never misplace the password, meaning I should not redirect a wrong password to the file.
I am using the same concept for the GRUB password as well.
Note: all machines should not have the same root password, and hence I have opted for this option.
Please advise.
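As an added example (not the poster's script and not from any answer here), this is how I would address the "never write a wrong password to the file" concern: the record is written with awk (values passed through the environment, so no sed or awk metacharacter can alter them), the file is replaced atomically with a mode-600 temporary, the record is read back and compared, and only then is chpasswd run. The file path, host name and the APPLY switch are assumptions; passwords are kept alphanumeric so the host:password format stays parseable.

```bash
#!/bin/bash
# Added example: safe rotation of one host's root password record.
# Assumptions: record file has one "host:password" line per host; the
# chpasswd step only runs when APPLY=1 (so the rest can be tested as a
# normal user).
set -u

# Generate an alphanumeric password of N characters from /dev/urandom.
# Alphanumeric keeps the record file parseable (no ':') and avoids the
# sed/awk metacharacters that corrupted the original replacement.
randpass() {
    local len="${1:-16}"
    LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | head -c "$len"
}

# Replace (or append) the "host:password" record in FILE atomically.
update_record() {   # update_record FILE HOST PASSWORD
    local file="$1" host="$2" pass="$3" tmp
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # ENVIRON passes the values literally: unlike awk -v, no backslash
    # escape processing, and unlike sed, no regex or '&' interpretation.
    REC_HOST="$host" REC_PASS="$pass" awk -F: -v OFS=: '
        BEGIN { h = ENVIRON["REC_HOST"]; p = ENVIRON["REC_PASS"] }
        $1 == h { $2 = p; seen = 1 }
        { print }
        END { if (!seen) print h, p }
    ' "$file" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$file"
}

# Print the password currently recorded for HOST in FILE.
lookup_record() {   # lookup_record HOST FILE
    awk -F: -v h="$1" '$1 == h { print $2; exit }' "$2"
}

# Rotate: write the record first, verify it reads back unchanged, and only
# then change the real password. The new password is printed on success.
rotate() {   # rotate FILE HOST
    local file="$1" host="$2" new
    new=$(randpass 16)
    update_record "$file" "$host" "$new" || return 1
    [ "$(lookup_record "$host" "$file")" = "$new" ] || return 2
    if [ "${APPLY:-0}" = 1 ]; then
        printf 'root:%s\n' "$new" | chpasswd || return 3
    fi
    printf '%s\n' "$new"
}

# Usage on a production host (as root): APPLY=1 rotate /nfs/rootpass "$(hostname)"
```

Because the record is verified before chpasswd runs, a failed or garbled write leaves the old password in force and the script exits non-zero instead of locking you out.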

You can change the root password on a batch of servers (100 servers: 10.1.0.1 to 10.1.0.100) with:
for ((i=1;i<=100;i++)); do
    # passwd --stdin reads a single line, the new password
    ssh 10.1.0.$i 'echo "newpassword" | passwd --stdin root'
done
Make it a cron job and this should work.

Related

Missing command prompt user name when a user account is created - Linux - Debian?

I am writing a bash script to create a user account with a password that will expire. After creating the user account and then logging in using su -, I get the prompt, but the user ID is missing from the prompt. Also, tab auto-completion is missing. Here is my bash script. Remember, I am using Debian 9 on Windows - WSL2.
#!/bin/bash
# This script creates an account on the local system.
# You will be prompted for the account name and password.
# Ask for the user name.
read -r -p 'Enter the username to create: ' USER_NAME
# Ask for the real name.
read -r -p 'Enter the name of the person who this account is for: ' COMMENT
# Ask for the password (-s: do not echo it to the terminal).
read -r -s -p 'Enter the password to use for the account: ' PASSWORD
echo
# Create the user (variables quoted so a real name with spaces survives).
useradd -c "${COMMENT}" -m "${USER_NAME}"
# Set the password for the user.
# echo "${PASSWORD}" | passwd --stdin "${USER_NAME}"   # --stdin is a Red Hat extension, not available on Debian
echo "${USER_NAME}:${PASSWORD}" | chpasswd
# Force password change on first login.
passwd -e "${USER_NAME}"
After running this, I get a prompt which doesn't have a user ID on the left side. Also, tab auto-completion isn't working. I am a bit surprised; am I doing something wrong here?
Here is what I am seeing.
Add a user with the adduser command instead of useradd.
In scripts, always use adduser.
I tested the same script on the Debian box and it's working fine.
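An added example, not the poster's script or the answer's: a creation script that sets the login shell explicitly and checks the resulting passwd(5) entry. It assumes the usual Debian behaviour that useradd without -s takes SHELL from /etc/default/useradd, which defaults to /bin/sh (dash), and that dash gives a bare "$ " prompt with no tab completion; adduser, by contrast, defaults to /bin/bash. The user name and real name in the usage line are placeholders.

```bash
#!/bin/bash
# Added example: create a user with an explicit shell and verify the entry.
# Only login_shell/interactive_shell_ok run without root; create_user and
# verify_user need useradd/chpasswd/getent on a real system.

# Return the login shell field (7th) of a passwd(5) entry.
login_shell() { printf '%s\n' "$1" | cut -d: -f7; }

# Return 0 when the shell gives a user@host prompt and tab completion by
# default (bash/zsh); 1 for sh/dash/nologin and anything else.
interactive_shell_ok() {
    case "$(basename -- "$1")" in
        bash|zsh) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a diagnosis for NAME; return 0 if the shell is an interactive one.
verify_user() {   # verify_user NAME
    local entry shell
    entry=$(getent passwd "$1") || { echo "no such user: $1"; return 1; }
    shell=$(login_shell "$entry")
    if interactive_shell_ok "$shell"; then
        echo "$1: login shell $shell (prompt and completion OK)"
    else
        echo "$1: login shell $shell (bare prompt, no completion; fix with: usermod -s /bin/bash $1)"
        return 1
    fi
}

# Create NAME with an explicit bash login shell, set and expire the password.
create_user() {   # create_user NAME "REAL NAME"
    local name="$1" comment="$2" password
    read -r -s -p "Password for $name: " password; echo   # -s: no echo
    useradd -c "$comment" -m -s /bin/bash "$name" || return 1
    printf '%s:%s\n' "$name" "$password" | chpasswd || return 1
    passwd -e "$name" || return 1
    verify_user "$name"
}

# Usage (as root): create_user alice "Alice Example"
```

Running verify_user against an account created by the original script shows /bin/sh as the shell, which is the whole difference between the two tools here.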

How to encrypt passwords stored in a file rather than /etc/shadow in Linux

I want to create a new file called /home/secret.txt with usernames and passwords stored in a format similar to /etc/shadow in Linux. All new users are placed into this new file rather than /etc/shadow. From my bash script I am doing the following:
echo "user1:password::root:root:/home/user1:/bin/bash" >> /home/secret.txt
echo "user1:password" | chpasswd -c MD5
In the second statement I am trying to convert the password into encrypted form, but chpasswd fails saying chpasswd: line 1: user 'user1' does not exist. I think chpasswd changes/encrypts passwords only for users present in /etc/passwd or /etc/shadow. Because of this, the password field in the file is not encrypted.
May I know how to write a username and password in /etc/shadow format into a temporary file with the password encrypted?
You are right: chpasswd changes/encrypts passwords for users present in /etc/passwd or /etc/shadow. Hence if you mean "all new users are placed into this new file rather than /etc/shadow", you mean a change in the code of the useradd command itself.
As of now, I don't see that it is possible to write a username and password in /etc/shadow format into a temporary file with the password encrypted, without having an entry in /etc/passwd or /etc/shadow.
You need to do something similar to the following:
# hash only the password itself; the user name is not part of the hash
openssl passwd -1 -salt xyz "password"
See this answer for details.
Here is the solution I came up with to store usernames and passwords in a file other than shadow.
Initially, from my init script, I create multiple users as below:
echo "user1:password1::root:root:/home/user1:/bin/bash" >> /home/secret.txt
echo "user2:password2::root:root:/home/user1:/bin/bash" >> /home/secret.txt
echo "user1:password1" | chpasswd -c MD5
echo "user2:password2" | chpasswd -c MD5
# condition_success: placeholder for the check that decides where the users go
if condition_success ; then
    # Copy the required users' shadow entries to the new file
    # (anchored on "^name:" so that user10 does not match user1)
    grep -E "^(user1|user2):" /etc/shadow >> /home/secret.txt
    # Delete the users from shadow
    sed -i '/^user1:/d' /etc/shadow
    sed -i '/^user2:/d' /etc/shadow
fi
New users introduced to the system using adduser will go through a custom wrapper which checks a condition, based on which the users are placed into the new file or the shadow file. Similarly, deletion and authentication follow a similar process in order to remove and authenticate these users on the system.
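The detour through /etc/shadow is not actually required. As an added example (not from the question or the answers), the block below produces shadow(5)-style records for a private file without creating the user on the system, and verifies a login against that file by re-hashing with the stored salt. It uses openssl passwd -6 (SHA-512 crypt, what current distributions put in /etc/shadow) instead of the MD5 -1 scheme shown in the answer; the file name and the user names are placeholders.

```bash
#!/bin/bash
# Added example: shadow-format records in a private file, no system user needed.
# Requires openssl 1.1.1 or later for the -6 (sha512crypt) option.

# Random 16-character salt from the crypt alphabet [a-zA-Z0-9./].
gen_salt() { LC_ALL=C tr -cd 'a-zA-Z0-9./' < /dev/urandom | head -c 16; }

# Hash PASSWORD with SALT -> "$6$salt$hash". The password goes in on stdin
# so it never shows up in the process list.
crypt_sha512() {   # crypt_sha512 PASSWORD SALT
    printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# Emit one shadow(5) line: name:hash:lastchg:min:max:warn:::
shadow_record() {   # shadow_record NAME PASSWORD
    local hash
    hash=$(crypt_sha512 "$2" "$(gen_salt)") || return 1
    printf '%s:%s:%s:0:99999:7:::\n' "$1" "$hash" "$(( $(date +%s) / 86400 ))"
}

# Verify NAME/PASSWORD against FILE: re-hash with the stored salt and compare.
verify_password() {   # verify_password FILE NAME PASSWORD
    local stored salt
    stored=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    [ -n "$stored" ] || return 1
    # "$6$<salt>$<hash>": the salt is the third '$'-separated field
    salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
    [ "$(crypt_sha512 "$3" "$salt")" = "$stored" ]
}

# Usage: shadow_record user1 'S3cret!' >> /home/secret.txt
#        verify_password /home/secret.txt user1 'S3cret!' && echo ok
```

Keep the file mode 600 and root-owned, as /etc/shadow is; the hashes are only as safe as the file that holds them.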

Script to change root password

Dears,
I want a script to change the root password to a predefined password on Solaris 10/11, AIX and Linux without prompting to enter the password.
#!/bin/sh
# printf is portable; "echo -e" is not available in every /bin/sh
printf 'password\npassword\n' | passwd
Just run this as root.
However, there are serious security concerns about keeping your password in plain text, so be careful.

SSH password script using root

Hello, I am trying to work on an SSH password script.
The user I am using is root because this is for a cluster of servers and the root user has passwordless access to all of the other servers in the cluster.
What I have here works on one server:
echo "Welcome3" | passwd user1 --stdin
This is the script I'm trying to use on the cluster:
export HOSTS="server1.server.com
server2.server.com
server3.server.com
server4.server.com
server5.server.com"
for i in $HOSTS
do
echo $i
ssh $i echo Welcome3 | passwd user1 --stdin
done
I get the message:
"servername
changing password for user user1
passwd: all authentication tokens updated successfully"
But when I go to log in to the other servers with the new password it does not seem to take.
Any thoughts would be appreciated.
Thanks in advance.
You changed the password of user1 on your local machine.
Try this:
ssh $i 'echo Welcome3 | passwd user1 --stdin'

Script to change password on linux servers over ssh

We have a number of Red Hat Linux servers in our IT environment. I am being asked by my team members to write a script (preferably a shell script) to change a user's password on each one of those in a single go, using SSH.
I have tried to find a solution, but many of the scripts I found use Expect. We do not have Expect installed on our servers and the system admins have refused to let us install it. Also, the users do not have root access, so passwd --stdin or chpasswd cannot be used.
Is there any way a script can be written so that a user can run it and change the password of only his own user on all the servers in a list?
The remote machine(s) do not need expect installed. You can install expect on a local workstation, a VM (VirtualBox) or whichever *nix box, and write a wrapper that calls this .ex (expect) script (there may be small changes from distro to distro; this was tested on CentOS 5/6):
#!/usr/bin/expect -f
# wrapper to make passwd(1) be non-interactive
# arguments: username, current password, server, new password
set username [lindex $argv 0]
set password [lindex $argv 1]
set serverid [lindex $argv 2]
set newpassword [lindex $argv 3]
# log in as the user whose password is being changed
spawn ssh $username@$serverid passwd
expect "assword:"
send "$password\r"
expect "UNIX password:"
send "$password\r"
expect "password:"
send "$newpassword\r"
expect "password:"
send "$newpassword\r"
expect eof
You do not need root access to use passwd.
This should work just fine:
passwd <<EOF
old password
new password
new password
EOF
You should try pssh (parallel ssh, runs on all hosts at the same time).
cat > ~/pssh-hosts <<EOF
user100@host-foo
user200@host-bar
user848@host-qux
EOF
pssh -h ~/pssh-hosts 'printf "%s\n" old_pass new_pass new_pass | passwd'
Building on squashbuff's example, I tried the following, which worked well for me:
#!/bin/bash
for server in $(cat hostlist); do
    echo "$server"
    ssh "username@$server" 'passwd <<EOF
old_password
new_password
new_password
EOF'
done
Security-wise, this could be improved to take input without echoing it to the screen or saving the plaintext to disk.
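Picking up that last remark, here is an added example (not from this thread) that does the same heredoc-to-passwd trick without the passwords ever appearing on a command line, in a file on disk or on the screen: they are read once with no echo and sent to the remote passwd on ssh's stdin. It also sidesteps the quoting mistake from the "SSH password script using root" post above, because the pipe into passwd is built locally and ssh only ever carries the bare command "passwd". It assumes the user's ssh key is already installed on the hosts (so ssh itself does not prompt) and a hosts file with one host per line; host names in the usage line are placeholders.

```bash
#!/bin/bash
# Added example: change your own password on many hosts over ssh, no root,
# no expect, no sshpass. Assumes key-based ssh login already works.

# Read a value from the terminal without echoing it.
read_secret() {   # read_secret PROMPT -> value on stdout
    local v
    read -r -s -p "$1" v < /dev/tty; echo >&2
    printf '%s' "$v"
}

# The three lines passwd(1) expects from a non-root user.
passwd_feed() {   # passwd_feed OLD NEW
    printf '%s\n%s\n%s\n' "$1" "$2" "$2"
}

# Run passwd on HOST with the answers on stdin. -T: no pty, so the remote
# passwd reads the piped lines exactly as with the heredoc in the thread.
# BatchMode: fail instead of prompting if the key is not accepted.
change_on_host() {   # change_on_host HOST OLD NEW
    passwd_feed "$2" "$3" | ssh -T -o BatchMode=yes "$1" passwd
}

# Walk a hosts file (one host per line, blank lines and '#' comments
# skipped), report per host, and return the number of failures. ssh's stdin
# is the passwd_feed pipe, so it cannot swallow the rest of the host list.
change_on_hosts() {   # change_on_hosts HOSTFILE OLD NEW
    local host fail=0
    while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        if change_on_host "$host" "$2" "$3" >/dev/null 2>&1; then
            echo "$host: ok"
        else
            echo "$host: FAILED"; fail=$((fail + 1))
        fi
    done < "$1"
    return "$fail"
}

main() {   # main [HOSTFILE]
    local old new again
    old=$(read_secret "Current password: ")
    new=$(read_secret "New password: ")
    again=$(read_secret "Retype new password: ")
    [ "$new" = "$again" ] || { echo "passwords do not match" >&2; return 1; }
    change_on_hosts "${1:-servers.txt}" "$old" "$new"
}

# Usage: uncomment to run as a script.
# main "$@"
```

A host that rejects the old password or the key shows up as FAILED and the exit status counts the failures, so the run can be repeated for just the hosts that are still on the old password.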
echo "name:password" | chpasswd
Another possibility: change it manually on one server. Get the encrypted password out of /etc/shadow. Now, do something like this:
for host in $HOST_LIST; do
ssh $host "passwd -p 'encrypted_passwd' user"
done
Of course, 'encrypted_passwd' is what you got out of /etc/shadow where you manually changed the password. And $HOST_LIST is a list of hosts where you want the password changed. That could be created simply with:
export HOST_LIST="server1 server2 server15 server67"
Or perhaps with a file (as others have suggested):
export HOST_LIST=`cat host_list.txt`
Where the file "host_list.txt" has a list of all the systems where you want the password changed.
Edit: if your version of passwd doesn't support the -p option, you might have the 'usermod' program available. The example above remains the same, simply replace 'passwd' with 'usermod'.
Furthermore, you might consider the useful tool pdsh, which would simplify the above example to something like this:
echo $HOST_LIST | pdsh -Rssh -w- "usermod -p 'encrypted_passwd' user"
One last "gotcha" to look out for: the encrypted password likely contains the dollar sign character ('$') as a field separator. You'll probably have to escape those in your for loop or pdsh command (i.e. "$" becomes "\$").
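That gotcha is worth a concrete check. As an added example (not from the answer above), the block below builds the remote usermod command with the hash single-quoted, so the '$' signs survive both the local shell and the remote login shell, and shows locally what a shell does to the unquoted form. The hash and host names are constructed placeholders, not a real shadow entry.

```bash
#!/bin/bash
# Added example: push a crypt hash to remote hosts with usermod -p without
# the shell eating the '$' characters in it.

# Single-quote ARG for a POSIX shell: wrap in '...' and rewrite every
# embedded ' as '\''. A single-quoted word passes through both the local
# shell and the remote login shell with no expansion at all.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the remote command line: usermod -p '<hash>' '<user>'
usermod_cmd() {   # usermod_cmd USER HASH
    printf 'usermod -p %s %s' "$(shell_quote "$2")" "$(shell_quote "$1")"
}

# Let a shell parse the argument the way the remote shell would.
# quoted_roundtrip returns the hash unchanged; naive_roundtrip (the hash
# inside double quotes) has $6, $rounds, $salt... expanded to nothing.
quoted_roundtrip() { sh -c "printf '%s\n' $(shell_quote "$1")"; }
naive_roundtrip()  { sh -c "printf '%s\n' \"$1\""; }

# Apply the hash on every host. The command is built once, with the hash
# quoted, and handed to ssh as the remote command; </dev/null keeps ssh
# from reading anything else from our stdin.
push_hash() {   # push_hash USER HASH HOST...
    local user="$1" hash="$2" host cmd
    shift 2
    cmd=$(usermod_cmd "$user" "$hash")
    for host in "$@"; do
        if ssh -o BatchMode=yes "$host" "sudo $cmd" </dev/null; then
            echo "$host: ok"
        else
            echo "$host: FAILED"
        fi
    done
}

# Usage: push_hash alice "$(grep '^alice:' /etc/shadow | cut -d: -f2)" server1 server2
```

The same quoting applies to the pdsh form: pass "$(usermod_cmd user "$hash")" rather than a hash typed inside double quotes.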
Install sshpass on any server from which you want to execute the script.
yum -y install sshpass
Prepare a text file in which you pass details like host, user name, password and port (based on your requirement):
192.168.1.2|sachin|dddddd|22
Prepare a script file using the details below:
#!/bin/bash
FILE=/tmp/ipaddress.txt
# keep the original stdin on fd 3 and read the host list on fd 0
exec 3<&0
exec 0<"$FILE"
while read -r line
do
    MyServer=$(echo "$line" | cut -d'|' -f1)
    MyUser=$(echo "$line" | cut -d'|' -f2)
    MyPassword=$(echo "$line" | cut -d'|' -f3)
    MyPort=$(echo "$line" | cut -d'|' -f4)
    # </dev/null stops ssh from consuming the rest of the host list
    sshpass -p "$MyPassword" ssh -p "$MyPort" -o StrictHostKeyChecking=no "$MyUser@$MyServer" \
        -T "echo 'sachin#patel' | passwd --stdin root" \
        < /dev/null | tee -a output.log
done
exec 0<&3
An alternative you may want to present to your peers would be to have them use password-less authentication. They'd generate a public/private key pair and register their public key in the ~/.ssh/authorized_keys file on each of the servers they log into.
Can you use Perl?
Here is a script that changes the password on a set of hosts.
It requires some Perl modules (Net::OpenSSH::Parallel, Expect and their dependencies) installed on the local machine running the script, but nothing on the remote servers where the password has to be changed.
Have you tried App::Unix::RPasswd?
The passmass script (man page) that comes with Expect doesn't require Expect to be installed on the remote machines.
I just implemented a small tool that changes the password for many users/hosts at once. It's a Java-based application, so it works on both Windows and Linux. It's free, enjoy :)
Thought I should put my solution in an answer field - not sure if this should be a part of the question.
OK, I have put together a partially working solution using Dennis' suggestion.
servers.txt looks like:
server1
server2
server3
.
.
.
I am using:
for server in `cat servers.txt`; do
ssh $server -l user 'passwd <<EOF
old_pass
new_pass
new_pass
EOF';
done
This produces:
user@server1's password: <Type password manually>
(current) UNIX password: New UNIX password: Retype new UNIX password: Changing password for user user.
Changing password for user
passwd: all authentication tokens updated successfully.
user@server2's password: <Type password manually>
(current) UNIX password: New UNIX password: Retype new UNIX password: Changing password for user user.
Changing password for user
passwd: all authentication tokens updated successfully.
So here I still need to type my old password once for each server. Can this be avoided?
If you have ssh, why have passwords in the first place? Push the user's public ssh key to all the servers they're authorized to use and be done with it. This also lets you easily grant and revoke access all you want.
At a previous $dayjob, where we had literally tens of thousands of servers, they had a database of which engineers were allowed on which servers, and the installation of ssh keys was an automated process. Almost NOBODY had a password on ANY machine.
echo -e "wakka2\nwakka2\n" | passwd root
cat /tmp/passwords | ssh $server sudo chpasswd -e
if the password is already hashed, or
cat /tmp/passwords | ssh $server sudo chpasswd
if it is plain text.
/tmp/passwords should have the format "user:password".
The real question is why were they not using some sort of name services? NIS/Yellow Pages or LDAP and you're not having to manually change passwords across a bunch of servers. A user changes their password once and it's done across the domain master.
