great ‘expect’ations (no pun intended)

CHANGING PASSWORD ACROSS MULTIPLE SERVERS

scenario: suppose you administer a boat-load of *nix servers, say 2+, and
these servers don’t use single sign-on authentication, so your
access credentials are separate for each system. as an analogy, it’s like
having the same user/pass for all the social sites you’re signed up with:
whenever you need to change your password for facebook, you still
need to change the one for twitter and myspace manually. This would be
a tedious and tiring task if you had to do it on, let’s say, 200+ sites, right?

It’s the same thing with server admin’ing. Some systems are just plain old school
or not on par with current tech, but sysadmins don’t always have the
upper hand. if you can’t change the process, at least make your task
easier.

sub-scenario: suppose you just got your username created on a ship-load of servers,
let’s say about 5+, and it’s been issued a default password ‘oldpass’. Your current
task is to change the default password and make it more secure by setting it to
‘password’. You will also need to change it every 10 days, which is
the security policy at your work. That’s a tedious and repetitive task, don’t you think?

but why can’t you just go into the servers and configure passwordless ssh,
so you can forget about having to change your passwords so often? one reason,
just one reason why it can’t be done: it’s against the security policies being
implemented rofl.

You can just create a script that would ssh to each server and ask you for your password;
then when you log in you run ‘passwd’ and exit afterwards. makes life a little bit easier
for you, right? sure, if you’ve got fast fingers and don’t mind doing repetitive tasks.
it barely automates the task.

i’ve been checking out ‘expect’ scripting, which is the perfect solution to
the scenario at hand.

=====start script=========

#!/usr/bin/expect -f
# change the line above to point to your expect binary

# i was using the line below when i was testing the script
#spawn rm .ssh/known_hosts

# pass an argument to the script from the command line
set server [lindex $argv 0]
set timeout -1

# execute ssh $server command
spawn ssh $server

# you can also do spawn ssh $server passwd
# but in my case, the servers kept spewing out nasty errors when i
# tried to do it that way, which i didn't bother looking into,
# because where i am, you can't just make server changes
# that involve admin stuff easily.
# it's not the same as what i've gotten used to.

# comment out the 2 lines below when you already have previous access to all the servers
# and you won't be expecting such [out|in]put
expect "Are you sure you want to continue connecting (yes/no)? "
send -- "yes\r"

expect "password:"
send -- "oldpass\r"
set timeout 2
# -ex: match a literal $ (the shell prompt)
expect -ex "\$"
sleep 1
# sub the one below if the other doesn't work/help
#spawn passwd
send -- "passwd\r"
# passwd asks for the current password first, then the new one twice;
# wait for each prompt before answering it
expect "assword:"
sleep 1
# current password (the same one used to log in)
send -- "oldpass\r"
expect "assword:"
sleep 1
send -- "newpass\r"
expect "assword:"
sleep 1
send -- "newpass\r"
send -- "exit\r"
expect eof

=========end script=========

Save to file ‘change-pass.exp’ then run this command from cli:
# rm -f RESULTS; for i in `cat servers.txt`; do ./change-pass.exp "$i"; if [ $? -eq 0 ]; then echo "$i PASSWORD WAS MARVELOUSLY CHANGED" >> RESULTS; else echo "$i FAIL" >> RESULTS; fi; done

Or in a script:

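#!/usr/bin/bash
# start with a fresh results file (-f: no error if it does not exist yet)
rm -f RESULTS
for i in `cat servers.txt`; do
    ./change-pass.exp "$i"
    # record the outcome per server based on the expect script's exit status
    if [ $? -eq 0 ]; then
        echo "$i PASSWORD WAS MARVELOUSLY CHANGED" >> RESULTS
    else
        echo "$i FAIL" >> RESULTS
    fi
done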

NOTE TO SELF: DON’T FORGET TO REMOVE THE PASSWORD FROM THE SCRIPT WHEN DONE
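The note to self exists because the passwords live in the script file, and the loop’s `$?` check only means something if the expect script fails when the change fails. Below is an added example (not the original author’s script) that reads both passwords from the environment, stops on an unknown host key instead of answering yes, and exits non-zero unless passwd reports success. The variable names OLDPASS and NEWPASS, the file name, the prompt regexes and the word "success" in passwd’s final message are assumptions.

```expect
#!/usr/bin/expect -f
# Added example, not the original author's script.
# Usage: OLDPASS=... NEWPASS=... ./change-pass-checked.exp server
# Assumed: OLDPASS/NEWPASS names, the prompt regexes, "success" in passwd output.

proc fail {msg} { puts stderr "FAIL: $msg"; exit 1 }

# Wait for one regex; a timeout or disconnect ends the run with status 1.
proc await {pattern what} {
    expect \
        -re $pattern { return } \
        timeout      { fail "timed out waiting for $what" } \
        eof          { fail "connection closed waiting for $what" }
}

if {$argc != 1 || ![info exists env(OLDPASS)] || ![info exists env(NEWPASS)]} {
    fail "usage: OLDPASS=... NEWPASS=... $argv0 server"
}
set server [lindex $argv 0]
set timeout 20   ;# never wait forever on a prompt that does not come
log_user 0       ;# keep the session transcript off the terminal

spawn ssh $server
expect {
    -re {\(yes/no[^)]*\)\? ?$} { fail "unknown host key for $server; verify its fingerprint first" }
    -re {[Pp]assword: ?$}      { send -- "$env(OLDPASS)\r" }
    timeout                    { fail "no password prompt from $server" }
    eof                        { fail "ssh exited before prompting" }
}
# A second password prompt means the login was rejected.
expect {
    -re {[Pp]assword: ?$} { fail "login rejected on $server" }
    -re {[$#>] ?$}        { send -- "passwd\r" }
    timeout               { fail "no shell prompt on $server" }
    eof                   { fail "connection closed after login" }
}
await {[Pp]assword: ?$} "current-password prompt"; send -- "$env(OLDPASS)\r"
await {[Pp]assword: ?$} "new-password prompt";     send -- "$env(NEWPASS)\r"
await {[Pp]assword: ?$} "retype prompt";           send -- "$env(NEWPASS)\r"
# Only an explicit success message counts; a bare prompt or silence is a failure.
expect {
    -re {success}  { set rc 0 }
    -re {[$#>] ?$} { set rc 1 }
    timeout        { set rc 1 }
    eof            { set rc 1 }
}
catch { send -- "exit\r" }
exit $rc
```

Set the two variables from a `read -s` prompt in the wrapper script rather than typing them on the command line, where they would land in shell history. The environment is still readable by root and by your own processes while the script runs.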
