[olug] remote password changes
Will Langford
unfies at gmail.com
Wed May 31 18:42:08 UTC 2006
there's always using echo :)
echo "oldpass\nnewpass\nnewpass\nnewpass" | passwd
or something similar.
-Will
On 5/31/06, Daniel Pfile <daniel at pfile.net> wrote:
>
> Sorry guys, I don't think you can pass the password on the command
> line. passwd is interactive only. You could use an expect script to
> do it.
>
> ----
> #!/path/to/expect
> set password [index $argv 2]
> spawn passwd [index $argv 1]
> expect "*password:"
> send "$password\r"
> expect "*password:"
> send "$password\r"
> expect eof
> ----
>
> That would still show the password in a ps output. You're also going
> to see it locally on the machine that you ran the ssh client from,
> and have it in your bash history. You could modify the ARGV after
> grabbing it in the script, but you'd still be able to catch it while
> the program starts up. If you could dump a mode 600 file somewhere on
> the filesystem without that being shown in the process output (don't
> use echo) you could read that in and use it to change the password.
>
> rpasswd is an option, but that's designed if you have one nis master
> server to run the deamon on and have your clients change their
> password remotely from their workstation.
>
> If this is something you have to do all the time with different users
> I'd look into switching over to ldap or (ick) NIS. It's the right way
> to do that sort of thing. OpenLDAP works good, but I just set up some
> Fedora Directory Servers multimaster that are running great too,
> they're not integrated with pam/nss yet, since we mostly use them for
> web stuff.
>
> -- Daniel
>
> On May 31, 2006, at 12:59 PM, Will Langford wrote:
>
> > Without user security being a big issue, using rsh or ssh to do the
> > passwd
> > command would fit the bill without extra abstraction to hide password
> > changes. To rehash rsh / ssh ways of doing it:
> >
> > rsh remote.machine.com passwd username new-password
> > ssh remote.machine.com passwd username new-password
> >
> > The user you're rsh/ssh'ing from will need to have sufficient
> > priveleges on
> > the remote machine in order to change that person's password (unsecure
> > example: doing the rsh/ssh as root, with PermitRootLogin set to
> > true in
> > /etc/ssh/sshd_config on the target system).
> >
> > To avoid password prompts for the ssh/rsh logins, key usage would
> > be highly
> > suggested.
> >
> > Lastly, I'm not entirely sure how to check the return value of the
> > command
> > executed to see if it changed the password properly. If you need
> > to check
> > if the password was changed or not.... just bug us about it.
> >
> > -----
> >
> > In response to Ryan Stille's mysql 'ps aux' hiding by mysql... a
> > program can
> > change it's 'command line' shown in 'ps aux', and some security
> > conscious
> > coders look for password switches / passwords in the command line
> > and blank
> > them out manually. I've done similar under linux in C a year or
> > two ago,
> > but forgot the details. If any coder is curious, just bug me and
> > I'll dig
> > up the sauce.
> >
> > -Will
> >
> > On 5/31/06, webtrekker at cox.net <webtrekker at cox.net> wrote:
> >>
> >> Hi Will,
> >>
> >> Security isn't a major concern, all of the machines are in an
> >> isolated
> >> network. Mainly I would like to be able to have a list of servers
> >> and
> >> reference that list with a script that would then ssh to each in
> >> turn and
> >> change one users password on each.
> >> I don't relish the idea of spending all day ssh'ing to each
> >> machine to do
> >> this by hand.
> >>
> >> I will be experimenting with your ideas today. Thanks!
> >>
> >> ---- Will Langford <unfies at gmail.com> wrote:
> >>> not overly secure, but you can either have a sudo account that
> >>> you log
> >>> into... and have your ssh connection spawn a password change
> >>> script...
> >> ie:
> >>>
> >>> ssh passchangeuser at host password_change.sh targetuser targetpassword
> >>>
> >>> Where password_change.sh is a front end to passwd.
> >>>
> >>> Naturually, if you're concerned about `ps aux` on either server (ppl
> >> seeing
> >>> the running processes), you'll need to have some kind of
> >>> encryption+ascii_conversion package for the "targetpassword"
> >>> parameter
> >>> (rather than passing the plain text). A simple and not so effective
> >> example
> >>> would be to pass it through rot13 on both ends.
> >>>
> >>> Another option is to do an scp to passchangeuser's account that
> >>> puts a
> >> file
> >>> (say, that's named targetuser and contains the new password
> >>> inside) in a
> >>> special directory (/home/passchangeuser/newinfo ?) and a cron
> >>> task that
> >>> constantly looks for new files in that directory and does the passwd
> >> command
> >>> to change things as appropriate. This way the user's password isn't
> >>> transfered plain text and you don't have to worry about `ps aux`
> >>> people.
> >>>
> >>> No script examples in this email, kinda too busy to actually go
> >>> about a
> >> full
> >>> blown example.
> >>>
> >>> -Will
> >>>
> >>>
> >>> On 5/31/06, webtrekker at cox.net <webtrekker at cox.net > wrote:
> >>>>
> >>>> Hi All,
> >>>>
> >>>> I am trying to write a script that will reference a list of machine
> >> names
> >>>> and then connect to each one through ssh to change a users
> >>>> password.
> >>>>
> >>>> SSH can connect to each server without prompting for a password
> >>>> (authorized_keys).
> >>>> I am not a very good script writer, so any help would be greatly
> >>>> appreciated.
> >>>>
> >>>> Thanks,
> >>>> Patrick
> >>>> _______________________________________________
> >>>> OLUG mailing list
> >>>> OLUG at olug.org
> >>>> http://lists.olug.org/mailman/listinfo/olug
> >>>>
> >>> _______________________________________________
> >>> OLUG mailing list
> >>> OLUG at olug.org
> >>> http://lists.olug.org/mailman/listinfo/olug
> >>
> >>
> > _______________________________________________
> > OLUG mailing list
> > OLUG at olug.org
> > http://lists.olug.org/mailman/listinfo/olug
>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> http://lists.olug.org/mailman/listinfo/olug
>
More information about the OLUG
mailing list