[olug] remote password changes

Daniel Pfile daniel at pfile.net
Wed May 31 18:38:50 UTC 2006


Sorry guys, I don't think you can pass the password on the command  
line. passwd is interactive only. You could use an expect script to  
do it.

----
#!/path/to/expect
# usage: <this script> USERNAME NEWPASSWORD
# expect's $argv holds only the script's own arguments, so they start at 0
set username [lindex $argv 0]
set password [lindex $argv 1]
set timeout 10
spawn passwd $username
expect "*password:"
send "$password\r"
expect "*password:"
send "$password\r"
expect eof
# exit with passwd's own status so the caller can tell whether it worked
catch {wait} result
exit [lindex $result 3]
----

That would still show the password in a ps output. You're also going  
to see it locally on the machine that you ran the ssh client from,  
and have it in your bash history. You could modify the ARGV after  
grabbing it in the script, but you'd still be able to catch it while  
the program starts up. If you could dump a mode 600 file somewhere on  
the filesystem without that being shown in the process output (don't  
use echo) you could read that in and use it to change the password.

rpasswd is an option, but that's designed for when you have one NIS master  
server to run the daemon on and have your clients change their  
password remotely from their workstation.

If this is something you have to do all the time with different users  
I'd look into switching over to LDAP or (ick) NIS. It's the right way  
to do that sort of thing. OpenLDAP works well, but I just set up some  
multimaster Fedora Directory Servers that are running great too;  
they're not integrated with PAM/NSS yet, since we mostly use them for  
web stuff.

-- Daniel
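
An added example (not part of the thread, and not Daniel's or Will's code) of the "read it from a mode 600 file" route Daniel describes, in plain sh instead of expect. Rather than `passwd`, it feeds a `user:password` line to `chpasswd` over ssh's stdin, so the password is on neither the local nor the remote command line and never goes through bash history. Assumptions: key-based ssh to root works on every host (Patrick's setup), the hosts have `chpasswd` from shadow-utils, and the host list is one name per line. The `SSH` variable, the function names, and the `alice`/hostname placeholders are mine.

```shell
#!/bin/sh
# Added example, not from the thread: change one account's password on every
# host in a list without the password ever appearing on a command line.
# The new password is read from a mode-0600 file by the shell's read builtin
# (no process is spawned, so nothing for ps to see locally) and piped to
# chpasswd on the remote side, which takes "user:password" lines on stdin.
# Assumptions: ssh key auth to root works on every host, the hosts have
# chpasswd (shadow-utils), and the host list is one name per line.

SSH=${SSH:-ssh}   # overridable so the loop can be exercised without real hosts

# Refuse a password file that anyone but its owner can read.
check_secret_mode() {
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $1: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# The one line chpasswd expects.  printf is a builtin in every common sh,
# so the password is never in any process's argv.
chpasswd_line() {
    printf '%s:%s\n' "$1" "$2"
}

# change_password_everywhere USER HOSTFILE SECRETFILE
# Exit status is the number of hosts that failed (0 = all changed).
change_password_everywhere() {
    user=$1; hostfile=$2; secretfile=$3
    check_secret_mode "$secretfile" || return 1
    # first line of the file is the password; tolerate a missing final newline
    newpass=
    IFS= read -r newpass < "$secretfile" || [ -n "$newpass" ] || return 1
    failed=0
    while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        # ssh's stdin is the pipe, so it cannot swallow the rest of HOSTFILE,
        # and the only secret-bearing data is on that pipe, not in argv.
        if chpasswd_line "$user" "$newpass" |
            "$SSH" -o BatchMode=yes "root@$host" chpasswd; then
            echo "$host: password changed"
        else
            echo "$host: FAILED, exit status $?" >&2
            failed=$((failed + 1))
        fi
    done < "$hostfile"
    return "$failed"
}
```

Create the password file with an editor (not `echo ... > file`), `chmod 600` it, then run `change_password_everywhere alice hosts.txt /root/newpass`; a non-zero exit is the count of hosts where ssh or chpasswd failed, which is the per-host status check Will was unsure about. `chpasswd` is used instead of `passwd --stdin` because the latter is Red Hat specific; with a sudo account instead of root login, change the remote command to `sudo chpasswd` and make sure that sudo rule is NOPASSWD.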

On May 31, 2006, at 12:59 PM, Will Langford wrote:

> Without user security being a big issue, using rsh or ssh to do the passwd
> command would fit the bill without extra abstraction to hide password
> changes.  To rehash rsh / ssh ways of doing it:
>
> rsh remote.machine.com passwd username new-password
> ssh remote.machine.com passwd username new-password
>
> The user you're rsh/ssh'ing from will need to have sufficient privileges
> on the remote machine in order to change that person's password (insecure
> example: doing the rsh/ssh as root, with PermitRootLogin set to true in
> /etc/ssh/sshd_config on the target system).
>
> To avoid password prompts for the ssh/rsh logins, key usage would be highly
> suggested.
>
> Lastly, I'm not entirely sure how to check the return value of the command
> executed to see if it changed the password properly.  If you need to check
> if the password was changed or not.... just bug us about it.
>
> -----
>
> In response to Ryan Stille's mysql 'ps aux' hiding by mysql... a program can
> change its 'command line' shown in 'ps aux', and some security conscious
> coders look for password switches / passwords in the command line and blank
> them out manually.  I've done similar under linux in C a year or two ago,
> but forgot the details.  If any coder is curious, just bug me and I'll dig
> up the sauce.
>
> -Will
>
> On 5/31/06, webtrekker at cox.net <webtrekker at cox.net> wrote:
>>
>> Hi Will,
>>
>> Security isn't a major concern, all of the machines are in an isolated
>> network.  Mainly I would like to be able to have a list of servers and
>> reference that list with a script that would then ssh to each in turn and
>> change one user's password on each.
>> I don't relish the idea of spending all day ssh'ing to each machine to do
>> this by hand.
>>
>> I will be experimenting with your ideas today.  Thanks!
>>
>> ---- Will Langford <unfies at gmail.com> wrote:
>>> not overly secure, but you can either have a sudo account that you log
>>> into... and have your ssh connection spawn a password change script...
>>> i.e.:
>>>
>>> ssh passchangeuser at host password_change.sh targetuser targetpassword
>>>
>>> Where password_change.sh is a front end to passwd.
>>>
>>> Naturally, if you're concerned about `ps aux` on either server (ppl seeing
>>> the running processes), you'll need to have some kind of
>>> encryption+ascii_conversion package for the "targetpassword" parameter
>>> (rather than passing the plain text).  A simple and not so effective
>>> example would be to pass it through rot13 on both ends.
>>>
>>> Another option is to do an scp to passchangeuser's account that puts a
>>> file (say, that's named targetuser and contains the new password inside)
>>> in a special directory (/home/passchangeuser/newinfo ?) and a cron task
>>> that constantly looks for new files in that directory and does the passwd
>>> command to change things as appropriate.  This way the user's password
>>> isn't transferred plain text and you don't have to worry about `ps aux`
>>> people.
>>>
>>> No script examples in this email, kinda too busy to actually go about a
>>> full blown example.
>>>
>>> -Will
>>>
>>>
>>> On 5/31/06, webtrekker at cox.net <webtrekker at cox.net > wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I am trying to write a script that will reference a list of machine names
>>>> and then connect to each one through ssh to change a user's password.
>>>>
>>>> SSH can connect to each server without prompting for a password
>>>> (authorized_keys).
>>>> I am not a very good script writer, so any help would be greatly
>>>> appreciated.
>>>>
>>>> Thanks,
>>>> Patrick
>>>> _______________________________________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> http://lists.olug.org/mailman/listinfo/olug
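
The remote-side half of Will's scp-plus-cron drop-directory scheme, as an added example that is not Will's code (he posted none). It assumes the directory from his post (`/home/passchangeuser/newinfo`), one file per target account named after that account with the new password on its first line, and a cron entry that runs it as root. `chpasswd` stands in for `passwd` because it takes the password on stdin, so, as Will wanted, nothing secret is visible in `ps`. The username check, the `CHPASSWD` override, and the sample files in the usage are mine: whoever can scp into that directory chooses the filename, so the script only accepts plain account names and reports anything else instead of feeding it to `chpasswd`.

```shell
#!/bin/sh
# Added example, not from the thread: consumer side of the drop-directory
# scheme.  Each file in DIR is named after the target account and holds the
# new password on its first line.  The username rides in the filename and the
# password on chpasswd's stdin, so neither is ever in a process's argv.
# Assumptions: cron runs this as root, the directory is mode 0700 and owned
# by the drop-off account, and chpasswd (shadow-utils) is installed.

CHPASSWD=${CHPASSWD:-chpasswd}   # overridable so the logic can be exercised without root

# Accept only plain account names: lowercase letters, digits, '.', '_', '-',
# not starting with '.' or '-'.  Anything else is reported, not applied.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# process_password_drop DIR
# Applies every pending file and deletes it afterwards; files that are
# rejected or fail stay behind for inspection.  Exit status is the number
# of files that were not applied.
process_password_drop() {
    dir=$1
    failed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # empty dir: the glob stays literal
        name=${f##*/}
        if ! valid_username "$name"; then
            echo "skipping $f: not a plain account name" >&2
            failed=$((failed + 1))
            continue
        fi
        # first line is the password; an empty file is a mistake, not a
        # request to set an empty password
        pw=
        IFS= read -r pw < "$f" || [ -n "$pw" ] || {
            echo "skipping $f: empty" >&2
            failed=$((failed + 1))
            continue
        }
        if printf '%s:%s\n' "$name" "$pw" | "$CHPASSWD"; then
            echo "$name: password changed"
            rm -f "$f"
        else
            echo "$name: chpasswd failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Wire it up with a root crontab line that runs `process_password_drop /home/passchangeuser/newinfo` every minute, and on the sending side `scp newpassfile host:/home/passchangeuser/newinfo/alice`. Keep in mind what Will's caveat implies: anyone who can write into that directory can set any account's password, so the drop-off account's key is as sensitive as root's.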



