Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Updating passwords in batch mode

News	Authentication and Accounts Security	Recommended Books	Recommended Links	Papers	Reference
Unix chpasswd	LDAP	SecurID Tokens	History	Humor	Etc

1) Create random password for each non-root user using chpasswd utility. It update passwords in batch mode. chpasswd reads a list of user name and password pairs from file and uses this information to update a group of existing users. Each line is of the format:

user_name:password

Remember by default the supplied password must be in clear-text format. This command is intended to be used in a large system environment where many accounts are created at a single time or in emergency like this. First, we need to find out all non-root accounts using awk command:
awk -F: '{ if ( $3 >1000 ) print $1}' /etc/passwd > /root/tmp.pass

Make sure /root/tmp.pass file contains non-root usernames only.

2) Create random password with pwgen
By default, pwgen utility is not installed so with the help of apt-get install it:
# apt-get install pwgen

The pwgen program generates passwords which are designed to be easily memorized by humans, while being as secure as possible. For example following command print the generated password:
# pwgen -1 -n 8

Download complete working script that updates user password in batch mode. Execute script batch-update-password.sh:
# chmod +x batch-update-password.sh # ./batch-update-password.sh

Now update user passwords with chpasswd, by default script creates file in /root/batch.passwd file:
# chpasswd

3) Email new password to server admin or all end users. You can write a script to email password end users.

4) Your system is ready to accept login, just remove /etc/nologin file:
# rm /etc/nologin

There are other ways to recover /etc/shadow file, depend upon your setup and backup frequency you can use any one of the following method too:

By default, your /etc/passwd and /etc/shadow file are backup to /var/backups under Debian Linux. You can just copy shadow.bak file after step # 1:

# cp /var/backups/shadow.bak /etc/shadow

Some time /etc/shadow- file can be use to replace /etc/shadow
If you have a backup of /etc/shadow on tape or cdrom then you can copy back /etc/shadow file after step #1.

I guess it explains the important of regular backup of both data and key files.

This is one that is pretty easily answered with a Google search:

http://www.google.com/search?client=safari&rls=en&q=ssh+passphraseless+authentication

http://dcs.nac.uci.edu/~strombrg/ssh-keys.html
http://chris.quietlife.net/2003/10/23/security-part-iii/
http://www-128.ibm.com/developerworks/linux/library/l-keyc.html
http://www.llnl.gov/computing/hpc/access/ssh_keys.html

setting a user passwd

------=_NextPart_000_0017_01C58E2E.B5569F80
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi, I am developing a program that sets passwd for any user but i dont =
want the operator sets the passwd. I want to give it as a result of a =
function

[victor [at] mail victor]$ perl passwd.pl victor1

#!/usr/bin/perl
$usuario=3D$ARGV[0];
$passwd=3D"PASSWDGENERATEBYOTHERFUNCTION"
`sudo /usr/sbin/useradd -c $usuario -s /sbin/nologin $usuario`;
`sudo /usr/bin/passwd $usuario`;

I could add the user, but in the set passwd line.
When I use this script always I have a prompt of password assigment that =
I dont want. Could you give me some light of what can I do?

Thanks in advance,

Victor

------=_NextPart_000_0017_01C58E2E.B5569F80--

Victor Pezo [ Fr, 22 Juli 2005 02:59 ] [ ID #891114 ]

RE: setting a user passwd

Victor Pezo wrote:
> Hi, I am developing a program that sets passwd for any user but i
> dont want the operator sets the passwd. I want to give it as a result
> of a function
>
> [victor [at] mail victor]$ perl passwd.pl victor1
>
> #!/usr/bin/perl
> $usuario=$ARGV[0];
> $passwd="PASSWDGENERATEBYOTHERFUNCTION"
> `sudo /usr/sbin/useradd -c $usuario -s /sbin/nologin $usuario`;
> `sudo /usr/bin/passwd $usuario`;
>
> I could add the user, but in the set passwd line.
> When I use this script always I have a prompt of password assigment
> that I dont want. Could you give me some light of what can I do?

