 I am looking for a way to update passwords via program or script
Our group administers a small collection of AIX systems.  There are
about 80 to 100 systems on the list at any given time.  Most of our team
needs access to most of the list on a regular basis.  We are being
required to change our passwords on a 45 to 60 day cycle and this now
represents a substantial loss of productive time for each user to walk
down the complete list changing their password.

What I am attempting to implement is a script (ksh and/or perl) that can
process a list of system names, establish an ssh session, change the
user's password and exit back to the driving client system.  I would like
the user to see a command line something like "changepw current_pw
new_pw". This should internally execute a command like "ssh $sysName
$cmdString"  where $cmdString is like "setpw $oldpw $newpw; exit".  I
have tested the chained command approach and ssh does cause them both to
execute.

What I hope to find is a method of passing the user's password to ssh
when it needs it and a sample of a program that can change the user's
password on the target system without any user interaction required.

This solution should run in non-root user space and change only the
password of the issuing user.

If anyone has implemented something like this I would surely appreciate
any and all pointers/suggestions.

Les Hazelton



 Fri, 07 Jun 2002 03:00:00 GMT   
 I am looking for a way to update passwords via program or script
I'd probably start using NIS so your passwords are all stored on a single
(and optional backup) system. That way, you only need to change passwords on
one system.

If all systems have all of the same ids and passwords, you should also be
able to copy the passwords files to each system. You would need to copy
/etc/passwd and /etc/security/passwd, and possibly /etc/groups and
/etc/security/users depending on other changes.

I've done this in the past with no problems but you probably want to make
copies and try it out on one system before applying to all of them.



 Fri, 07 Jun 2002 03:00:00 GMT   
 I am looking for a way to update passwords via program or script
Les,

Why don't you run NIS (YP)?  This is exactly what part of the system is
designed to work around.

Mark

In article <385E9F29.A5AD1...@attglobal.net>,
  Les Hazelton <seaw...@attglobal.net> wrote:

Sent via Deja.com http://www.deja.com/
Before you buy.



 Sat, 08 Jun 2002 03:00:00 GMT   
 I am looking for a way to update passwords via program or script
 [snip]

This is really what DCE/NIS are for.  Ignoring that, you could probably
do what you want to with "expect".  Available at your favorite PDS
site.

This is probably a roll-your-own since most people just break into
the above mentioned under the conditions you describe.

If you decide to also, DCE is the more secure of the two.




 Sat, 08 Jun 2002 03:00:00 GMT   
 I am looking for a way to update passwords via program or script
  Having either passwords or password files whizzing across the network
for no-good-niks to see gives me the Willies! To solve the issue of
changing passwords on multiple machines by entering the password once, I
would suggest you implement two things.
1) Ssh2 - It will encrypt your data stream between the hosts so even if
          someone has a sniffer your password or password files will
          not be transmitted "in-the-clear".
2) Expect - Expect is a scripting language that can prompt you to enter
            data and will then use that data to repeatedly run commands.

Both of these tools can be found using your favorite search engine. Ssh2
is a licensed product if used for commercial purposes. (If your password
is important enough to keep secret, why not spend the money to do it
right?) I believe Expect is free. There is even a sample program that is
part of the expect distribution that does exactly what you want to do.
The sample program is called passmass. You can have expect use whatever
program you like to communicate with the remote hosts, ssh, rlogin,
telnet....  It is extremely flexible and anyone with a modicum of
patience and persistence can make minor modifications to the samples to
get exactly what they want. (Hey, I did it and I'm an idiot!)
There are even newsgroups for expect and ssh so you can get help if you
need it.

-JAZZ

--
John Jaszczak  
Harmonic Systems, Inc  
701 4th Ave South, Suite 1600
Minneapolis, MN 55415
jjaszc...@harmonic.com 612-321-4139



 Sat, 08 Jun 2002 03:00:00 GMT   
 I am looking for a way to update passwords via program or script

We have SSH2 installed on about 1/2 of our systems. The others are still
at SSH1. We had to put that roll out on hold to do more y2k related
activities. We should finish that implementation during first half of
2000.

We can't ship password files around.  This is more for logistical
reasons than anything else.  Also, our department is only a small
portion of the user community on these systems.  We can't ship an
/etc/passwd file and thereby give some users access to systems outside
their scope.

I haven't used EXPECT, but it sounds promising.  Thanks for the
suggestion. As a matter of fact, I just checked several of our systems.
They already have EXPECT installed in /usr/local/bin.  I will study the
man file and see where that gets me.

Les Hazelton



 Sat, 08 Jun 2002 03:00:00 GMT   
 I am looking for a way to update passwords via program or script

A switched network has taken care of that.

Isn't the data you enter in "plain text"?    It occurs to me that a script is
a plain text file that expect will read.  Therefore, any passwords or other
relevant information will be kept in this file and invalidate any secure
directives.

Regards,

Banger
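
An added example, not part of any post in this thread: the prompt-and-answer technique that Expect provides, written here with Python's standard-library `pty` module instead of Expect. Both passwords are read once without echo and written only to the ssh pseudo-terminal, so they are stored in no script file and passed on no command line. The prompt patterns, the `drive` and `change_password` names and the host-list file argument are assumptions to adjust to your own ssh and passwd.

```python
import getpass, os, pty, re, select, signal, sys

def drive(argv, rules, timeout=15.0):
    """Run argv on a pty, answer each (prompt_regex, secret) rule once.
    Returns (exit_code, all_rules_used); exit_code is -1 if the child was killed."""
    pid, fd = pty.fork()
    if pid == 0:                          # child: become the command
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)
    pending, buf = list(rules), b""
    while True:
        ready, _, _ = select.select([fd], [], [], timeout)
        if not ready:                     # unknown prompt or hang: stop, never guess
            os.kill(pid, signal.SIGKILL)
            break
        try:
            chunk = os.read(fd, 1024)
        except OSError:                   # Linux raises EIO once the child closes the pty
            break
        if not chunk:
            break
        buf += chunk
        for rule in pending:
            if re.search(rule[0], buf):
                os.write(fd, rule[1].encode() + b"\n")   # secret goes only to the pty
                pending.remove(rule)
                buf = b""
                break
    os.close(fd)
    _, status = os.waitpid(pid, 0)
    return (os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1), not pending

def change_password(host, login_pw, new_pw):
    # Prompt regexes are assumptions; match them to what your ssh and passwd print.
    rules = [(rb"'s password:\s*$", login_pw), (rb"(?i)old password:\s*$", login_pw),
             (rb"(?i)new password:\s*$", new_pw), (rb"(?i)again:\s*$", new_pw)]
    return drive(["ssh", "-t", host, "passwd"], rules)[0] == 0

if __name__ == "__main__":
    hosts = [h.strip() for h in open(sys.argv[1]) if h.strip()]
    old = getpass.getpass("Current password: ")   # read without echo, never from argv
    new = getpass.getpass("New password: ")
    for host in hosts:
        ok = change_password(host, old, new)
        print(host, "changed" if ok else "FAILED")
        if not ok:
            break                                 # stop before a bad value hits every host
```

Each rule is answered at most once, so a rejected password leads to a timeout and a reported failure rather than a retry loop against the account.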



 Sat, 08 Jun 2002 03:00:00 GMT   
 I am looking for a way to update passwords via program or script
NIS is the way to go. Even though the /etc/passwd file is shipped
around (only to NIS master servers, btw), the passwords aren't even in
/etc/passwd, so what's the problem? NIS is also configurable to
allow/disallow access for certain users or groups to specific machines
as well. The only security problem is if someone is packet sniffing
for passwords sent across the network. And if that is a problem, then
you have more serious network security issues than system security
issues..

Just a thought..

On Tue, 21 Dec 1999 14:49:58 -0500, Les Hazelton



 Tue, 02 Jul 2002 03:00:00 GMT   
 I am looking for a way to update passwords via program or script

news:bonu7sgargbg2dlmufa2osgjg8ou5k73aj@4ax.com...

  With NIS, you have to ship the encoded passwords around. They may be in
the /etc/passwd file or they may be in the /etc/security/passwd file. What
sort of authentication does NIS do to validate that the host it is shipping
the file to is really who it says it is?
  For system security, there are features built into AIX which help me to
know if someone is trying to subvert my system. The network can be a bit more
difficult to secure if you do not have total control of the transmission
media. Remote locations? Do you own the physical cable that your data
crosses? Are you willing to trust every person in every telco or transmission
facility between here and there? There was a discussion in the newsgroup
last year regarding sniffing and how detectable it is. Some feel competent
enough to be able to detect it. Are you willing to bet your employer's
security (and possibly your own job) on your ability to sense if someone is
sitting in the manhole down the street squealing and laughing with delight
because they just nabbed your encoded password file?
  Everything is a trade-off. Time and effort versus security and
confidentiality. Think I'm some paranoid nut who has been sitting too close
to the microwave? Hmmm, might be! You may want to take a little stroll over
to comp.unix.security. Read, listen and learn. Or maybe spend a couple of
hours at www.cert.org.

My apologies to Mathew Landt, who is fond of the following quote:

  "Just because you aren't paranoid doesn't mean they AREN'T out to get
you!".

These thoughts are presented not to offend, but rather to encourage. I don't
have all the answers, hell I seldom understand the questions.

-JAZZ


