Script to change password in initially set as *LK*

RaelOM · 08-13-2008, 11:02 AM

So this script fails because of the *LK* entry in /etc/shadow (Or in this case /etc/ptmp)

If it's any other value, then this works fine.

How can I correct this?

Code:

#!/usr/bin/perl

@saltset = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
$ptmp = '/etc/ptmp';
$passwd = '/etc/shadow';
$perl = '/usr/bin/perl' ; # Used in system() later

srand(time|$$);

if ($#ARGV != 1) {
    print "Usage: $0 username newpassword\n" ;
    exit 1;
}

$user = shift;
$newpass = shift;

open(PASSWD,'<' . $passwd);
@entry = grep(/^$user:/,<PASSWD>);
close PASSWD;
if ($#entry == -1) {
    print "User \"$user\" does not exist!\n";
    exit 1;
}
if ($#entry != 0) {
    $accts = $#entry + 1;
    print "There are $accts accounts for \"$user\". Password not changed.";
    exit 1;
}
$entry = shift(@entry);
($name, $oldcrypt, @rest) = split(/:/, $entry);

if ( -f $ptmp ) {
    print "The password file is busy, $ptmp exists. Try again later.\n";
    exit 1;
}

$salt = $saltset[rand(64)] . $saltset[rand(64)]; # form new salt
$newcrypt = crypt($newpass,$salt); # form new encrypted password

open(PW,'<' . $passwd) || die "Couldn't read password file\n";
open(PTMP,'>' . $ptmp) || die "Coulnd't make temp password file.\n";
print PTMP <PW>; # copy passwd to ptmp
close(PTMP);

# Here is where we actually change the password. We let perl do the dirty work.
$ok = system("$perl -pi.bak -e 's:$oldcrypt:$newcrypt: if m/^$user:/;' $ptmp");
if ($ok / 256 ) {
    print "Change failed! Couldn't update the password in $ptmp.\n";
    unlink($ptmp);
    exit 1;
}

# Here we update the real password file by renaming the ptmp file to passwd.
unless (rename($ptmp,$passwd)) { # make new password file from ptmp
    print "Change failed! Couldn't update $passwd. Backup file is $ptmp.bak\n";
    unlink($ptmp);
    exit 1
}

unlink($ptmp); # remove ptmp file
exit 0; # return success.

matthewg42 · 08-13-2008, 12:10 PM

You should not edit the passwd file manually. Use usermod with the --password option. (you will need to pre-hash the password).

RaelOM · 08-13-2008, 12:13 PM

Quote:

Originally Posted by matthewg42

You should not edit the passwd file manually. Use usermod with the --password option. (you will need to pre-hash the password).

That's based on the premise that usermod on Solaris would have such an option, which it doesn't.

I would also just use something like this for Linux although the usermod function would work just as well.

echo $PASSWORD | passwd --stdin $user

matthewg42 · 08-13-2008, 12:26 PM

If you don't mind keeping the password in cleartext, you could use expect.

RaelOM · 08-13-2008, 12:33 PM

Quote:

Originally Posted by matthewg42

If you don't mind keeping the password in cleartext, you could use expect.

Yea, was looking into that route as well and decided against it since it seems expect doesn't exist on every box and rather than pulling a pre-compiled binary around with me, I do know perl is on each host.

I actually figured this out BTW:

This string:
$ok = system("$perl -pi.bak -e 's:$oldcrypt:$newcrypt: if m/^$user:/;' $ptmp");

Should read:
$ok = system("$perl -pi.bak -e 's:\Q$oldcrypt\E:$newcrypt: if m/^$user:/;' $ptmp");

so as to escape the boolean's

estabroo · 08-13-2008, 03:25 PM

perl module - Passwd::Solaris