The classic answer to this is to use the Expect module, because passwd(1)
historically has read only from /dev/tty.

However, if you're on Linux, passwd(1) has a --stdin option that lets you
supply the password via standard input. So you could write something like
(untested):

system "echo \Q$passwd\E | sudo /usr/bin/passwd --stdin \Q$usario\E";

--
To unsubscribe, e-mail: beginners-unsubscribe [at] perl.org
For additional commands, e-mail: beginners-help [at] perl.org
<http://learn.perl.org/> <http://learn.perl.org/first-response>

[SUMMARY] non-interactive password changing

From: Wales Wong (wawong@ouhk.edu.hk)
Date: Mon Aug 11 1997 - 04:44:19 CDT

Next message: Josh Kuperman: "Summary: identd and pidentd"

Previous message: Marina Daniels: "SUMMARY 2: compiling INN1.5.1sec2 -"

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Dear Managers,

Thanks for all the prompt response.

Original question:
> Because of the system migration, I have to create a lot of
> users. This can easily be done by using useradd. The accounts
> created by useradd are locked until passwd is called to change
> the password.
>
> Unfortunately, I can't find a non-interactive way to
> change the password. It's a pain if I have to change
> the password manually.
>
> Question:
> Is there any menthod that I can change the passwords of 300+ users with little pain?

Answers:

I received valuable help from:
Kumara Swamy-WIPRO-NA <mrk@india.ti.com>
Stefan Voss <s.voss@terradata.de>
Stephen Harris <sweh@mpn.com>
and those I haven't received yet.

With the help from one of my colleague, I solve my problem by
writing a simple expect script. The env variables UNAME and UPASS
carry the username and password respectively.

#!/usr/local/bin/expect -f
set username $env(UNAME)
set password $env(UPASS)
spawn passwd $username
expect "New password:"
send "$password\r"
expect "Re-enter new password:"
send "$password\r"
send "exit\r"
expect eof

Managing Passwords

Changing Passwords in a Batch

On a large system, there might be times when a large number of users and their passwords need some attention. The super user can change passwords in a batch by using the chpasswd command, which accepts input as a name/password pair per line in the following form:
$ sudo chpasswd username:password
Passwords can be changed en masse by redirecting a list of name and password pairs to the command. An appropriate shell script can be constructed with the information gleaned from Chapter 15.

However, Ubuntu also provides the newusers command to add users in a batch from a text file. This command also allows a user to be added to a group, and a new directory can be added for the user, too.

Hi Managers,

Here is the more compact version updated script . Thanks to "Andrew
Hall" for advising me to use case statement.This avoids using NFS mount.

#!/usr/bin/ksh -x
########################################################################
########
#Script Written on 27th June 05 .
#This script is used to change the root password of all unix hosts
#Make sure /usr/sysadm/scripts/minoti/all-hosts is updated with live
hosts before running this script
########################################################################
#######

