[olug] remote password changes

Theodore Katseres tedkat at gmail.com
Thu Jun 1 05:45:31 UTC 2006


You could use the chpasswd command instead.
passwd hooks the keyboard for input so that a pipe would not work
but expect would.  chpasswd reads username:password from a
file so that would get around ps aux.

On 5/31/06, Will Langford <unfies at gmail.com> wrote:
> there's always using echo :)
>
> echo "oldpass\nnewpass\nnewpass\nnewpass" | passwd
>
> or something similar.
> -Will
>
>
> On 5/31/06, Daniel Pfile <daniel at pfile.net> wrote:
> >
> > Sorry guys, I don't think you can pass the password on the command
> > line. passwd is interactive only. You could use an expect script to
> > do it.
> >
> > ----
> > #!/path/to/expect
> > # usage: script username newpassword
> > set username [lindex $argv 0]
> > set password [lindex $argv 1]
> > spawn passwd $username
> > expect "*password:"
> > send "$password\r"
> > expect "*password:"
> > send "$password\r"
> > expect eof
> >
> > That would still show the password in a ps output. You're also going
> > to see it locally on the machine that you ran the ssh client from,
> > and have it in your bash history. You could modify the ARGV after
> > grabbing it in the script, but you'd still be able to catch it while
> > the program starts up. If you could dump a mode 600 file somewhere on
> > the filesystem without that being shown in the process output (don't
> > use echo) you could read that in and use it to change the password.
> >
> > rpasswd is an option, but that's designed for when you have one nis
> > master server to run the daemon on and have your clients change their
> > password remotely from their workstation.
> >
> > If this is something you have to do all the time with different users
> > I'd look into switching over to ldap or (ick) NIS. It's the right way
> > to do that sort of thing. OpenLDAP works well, but I just set up some
> > Fedora Directory Servers multimaster that are running great too;
> > they're not integrated with pam/nss yet, since we mostly use them for
> > web stuff.
> >
> > -- Daniel
> >
> > On May 31, 2006, at 12:59 PM, Will Langford wrote:
> >
> > > Without user security being a big issue, using rsh or ssh to do the
> > > passwd command would fit the bill without extra abstraction to hide
> > > password changes.  To rehash rsh / ssh ways of doing it:
> > >
> > > rsh remote.machine.com passwd username new-password
> > > ssh remote.machine.com passwd username new-password
> > >
> > > The user you're rsh/ssh'ing from will need to have sufficient
> > > privileges on the remote machine in order to change that person's
> > > password (insecure example: doing the rsh/ssh as root, with
> > > PermitRootLogin set to true in /etc/ssh/sshd_config on the target
> > > system).
> > >
> > > To avoid password prompts for the ssh/rsh logins, key usage would
> > > be highly suggested.
> > >
> > > Lastly, I'm not entirely sure how to check the return value of the
> > > command executed to see if it changed the password properly.  If you
> > > need to check if the password was changed or not.... just bug us
> > > about it.
> > >
> > > -----
> > >
> > > In response to Ryan Stille's mysql 'ps aux' hiding by mysql... a
> > > program can change its 'command line' shown in 'ps aux', and some
> > > security conscious coders look for password switches / passwords in
> > > the command line and blank them out manually.  I've done similar
> > > under linux in C a year or two ago, but forgot the details.  If any
> > > coder is curious, just bug me and I'll dig up the sauce.
> > >
> > > -Will
> > >
> > > On 5/31/06, webtrekker at cox.net <webtrekker at cox.net> wrote:
> > >>
> > >> Hi Will,
> > >>
> > >> Security isn't a major concern, all of the machines are in an
> > >> isolated network.  Mainly I would like to be able to have a list of
> > >> servers and reference that list with a script that would then ssh to
> > >> each in turn and change one user's password on each.
> > >> I don't relish the idea of spending all day ssh'ing to each machine
> > >> to do this by hand.
> > >>
> > >> I will be experimenting with your ideas today.  Thanks!
> > >>
> > >> ---- Will Langford <unfies at gmail.com> wrote:
> > >>> not overly secure, but you can either have a sudo account that
> > >>> you log into... and have your ssh connection spawn a password
> > >>> change script... i.e.:
> > >>>
> > >>> ssh passchangeuser at host password_change.sh targetuser targetpassword
> > >>>
> > >>> Where password_change.sh is a front end to passwd.
> > >>>
> > >>> Naturally, if you're concerned about `ps aux` on either server
> > >>> (ppl seeing the running processes), you'll need to have some kind
> > >>> of encryption+ascii_conversion package for the "targetpassword"
> > >>> parameter (rather than passing the plain text).  A simple and not
> > >>> so effective example would be to pass it through rot13 on both
> > >>> ends.
> > >>>
> > >>> Another option is to do an scp to passchangeuser's account that
> > >>> puts a file (say, that's named targetuser and contains the new
> > >>> password inside) in a special directory
> > >>> (/home/passchangeuser/newinfo ?) and a cron task that constantly
> > >>> looks for new files in that directory and does the passwd command
> > >>> to change things as appropriate.  This way the user's password
> > >>> isn't transferred plain text and you don't have to worry about
> > >>> `ps aux` people.
> > >>>
> > >>> No script examples in this email, kinda too busy to actually go
> > >>> about a full blown example.
> > >>>
> > >>> -Will
> > >>>
> > >>>
> > >>> On 5/31/06, webtrekker at cox.net <webtrekker at cox.net > wrote:
> > >>>>
> > >>>> Hi All,
> > >>>>
> > >>>> I am trying to write a script that will reference a list of
> > >>>> machine names and then connect to each one through ssh to change
> > >>>> a user's password.
> > >>>>
> > >>>> SSH can connect to each server without prompting for a password
> > >>>> (authorized_keys).
> > >>>> I am not a very good script writer, so any help would be greatly
> > >>>> appreciated.
> > >>>>
> > >>>> Thanks,
> > >>>> Patrick
> > >>>> _______________________________________________
> > >>>> OLUG mailing list
> > >>>> OLUG at olug.org
> > >>>> http://lists.olug.org/mailman/listinfo/olug
> > >>>>
> > >>
> > >>
> >
> >
>


-- 
Ted Katseres
      ||=O=||
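As an added example (not a script from anyone in this thread), here is the chpasswd approach applied to Patrick's host list: the new password is read once from a mode-0600 file, never placed on a command line, and fed to chpasswd on the remote host's stdin through ssh, which also hands back chpasswd's exit status so the script can tell whether each change succeeded. The host-list format, the password-file convention, the CHPASSWD_CMD variable (for example `sudo -n chpasswd` when the ssh account is not root) and the function names are my assumptions; the script assumes key-based ssh is already working and that the target systems have chpasswd.

```shell
#!/bin/sh
# remote_chpasswd.sh - added example, not code from the OLUG thread.
# Changes one user's password on every host listed in HOSTFILE by
# feeding "user:password" to chpasswd over ssh on stdin, so the password
# never appears in argv (local or remote) or in shell history.
# Assumptions (mine, not the thread's): one host per line in HOSTFILE,
# blank and '#' lines ignored; the new password is the first line of a
# mode-0600 file PWFILE; the ssh account may run chpasswd on the target
# (root, or CHPASSWD_CMD='sudo -n chpasswd'); ssh keys are already set up.

CHPASSWD_CMD=${CHPASSWD_CMD:-chpasswd}

# build_chpasswd_line USER PWFILE
# Prints "USER:password" in chpasswd's input format. Refuses a password
# file that is group- or world-readable (Daniel's "mode 600 file").
build_chpasswd_line() {
    user=$1
    pwfile=$2
    if find "$pwfile" \( -perm -040 -o -perm -004 \) | grep -q .; then
        echo "$pwfile: must not be group/world readable" >&2
        return 1
    fi
    newpw=
    IFS= read -r newpw < "$pwfile" || true   # tolerate a missing final newline
    if [ -z "$newpw" ]; then
        echo "$pwfile: no password found" >&2
        return 1
    fi
    printf '%s:%s\n' "$user" "$newpw"
}

# change_on_hosts HOSTFILE USER PWFILE [SSH_CMD]
# Runs chpasswd on every host. ssh exits with the remote command's exit
# status, so a non-zero result means the password was NOT changed there.
# Returns the number of hosts that failed (0 = every host succeeded).
change_on_hosts() {
    hostfile=$1
    user=$2
    pwfile=$3
    ssh_cmd=${4:-ssh}
    line=$(build_chpasswd_line "$user" "$pwfile") || return 1
    failed=0
    while IFS= read -r host; do
        case $host in ''|'#'*) continue ;; esac
        # printf is a shell builtin, so no process carries the password
        # in its argv; $CHPASSWD_CMD is unquoted on purpose so it may hold
        # a command plus arguments.
        if printf '%s\n' "$line" | $ssh_cmd "$host" $CHPASSWD_CMD; then
            echo "$host: password changed for $user"
        else
            echo "$host: FAILED to change password for $user" >&2
            failed=$((failed + 1))
        fi
    done < "$hostfile"
    return "$failed"
}

# Run as a script:  ./remote_chpasswd.sh hosts.txt alice /root/newpw
if [ "$#" -ge 3 ]; then
    change_on_hosts "$1" "$2" "$3"
fi
```

The password still crosses the network inside the ssh session and sits briefly in a shell variable of the local script, neither of which shows up in `ps aux`; the remaining exposure is the password file itself, which is why the script refuses to read one that other users can open.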


