Script to change password on linux servers over ssh


Solution 1

The remote machine(s) do not need expect installed. You can install expect on a local workstation or VM (virtualbox) or whichever *nix box, and write a wrapper that calls this .ex (expect) script (there may be small changes from distro to distro; this was tested on CentOS 5/6):

#!/usr/bin/expect -f
# wrapper to make passwd(1) non-interactive over ssh
# args: 1 = username, 2 = current password, 3 = server (host or user@host),
#       4 = new password

set username    [lindex $argv 0]
set password    [lindex $argv 1]
set serverid    [lindex $argv 2]
set newpassword [lindex $argv 3]

# run passwd on the remote host; ssh asks for the login password first
# (username is taken from the wrapper's argument list; the login name
# ssh actually uses comes from serverid, e.g. user@host)
spawn ssh $serverid passwd
expect "assword:"
send "$password\r"
# passwd then asks for the current password ("(current) UNIX password:")
expect "UNIX password:"
send "$password\r"
# and for the new password, twice
expect "password:"
send "$newpassword\r"
expect "password:"
send "$newpassword\r"
expect eof

Solution 2

You do not need root access to use passwd.

This should work just fine.

passwd <<EOF
old password
new password
new password
EOF

Solution 3

You should try pssh (parallel ssh).

# one user@host per line
cat > ~/pssh-hosts <<EOF
user100@host-foo
user200@host-bar
user848@host-qux
EOF

# run the same passwd invocation on every host in the list
pssh -h ~/pssh-hosts 'printf "%s\n" old_pass new_pass new_pass | passwd'

Solution 4

Building on squashbuff's example, I tried the following, which worked well for me:

#!/bin/bash
# change the password of the same user on every host listed in hostlist
# (one host per line)
while read -r server; do
    echo "$server"
    # -n keeps ssh from reading the rest of hostlist as its stdin;
    # passwd gets its three answers from the here-document in the remote command
    ssh -n "username@$server" 'passwd <<EOF
old_password
new_password
new_password
EOF'
done < hostlist

Security-wise, this could be improved to take input without echoing it to the screen or saving the plaintext to disk.
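The following script is an added example, not code posted by squashbuff or any other answerer. It takes the here-document idea of Solutions 2 and 4 one step further: the passwords are read once without echo, kept only in shell variables, and handed to the remote passwd through ssh's stdin. That last point matters on a shared jump host: with `ssh host 'passwd <<EOF ... EOF'` the whole remote command, passwords included, is an argument of the local ssh process and is visible to anyone running `ps`, whereas a pipe into ssh is not. It assumes key-based ssh login (as the question describes), a host list with one `user@host` per line, and that the remote passwd reads its answers from stdin when no tty is attached, which is what Solutions 2 and 4 report; the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example: change your own password on every host in a list over ssh,
# reading both passwords once without echo and never putting them on a
# command line or in a file. Assumptions: key-based ssh login, hostlist of
# user@host lines, and a remote passwd(1) that reads its answers from stdin
# when no tty is attached.
set -eu

# Read a host list from stdin (one user@host per line) and print the hosts.
# Blank lines and '#' comments are skipped; surrounding whitespace is trimmed.
read_hosts() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                          # drop comments
        line="${line#"${line%%[![:space:]]*}"}"     # trim leading whitespace
        line="${line%"${line##*[![:space:]]}"}"     # trim trailing whitespace
        if [ -n "$line" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# The three answers passwd(1) asks for: current password, new password, repeat.
passwd_stdin() {
    printf '%s\n' "$1" "$2" "$2"
}

# Run passwd on one host, feeding the answers through ssh's stdin (a pipe,
# not an argument, so they never show up in ps on the jump host).
# BatchMode=yes makes ssh fail instead of hanging on a prompt if key
# authentication is not set up for that host.
change_on_host() {
    local target=$1 old=$2 new=$3
    passwd_stdin "$old" "$new" | ssh -o BatchMode=yes "$target" passwd
}

main() {
    local hostfile=${1:?usage: $0 hostlist}
    local hosts old new again target out failed=0

    hosts=$(read_hosts < "$hostfile")
    [ -n "$hosts" ] || { echo "no hosts found in $hostfile" >&2; return 1; }

    # -s: no echo; the passwords live only in this shell's memory
    read -rs -p 'Current password: ' old; echo
    read -rs -p 'New password: ' new; echo
    read -rs -p 'Retype new password: ' again; echo
    [ "$new" = "$again" ] || { echo 'new passwords do not match' >&2; return 1; }

    for target in $hosts; do
        if out=$(change_on_host "$target" "$old" "$new" 2>&1); then
            echo "$target: password changed"
        else
            printf '%s: FAILED\n%s\n' "$target" "$out" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Only act when a host list is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `./chpass-all.sh hostlist`. A host on which passwd rejects the change (wrong current password, policy failure, missing key) is reported with passwd's own message and the loop continues with the next host, so one bad entry does not leave the rest untouched.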

Solution 5

echo "name:password" | chpasswd
Author: squashbuff

Updated on July 09, 2022

Comments

  • squashbuff
    squashbuff almost 2 years

    We have a number of Red Hat linux servers in our IT environment. I am being asked by my team members to write a script (preferably shell script) to change a user's password on each one of those in a single go, using SSH.

    I have tried to find a solution but many of the scripts I found are using Expect. We do not have Expect installed on our servers and the system admins have refused to let us install it. Also, the users do not have root access so passwd --stdin or chpasswd cannot be used.

    Is there any way a script can be written so that a user can run it and change the password of only his own user on all the servers in a list?

  • squashbuff
    squashbuff over 12 years
    Thank you Dennis, as per your post, passwd works well once the user is logged on the desired server. However, I have a list of servers stored in a file servers.txt and I would like to run a script, provide old password and new password once, and then the script should change my password on all the servers in that list. Any ideas with that?
  • Dennis
    Dennis over 12 years
    ssh user@server 'command to change password' does just that.
  • squashbuff
    squashbuff over 12 years
    Thank you, I already use the public/private keys for authentication but even with password-less authentication, when the password expires after 2 months (in my case), I still have to log on to each server, use 'passwd', type old password and type new password twice. This is a bit inefficient. That's why I am trying to put together this solution.
  • squashbuff
    squashbuff over 12 years
    Thanks, this could be a good solution, but again, we do not have pssh on our servers.... :(
  • phatfingers
    phatfingers over 12 years
    Excellent. That simplifies matters.
  • Gilles Quenot
    Gilles Quenot over 12 years
    You can run this command on any distro like an Android device, a laptop, your desktop. You just need to install it on client side and just have ssh as server side. I see no problem ;) You can iterate too for simple need with a for loop : for i in foo bar base; do ssh "$i" "command line"; done
  • phatfingers
    phatfingers over 12 years
    You probably have sudo on these servers, right? If you give them sudo rights to a script to change their password, the script could run passwd for their account with the --stdin param.
  • squashbuff
    squashbuff over 12 years
    yeah, tried all those things, but I was told that I cannot get sudo for 'passwd'. I have sudo for some other commands but not this one. System guys are draconian... :|
  • squashbuff
    squashbuff over 12 years
    Thank you Dennis, I have made an edit to my question showing what I have tried. It is still not there yet, but it's a good start. Thank you.. :)
  • squashbuff
    squashbuff over 12 years
    Interesting, I will definitely look into it. Thanks :)
  • Gilles Quenot
    Gilles Quenot over 12 years
    If you feel that reply is useful, you can "upvote" it. If it fits your needs, you should "accept" the reply, that's how stackoverflow works.
  • squashbuff
    squashbuff over 12 years
    ok, sorry about that. I haven't participated in many questions here, so please bear with me :)
  • Gilles Quenot
    Gilles Quenot over 12 years
    I know, that's why I tell you this, no worries ;)
  • squashbuff
    squashbuff over 12 years
    This could be useful for some people. It's the particular way in which the environment is set up that restricts me from using this solution. I cannot access these servers directly from my client machine. I have to log on to a jumphost which has port forwarding disabled. So the script needs to run on that jumphost, which has all these restrictions in place. Thanks for the info though.
  • salva
    salva over 12 years
    @squashbuff: I am currently working on another Perl module Net::OpenSSH::Gateway that allows Net::OpenSSH to jump over gateways transparently, but it is still a work in progress.
  • squashbuff
    squashbuff almost 12 years
    Thanks Edward, however the infrastructure management has been outsourced and I do not have any say in making those decisions. I have to make this work without making big infrastructure changes. That is not an option.
  • Cristian Ciupitu
    Cristian Ciupitu about 10 years
    There's no -p option for passwd-0.77-4.el6 (Enterprise Linux 6) or passwd-0.79-2.fc20 (Fedora 20).
  • Cristian Ciupitu
    Cristian Ciupitu about 10 years
    The question mentions that chpasswd cannot be used.
  • Cristian Ciupitu
    Cristian Ciupitu about 10 years
    Won't the passwords be visible if someone runs ps?
  • Dennis
    Dennis about 10 years
    @CristianCiupitu: The questions mentions that passwd --stdin can't be used because the users don't have root access. My answer explains that this premise is false; root access is not required.
  • Matt
    Matt about 10 years
    Take a look at the 'usermod' program... on CentOS (clone of RHEL) 5.x and 6.x, it supports the -p option. I edited my response to include more detail.
  • Lizz
    Lizz over 9 years
    Did you ever find a way to avoid typing your old password once for each server?
  • squashbuff
    squashbuff over 9 years
    @Lizz I ended up using expect. Not the ideal solution in terms of security but something had to be done quickly. Check out the accepted answer by Randy Katz.
  • Loren
    Loren about 9 years
    Using this code, you would want to make this code something like ./passwdWrapper and then in your bash file add ./passwdWrap $user $password $server $newpassword
  • squashbuff
    squashbuff almost 9 years
    I am working in the present environment with restrictions already in place. I am not a domain admin and I don't have a say in the architectural changes required to make your solution work. I am putting a solution together for end users like myself working in the same restrictive environment.
  • lobi
    lobi about 8 years
    Worked great for me. Just to clarify: you must escape ALL $ characters in your encrypted_passwd, not only the first.
  • squashbuff
    squashbuff over 7 years
    As mentioned in the question, users do not have root access. So 'sudo chpasswd' cannot be used. To be honest, if the sysadmin allows users to run 'sudo chpasswd' then it's a big security issue in my opinion.
  • Conrad
    Conrad almost 5 years
    If it's the first time you connect to this server you might be prompted to verify the fingerprint, to get around this update line 10 from spawn ssh $serverid passwd to spawn ssh -o "StrictHostKeyChecking no" $serverid passwd