for i in `cat /usr/sysadm/scripts/minoti/test-hosts`
do
OS=`remsh $i uname`
case $OS in
SunOS) rsh $i "rm /tmp/shad*"
        rsh $i "cp -p /etc/shadow /etc/shadow.2706"
        rsh $i "cat /etc/shadow|grep -v root>/tmp/shad1"
        rsh $i "echo "root:1EDHxu0aw6jRE:12958::::::">/tmp/shad2"
        rsh $i "cat /tmp/shad1>>/tmp/shad2"
        rsh $i "cp /tmp/shad2 /etc/shadow"
        rsh $i "/usr/sbin/pwconv"
        rsh $i "chown root:sys /etc/shadow"
        rsh $i "chmod 400 /etc/shadow"
;;
HP-UX) rsh $i "rm /tmp/shad*"
        rsh $i "rm /tmp/pass*"
        rsh $i "cp -p /etc/passwd /etc/passwd.2706"
        rsh $i "cat /etc/passwd|grep -v root>/tmp/shad1"
        rsh $i "echo "root:WkmiDJgfPbUB.:0:3::/:/sbin/sh">/tmp/shad2"
        rsh $i "cat /tmp/shad1>>/tmp/shad2"
        rsh $i "cp /tmp/shad2 /etc/passwd"
        rsh $i "chown root:other /etc/passwd"
        rsh $i "chmod 444 /etc/passwd"
;;
Linux) rsh $i "rm /tmp/shad*"
        rsh $i "cp -p /etc/shadow /etc/shadow.2706"
        rsh $i "cat /etc/shadow|grep -v root>/tmp/shad1"
        rsh $i "echo
'root:"$"1"$"hluzjp3u"$"bwx/ZLLAM4qANpMXTvBLz1:12961:0:99999:7:::'>/tmp/
shad2"
        rsh $i "cat /tmp/shad1>>/tmp/shad2"
        rsh $i "cp /tmp/shad2 /etc/shadow"
        rsh $i "/usr/sbin/pwconv"
        rsh $i "chown root:root /etc/shadow"
        rsh $i "chmod 400 /etc/shadow"
;;
IRIX*) rsh $i "rm /tmp/shad*"
        rsh $i "/sbin/cp -p /etc/shadow /etc/shadow.2706"
        rsh $i "/sbin/cat /etc/shadow|grep -v root>/tmp/shad1"
        rsh $i "/sbin/echo "root:kN6gTIyyu5foo:12958::::::">/tmp/shad2"
        rsh $i "/sbin/cat /tmp/shad1>>/tmp/shad2"
        rsh $i "/sbin/cp /tmp/shad2 /etc/shadow"
        rsh $i "/sbin/pwconv"
        rsh $i "chown root:sys /etc/shadow"
        rsh $i "chmod 400 /etc/shadow"
;;
*) echo "platform $OS not supported"
;;
esac
done

Regards
Minoti Koul

-----Original Message-----
From: Andrew Hall [mailto:halla3@corp.earthlink.net]
Sent: Friday, June 24, 2005 6:20 PM
To: Koul, Minoti
Subject: Re: SUMMARY: Script for changing the password

FYI,

If you want to only have one pass.sh script you could do this

#!/bin/sh

case $1 in $OS
    "HP-UX")
          hppass.sh contents here
          ;;
    "SunOS")
          sunpass.sh contents here
          ;;
       "IRIX64")
          sgipass.sh contents here
          ;;
       "Linux")
          linuxpass.sh contents here
          ;;
          *)
             echo "I don't know about $OS"
             exit 1
             ;;
esac

Basically you would have one script that is run on each machine and runs
the appropriate code based upon $OS. And to take it a step further, you
could change your "if [ $OS =" lines to a case statement. Just and FYI
hoping to help.

HTH,

Drew

Koul, Minoti wrote:

> Thanks for all the valuable replies I got .
>
>1.Anthony D'Atri [aad@verio.net]
>2.Tony van Lingen [tony.vanlingen@epa.qld.gov.au] 3.Tim Evans
>[tkevans@tkevans.com] 4.Polachak, Jason M CTR NAVSEA
>[jason.polachak.ctr@navy.mil#### Jason,Let me know if it helps
>5.JULIAN, JOHN C (AIT) [jj2195@sbc.com] 6.Andrew Hall
>[halla3@corp.earthlink.net] 7.Brad_Morrison@capgroup.com 8.David Ledger

