Need help in creating a script which will change password of user on multiple server

linux_neophyte · 09-05-2013, 09:31 AM

Hi Friends,

Please help me in creating a script which will help in resettting the password of a user on multiple servers.

The account which will be used have a sudo previlages and hence cannot execute the script, as unable to become root by supplying the credentials.

Here is the code which i have done but its not working.

# Password Change Script
echo "Enter User name with Sudo Previleges which will be used to change the passwords on remote Servers"
read ADMIN
echo "Enter Password to connect Sudo Previleges which will be used to change the passwords on remote Servers"
read PASS
echo " "
echo "Enter User name Whose passwords needs to be changed on remote Servers"
read TARGET
echo "Enter NEW password for $TARGET user "
read TARGETPASS

login_id=$ADMIN
host_name=""
file_name="serverlist.txt"

for i in $(cat $file_name);
do
hostname=$(echo $i| cut -f1 -d',')

ssh -t $login_id@$hostname 'echo $PASS | sudo -S |`echo $TARGETPASS | openssl passwd -1 -stdin`' read $TARGET'

However when run this code directly on shell it runs perfectly.

ssh -t user@server 'echo password | sudo -S /usr/sbin/usermod -p `echo ssss | openssl passwd -1 -stdin` 'test''

And able to change the passowrd
'echo password Password of the user which is having sudo previlege
usermod -p `echo ssss New password of the user which is been printed
'test'' Test is the user whose password needs to be changed.

Can someone let me know how the variables are now passed into the script with the ssh option used in script above.

gregoryfenton · 09-05-2013, 11:12 AM

The first thing I see is that you have not closed the for loop with done.

The below code works for me:

Code:

#!/bin/bash
if [ "`which sshpass`" -eq "" ]; then
echo "sshpass must be installed, please check your repository"
exit
fi

# servers.txt is a list of servers, one per line
# username is the user you wish to change
# password is the password to change to
# note the line
# echo -e "$password\n$password" - passwd asks for the password twice.
adminuser="adminuser"
adminpass="adminpass"
username="someuser"
password="testpass"
servers="`cat servers.txt`"
for server in $servers; do
echo "Changing password of user $username on server $server"
`which sshpass` -p "$adminpass" `which ssh` -t $adminuser@$server "echo -e \"$password\n$password\" | sudo -S passwd $username"
done

Hope it helps

edit:
Just realised, my method is using the fact that I have shared key passwordless access to my server. I changed the ssh line but haven't tried it.
Edit 2, changed to use sshpass. I learned something today :)
Edit 3, forgot to add the -p to the sshpass line.

Note that using the ' character in a bash script is the same as saying "print everything literally" so:

Code:

a="hello world!"
echo $a
echo "$a"
echo '$a'

Would return:

Code:

hello world!
hello world!
$a

Hope this (finally!) helps

linux_neophyte · 09-05-2013, 11:12 PM

Thanks for the sshpass, it works with sshpass. I had already tried and your code too did worked.

But thing is that i need to execute it without sshpass, and on servers where sshkeys are not already present.

i used below code in the script with just ssh -t option and got below error, can you please let me know how to resolve this two issues using ssh.

ssh -t $ADMIN@$hostname 'echo -e \"$TARGETPASS\n$TARGETPASS\" | passwd $TARGET'

After executing the script: below is the o/p:

Enter User name with Sudo Previleges which will be used to change the passwords on remote Servers
admin
Enter Password for oracle
admin123
Enter User name Whose passwords needs to be changed on remote Servers
test
Enter NEW password for test user
abcd
resetting password for test on 10.180.91.17 using oracle@10.180.91.17
admin@10.10.11.12's password:
Changing password for admin oracle.
Changing password for admin.
(current) UNIX password: passwd: Authentication token manipulation error
Connection to 10.10.11.12 closed.
resetting password for test on 10.10.11.13 using admin@10.333.23.33

and so on..............for other servers in the serverlist

Can you please suggest how to overcome this issue......(without sshpass and expect)

Surely there would be some way, which we arent aware of.

Thanks for the efforts taken.

linux_neophyte · 09-06-2013, 01:40 AM

Also one strange thing was noted while using sshpass.

The admin user had to be logged in atleast once before it could be able to change the password. since admin user has to login first then su to become root and face the initial sudo message/ warning ......

Code:

$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

        #1) Respect the privacy of others.
        #2) Think before you type.

Password:

And then only When we run the ssh script it allows to change the password.

Any idea how to overcome this.

gregoryfenton · 09-06-2013, 02:37 AM

Quote:

Originally Posted by linux_neophyte

Changing password for admin oracle.
Changing password for admin.

I see from the first line that you are changing the admin password at the same time. This is not from my script.
Copy and paste my script, don't retype it. My code works as written.

The message you get from

Code:

sudo su -

is specific to your system and could have been implemented any one of several ways which I can't account for.

You could always modify the script to connect twice for each connection by changing the line

Code:

`which sshpass` -p "$adminpass" `which ssh` -t $adminuser@$server "echo -e \"$password\nexit\n\" | sudo su -"
`which sshpass` -p "$adminpass" `which ssh` -t $adminuser@$server "echo -e \"$password\n$password\" | sudo -S passwd $username"

to get around your particular issue. I haven't tried this, but it should work. I am just logging in as the admin and sending

Code:

su -

followed by

Code:

exit

so it bypasses the message.

My code does not need sshkeys installed, it did originally but I changed the code in one of my edits.

You will need sshpass installing, but only on the server you are running the script from. Depending on your version of linux it may just be

Code:

sudo apt-get install sshpass

If you have admin passwords to a number of systems then it seems logical that you have admin access to your own which will allow you to install packages.

Your line

Code:

ssh -t $ADMIN@$hostname 'echo -e \"$TARGETPASS\n$TARGETPASS\" | passwd $TARGET'

uses ' which as I mentioned will not expand $TARGET to the username but instead send the word $TARGET. Don't use them, use "

I hope this clears it up for you, your question has been answered and your original issue has been solved.

I have a question that I would love you to answer:
If you are such a linux newb why are you being allowed to admin a bunch of servers? One erroneous command and you could wipe them all out which would be a Bad Thing (TM)

linux_neophyte · 09-06-2013, 05:05 AM

I would answer your question first.

Code:

I have a question that I would love you to answer:
If you are such a linux newb why are you being allowed to admin a bunch of servers? One erroneous command and you could wipe them all out which would be a Bad Thing (TM)

Quote:

Someone is always new to learn new things, am working as a Linux sysadmin from past few years, but scripting was such a horrible thing that i would have it done by my colleagues/seniors who were good at it, but now i know I have to learn it, so am trying and hope it will be done quickly with help of you guys.

For your below question:

Code:

I see from the first line that you are changing the admin password at the same time. This is not from my script.
Copy and paste my script, don't retype it. My code works as written.

Quote:

the script which I had wrote, without the sshpass but with "ssh -t" option and thus it was not changing the users password but admin users password itself so had given the output, that is It's changing the password of the admin user itself and not of the target user.

Thanks for your help, and will surely try inserting the code to run twice, so it will connect, need to try and check.

since we have NIS login, which can be used to log to any no of systems present, and few of them have sudo privilages to perform root action, that this is the need to login through id, then su to become root and then change the password of the users.

Thanks again.