Script to change password on linux servers over ss

2020-02-02 12:10发布

站内问答 / Linux
792 16 4

We have a number of Red Hat linux servers in our IT environment. I am being asked by my team members to write a script (preferably shell script) to change a user's password on each one of those in a single go, using SSH.

I have tried to find a solution but many of the scripts I found are using Expect. We do not have Expect installed on our servers and the system admins have refused to let us install it. Also, the users do not have root access so passwd --stdin or chpasswd cannot be used.

Is there any way a script can be written so that a user can run it and change the password of only his own user on all the servers in a list?

16条回答
劫难
2楼-- · 2020-02-02 12:30

Building on squashbuff's example, I tried the following, which worked well for me:

#!/bin/bash
for server in `cat hostlist`; do
echo $server;
ssh username@$server 'passwd <<EOF
old_password
new_password
new_password
EOF';
done

Security wise, Could be improved to take input without echoing to the screen OR saving the plaintext to disk.

查看更多
0人赞 添加讨论(0) 举报
霸刀☆藐视天下
3楼-- · 2020-02-02 12:30

Another possibility: change it manually on one server. Get the encrypted password out of /etc/shadow. Now, do something like this:

for host in $HOST_LIST; do
    ssh $host "passwd -p 'encrypted_passwd' user"
done

Of course, 'encrypted_passwd" is what you got out of /etc/shadow where you manually changed the password. And $HOST_LIST is a list of hosts where you want the password changed. That could be created simply with:

export HOST_LIST="server1 server2 server15 server67"

Or perhaps with a file (as others have suggested):

export HOST_LIST=`cat host_list.txt`

Where the file "host_list.txt" has a list of all the systems where you want the password changed.

Edit: if your version of passwd doesn't support the -p option, you might have the 'usermod' program available. The example above remains the same, simply replace 'passwd' with 'usermod'.

Furthermore, you might consider the useful tool pdsh, which would simplify the above example to something like this:

echo $HOST_LIST | pdsh -Rssh -w- "usermod -p 'encrypted_passwd' user"

One last "gotcha" to look out for: the encrypted password likely contains the dollar sign character ('$') as a field separator. You'll probably have to escape those in your for loop or pdsh command (i.e. "$" becomes "\$").

查看更多
0人赞 添加讨论(0) 举报
Emotional °昔
4楼-- · 2020-02-02 12:33

Have you tried App::Unix::RPasswd

查看更多
0人赞 添加讨论(0) 举报
成全新的幸福
5楼-- · 2020-02-02 12:34

You should try pssh (parallel ssh at the same time).

cat>~/ssh-hosts<<EOF
user100@host-foo
user200@host-bar
user848@host-qux
EOF

pssh -h ~/pssh-hosts 'printf "%s\n" old_pass new_pass new_pass | passwd'
查看更多
0人赞 添加讨论(0) 举报
放我归山
6楼-- · 2020-02-02 12:35

The passmass script (man page) that comes with Expect doesn't require Expect to be installed on the remote machines.

查看更多
0人赞 添加讨论(0) 举报
孤傲高冷的网名
7楼-- · 2020-02-02 12:38

Thought I should put my solution in an answer field - not sure if this should be a part of the question..

OK, I have put together a partially working solution using Dennis' suggestion.

servers.txt looks like:

server1
server2
server3
.
.
.

I am using:

for server in `cat servers.txt`; do
ssh $server -l user 'passwd <<EOF
old_pass
new_pass
new_pass
EOF';
done

This produces:

user@server1's password: **<Type password manually>**
(current) UNIX password: New UNIX password: Retype new UNIX password: Changing password for user user.
Changing password for user
passwd: all authentication tokens updated successfully.
user@server2's password: **<Type password manually>**
(current) UNIX password: New UNIX password: Retype new UNIX password: Changing password for user user.
Changing password for user
passwd: all authentication tokens updated successfully.

So here, I still need to type my old password once for each server. Can this be avoided?

查看更多
0人赞 添加讨论(0) 举报
1 2 3 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)