>[dledger@ivdcs.co.uk] 9.Shaw, Kevin [Kevin.Shaw@CAX.USA.XEROX.COM]
>
>I should have mentioned in my original post that mine was hetrogeneous
>env. Solaris,HP-UX,AIX,SuSE,RedHat,SGI.....
>Lot of people recommended using expect but installing expect on all
>platforms was a huge effort.This is how I finally did (again a crude
>way as I had called in my original post)
>
>
>root@pnqccase2:>cat changepass.sh
>###################################################################
>
>#!/usr/bin/ksh -x
>for i in `cat /usr/sysadm/scripts/minoti/all-hosts` # 200 odd unix
>systems do OS=`remsh $i uname`
>
> if [ $OS = "HP-UX" ]
>then
> rsh $i "/u/koulmin/scripts/hppass.sh" #/u/koulmin is an
>automount
>fi
>
> if [ $OS = "SunOS" ]
>then
> rsh $i "/u/koulmin/scripts/sunpass.sh"
>fi
>
> if [ $OS = "IRIX64" ]
>then
> rsh $i "/u/koulmin/scripts/sgipass.sh"
>fi
>
> if [ $OS = "Linux" ]
>then
> rsh $i "/u/koulmin/scripts/linuxpass.sh"
>fi
>done
>#######################################################################
>#
>#####
>Here are the contents of /u/koulmin/scripts/sunpass.sh
>
>#/bin/ksh -x
>rm /tmp/shad*
>cp -p /etc/shadow /etc/shadow.2406
>cat /etc/shadow|grep -v root>/tmp/shad1 echo
>"root:1EDHxu0aw6jRE:12958::::::">/tmp/shad2 #encripted string of
>changed password.
>cat /tmp/shad1>>/tmp/shad2
>cp /tmp/shad2 /etc/shadow
>/usr/sbin/pwconv
>chown root:sys /etc/shadow
>chmod 400 /etc/shadow
>#######################################################################
>#
>########
>Here are the contents of /u/koulmin/scripts/hppass.sh Remember HP-UX
>does not maintain shadow file
>
>root@pnqccase2:>cat /u/koulmin/scripts/hppass.sh #/bin/ksh -x rm
>/tmp/shad* rm /tmp/pass* cp -p /etc/passwd /etc/passwd.2406 cat
>/etc/passwd|grep -v root>/tmp/shad1 echo
>"root:WkmiDJgfPbUB.:0:3::/:/sbin/sh">/tmp/shad2
>cat /tmp/shad1>>/tmp/shad2
>cp /tmp/shad2 /etc/passwd
>chown root:other /etc/passwd
>#######################################################################
>#
>#############
>And so on for all platforms
>
>Thanks once again to all who spared some time to share their valuable
>inputs.
>

>-----Original Message-----
>From: sunmanagers-bounces@sunmanagers.org
>[mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Koul, Minoti
>Sent: Wednesday, June 22, 2005 11:03 AM
>To: sunmanagers@sunmanagers.org
>Subject: Script for changing the password
>
>Hi Managers,
>I am in a situation wherein I have to change root password of 100 odd
>unix boxes. I wanted to do the same via a script.
>
>I used to do it the crude way
>#!/bin/ksh -x
>cp -p /etc/shadow /etc/shadow.11
>cat /etc/shadow|grep -v root>/tmp/shad1 echo
>"root:O75xmUttfitCw:12794::::::">>/tmp/shad2 ## here I am echoing the
>encripted string for new password"
>cat /tmp/shad1>>/tmp/shad2
>cp /tmp/shad2 /etc/shadow
>/usr/sbin/pwconv
>chown root:sys /etc/shadow
>chmod 400 /etc/shadow
>
>I understand that we can input the new password via a script using !! .
>But have'nt been able to do this successfully.
>Can you please help out.
>

Re: Chpasswd Solution?: msg#00004

Subject:	Re: Chpasswd Solution?
List-id:	Help list for people getting started with OpenSolaris <opensolaris-help.opensolaris.org>

