[olug] remote password changes

Will Langford unfies at gmail.com
Wed May 31 17:59:25 UTC 2006


Without user security being a big issue, using rsh or ssh to do the passwd
command would fit the bill without extra abstraction to hide password
changes.  To rehash rsh / ssh ways of doing it:

rsh remote.machine.com passwd username new-password
ssh remote.machine.com passwd username new-password

The user you're rsh/ssh'ing from will need to have sufficient privileges on
the remote machine in order to change that person's password (unsecure
example: doing the rsh/ssh as root, with PermitRootLogin set to true in
/etc/ssh/sshd_config on the target system).

To avoid password prompts for the ssh/rsh logins, key usage would be highly
suggested.

Lastly, I'm not entirely sure how to check the return value of the command
executed to see if it changed the password properly.  If you need to check
if the password was changed or not.... just bug us about it.

-----

In response to Ryan Stille's mysql 'ps aux' hiding by mysql... a program can
change its 'command line' shown in 'ps aux', and some security conscious
coders look for password switches / passwords in the command line and blank
them out manually.  I've done similar under Linux in C a year or two ago,
but forgot the details.  If any coder is curious, just bug me and I'll dig
up the sauce.

-Will

On 5/31/06, webtrekker at cox.net <webtrekker at cox.net> wrote:
>
> Hi Will,
>
> Security isn't a major concern, all of the machines are in an isolated
> network.  Mainly I would like to be able to have a list of servers and
> reference that list with a script that would then ssh to each in turn and
> change one user's password on each.
> I don't relish the idea of spending all day ssh'ing to each machine to do
> this by hand.
>
> I will be experimenting with your ideas today.  Thanks!
>
> ---- Will Langford <unfies at gmail.com> wrote:
> > not overly secure, but you can either have a sudo account that you log
> > into... and have your ssh connection spawn a password change script... ie:
> >
> > ssh passchangeuser@host password_change.sh targetuser targetpassword
> >
> > Where password_change.sh is a front end to passwd.
> >
> > Naturally, if you're concerned about `ps aux` on either server (ppl seeing
> > the running processes), you'll need to have some kind of
> > encryption+ascii_conversion package for the "targetpassword" parameter
> > (rather than passing the plain text).  A simple and not so effective example
> > would be to pass it through rot13 on both ends.
> >
> > Another option is to do an scp to passchangeuser's account that puts a file
> > (say, that's named targetuser and contains the new password inside) in a
> > special directory (/home/passchangeuser/newinfo ?) and a cron task that
> > constantly looks for new files in that directory and does the passwd command
> > to change things as appropriate.  This way the user's password isn't
> > transferred plain text and you don't have to worry about `ps aux` people.
> >
> > No script examples in this email, kinda too busy to actually go about a full
> > blown example.
> >
> > -Will
> >
> >
> > On 5/31/06, webtrekker at cox.net <webtrekker at cox.net > wrote:
> > >
> > > Hi All,
> > >
> > > I am trying to write a script that will reference a list of machine names
> > > and then connect to each one through ssh to change a user's password.
> > >
> > > SSH can connect to each server without prompting for a password
> > > (authorized_keys).
> > > I am not a very good script writer, so any help would be greatly
> > > appreciated.
> > >
> > > Thanks,
> > > Patrick
> > > _______________________________________________
> > > OLUG mailing list
> > > OLUG at olug.org
> > > http://lists.olug.org/mailman/listinfo/olug
> > >
>
>
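
An added example (not part of the original thread, and not any poster's script) of the scripted change asked about above: it walks a host list, sends the new password to `chpasswd` over ssh's standard input so it never shows up in `ps aux` on either machine, and uses ssh's exit status as the success check. It assumes the remote login account is allowed to run `chpasswd`; the function names and the `SSH` override variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and $SSH are hypothetical.
# Assumes the login account on each host may run chpasswd (root or equivalent).
SSH=${SSH:-ssh}    # override to substitute a wrapper or a test stub

# set_remote_password HOST USER PASSWORD
# chpasswd reads "user:password" on stdin; printf is a shell builtin, so the
# password never appears in any process's argument list on either machine.
set_remote_password() {
    printf '%s:%s\n' "$2" "$3" |
        $SSH -o BatchMode=yes -o ConnectTimeout=10 "$1" chpasswd
}

# change_on_hosts HOSTFILE USER PASSWORD
# One host per line; blank lines and '#' comments are skipped.
# Returns the number of hosts that failed (0 = every host changed).
change_on_hosts() {
    [ -r "$1" ] || { echo "cannot read host list: $1" >&2; return 255; }
    failed=0
    while IFS= read -r host <&3 || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        # ssh exits with the remote command's status, or 255 if the
        # connection itself failed, so one check covers both cases.
        if set_remote_password "$host" "$2" "$3"; then
            echo "OK   $host"
        else
            echo "FAIL $host (exit $?)" >&2
            failed=$((failed + 1))
        fi
    done 3< "$1"
    return "$failed"
}

# Usage: script HOSTFILE USER   (password is prompted for, not passed in argv)
if [ "$#" -eq 2 ]; then
    printf 'New password for %s: ' "$2" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    change_on_hosts "$1" "$2" "$pw"
fi
```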