* Matthew Alton <Simplicissimus-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> 
[2006-03-30 18:06]:
> Hiya folks,
> 
> I routinely use a utility called "chpasswd" on AIX and Red Hat Linux.
> I sure would like to use this utility on Solaris but it does not exist
> and I can't seem to find a reasonable alternative.  I'll write the
> danged thing if I have to.  Do I have to?  Enquiring minds want to
> know.
> 
> Here the spec.  Syntax: chpasswd [ -e | -h ].  Pretty simple stuff in
> theory.  The "e" switch tells the program that we are passing it an
> already encrypted password, so use it verbatim, otherwise we use
> crypt(3) on "password."  The "h" switch get you the usage blurb.  The
> program simply reads "username:password" pairs from stdin and changes
> the system password of "username" to "password" of all things.  The
> glory of the thing is that it is scriptable so you can do cute things
> like "cat foo.txt | chpasswd" and no, it won't work with "passwd"
> because that program makes sure you're not piping to it.  I'm truly
> not interested in PAM and NIS.  If I write this thing, it's going to
> lock and alter /etc/passwd and /etc/shadow and call it a day.  No root
> UID?  Whine & fail.  Frankly, I find PAM somewhat less than
> comprehensible.
> 
> I've found the "shadow" stuff and the CGIpaf and a few others.  These
> will provide reference material but not much else.  Is there a true
> chpasswd for Solaris?
> 
> I'm going to write the thing, amn't I?  Well, when I do, I'll post it
> here.  That'll do some good, right?

  As far as I know, we don't have chpasswd in OpenSolaris.  The
  PAM/passwd folks will definitely know--they will be listening in the
  Security community, if they aren't watching here.

  You can also submit a bug to the bug database, so that the whole
  community.  See

  http://bugs.opensolaris.org

  (You must be a registered user to submit a bug.)

  - Stephen

-- 
Stephen Hahn, PhD  Solaris Kernel Development, Sun Microsystems
stephen.hahn-xsfywfwIY+M@xxxxxxxxxxxxxxxx  http://blogs.sun.com/sch/

General Solaris 10 Discussion - chpasswd

chpasswd Jan 16, 2007 2:39 AM
	Hi All does sun have an equivalent to the chpasswd in linux?
mAbrante Posts:1,595 Registered: 8/19/05	Re: chpasswd Jan 16, 2007 3:26 AM (reply 1 of 6)
	Not as such (at least not that i know of). But its probably an quite easy script to write. As an alternative you can edit the /etc/passwd file manually or use usermod. .7/M.
samscreen Posts:6 Registered: 2/13/05	Re: chpasswd Jan 17, 2007 12:43 AM (reply 2 of 6)
	yip but with chpasswd you can use excel to import all the users names then put in a password and copy down for the 1000 users and run it through the command and all the passwords are changed. really great when you are installing a system and have setup the users now have to setup a specific password for the users.
mAbrante Posts:1,595 Registered: 8/19/05	Re: chpasswd Jan 17, 2007 5:49 AM (reply 3 of 6)
	Can't you just copy the passwd/shadow files from another system in that case? Or implement a namingservice. .7/M.
alan.pae Posts:540 Registered: 9/6/06	Re: chpasswd Jan 17, 2007 1:50 PM (reply 4 of 6)
	what does chpasswd do said the non lnux person. alan
mAbrante Posts:1,595 Registered: 8/19/05	Re: chpasswd Jan 18, 2007 6:44 AM (reply 5 of 6)
	Relevant question. A person i know who have a linux box sent me the following extract from the manpage. NAME chpasswd - update password file in batch SYNOPSIS chpasswd [-e] DESCRIPTION chpasswd reads a file of user name and password pairs from standard input and uses this information to update a group of existing users. Without the -e switch, the passwords are expected to be cleartext. With the -e switch, the passwords are expected to be in encrypted form. Each line is of the format user_name:password The named user must exist. The supplied password will be encrypted as necessary, and the password age updated, if present. This command is intended to be used in a large system environment where many accounts are created at a single time. .7/M.
alan.pae Posts:540 Registered: 9/6/06	Re: chpasswd Jan 18, 2007 1:13 PM (reply 6 of 6)
	I've never heard of anything like this for Solaris. Even a naming service doesn't fit the bill as they still require you to enter the passwords, clear text, by hand, and then they are converted to some hash. You could try compiling chpasswd on Solaris, or if it's a script file, you could just try running the script. A test box would be great for this endeavor. If not, then it sounds like you could write some code that parses a file and feeds the information to the passwd command. You could search around on O'Reilly's Code Zoo or Google has something to similar to that nowadays. Looks like you're going to need a coder for this one. alan

Purpose

Changes password for users.

Syntax

chpasswd [ -R load_module ] [ -e ] [ -f flags | -c ]

Description

The chpasswd command administers users' passwords. The root user can supply or change users' passwords specified through standard input. Each line of input must be of the following format.

username:password

Only root users can set passwords with this command.

By default, the chpasswd command sets the ADMCHG flag for the users. The -f option may be used with other valid flags to override the default. The -c option clears all password flags.

The password field can be cleartext or a value encrypted with the crypt algorithm. The -e option indicates that passwords are of encrypted format. Please note that all passwords in a batch must conform to the same format.

Flags

-c	Clears all password flags.
-e	Specifies that the passwords are of encrypted format.
-f `flags`	Specifies the comma separated list of password flags to set. Valid flag values are: ADMIN, ADMCHG, and/or NOCHECK. Refer to the pwdadm command documentation for details about these values.
-R `load_module`	Specifies the loadable I&A module used to change users' passwords.

Security

Access Control: Only root users should have execute (x) access to this command. The command should have the trusted computing base attribute.

Examples

To set passwords for users from the command line, type:
```
chpasswd
```
Followed by entering username:password pairs, one pair per line. Enter CTRL+D when finished.
```
user1:passwd1
user2:passwd2
CTRL+D
```
To set passwords for users contained in a file named mypwdfile, type the following:
```
cat mypwdfile | chpasswd
```
Note that mypwdfile must contain username:password pairs; one pair per line. For example:
```
user1:passwd1
user2:passwd2
...
```

Files

Mode	File	Description
	/etc/user/bin/chpasswd	Location of the chpasswd command.
rw	/etc/passwd
rw	/etc/security/passwd
r	/etc/security/user

#!/usr/local/bin/expect --
# wrapper to make passwd(1) be non-interactive
# username is passed as 1st arg, passwd as 2nd
# Executable only by root

set password [lindex $argv 1]
spawn /usr/bin/passwd [lindex $argv 0]
expect "password:"
send "$password\r"
expect "password:"
send "$password\r"
expect eof

But when I run it, it still prompted the line "Retype new Unix password".
How can I run it without the above line?

Pls. recommend me
Thank you so much

Have you looked at using usermod instead of passwd? Are you using passwd because this is a homework assignment?
man usermod

#!/bin/bash # Script to update user password in batch mode # You must be a root user to use this script # ------------------------------------------------------------------------- # Copyright (c) 2005 nixCraft project <http://cyberciti.biz/fb/> # This script is licensed under GNU GPL version 2.0 or above # ------------------------------------------------------------------------- # This script is part of nixCraft shell script collection (NSSC) # Visit http://bash.cyberciti.biz/ for more information. # ---------------------------------------------------------------------- # /root is good place to store clear text password FILE="/root/batch.passwd" # get all non-root user account # By default on most linux non-root uid starts # from 1000 USERS=$(awk -F: '{ if ( $3 >1000 ) print $1}' /etc/passwd) # create file with random password echo "Generating file, please wait..." # overwrite file >$FILE for u in $USERS do p=$(pwgen -1 -n 8) # create random password echo "$u:$p" >> $FILE # save USERNAME:PASSWORD pair done echo "" echo "Random password and username list stored in $FILE file" echo "Review $FILE file, once satisfied execute command: " echo "chpasswd < $FILE" # Uncomment following line if you want immediately update all users password, # be careful with this option, it is recommended that you review $FILE first # chpasswd < $FILE

Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Created: May 16, 1997; Last modified: November 08, 2008