Script to change password on linux servers over ssh
Solution 1
The remote machine(s) do not need expect installed. You can install expect on a local workstation or VM (VirtualBox) or whichever *nix box, and write a wrapper that calls this .ex (expect) script (there may be small changes from distro to distro; this was tested on CentOS 5/6):
#!/usr/bin/expect -f
# wrapper to make passwd(1) be non-interactive
# args: username, current password, server, new password
set username    [lindex $argv 0]
set password    [lindex $argv 1]
set serverid    [lindex $argv 2]
set newpassword [lindex $argv 3]
set timeout 20
# log in as the given user and run passwd on the remote host
spawn ssh $username@$serverid passwd
# First prompt: either ssh's login password prompt (answer it and keep
# waiting) or, when key-based auth is set up, passwd's request for the
# current password. "UNIX password:" is listed first so it wins when
# both patterns would match the same prompt.
expect {
    "UNIX password:" { send "$password\r" }
    "assword:"       { send "$password\r"; exp_continue }
}
# "New password:" followed by "Retype new password:"
expect "password:"
send "$newpassword\r"
expect "password:"
send "$newpassword\r"
expect eof
# return the remote passwd exit status to the caller
catch wait result
exit [lindex $result 3]
Solution 2
You do not need root access to use passwd. This should work just fine:
passwd <<EOF
old password
new password
new password
EOF
Solution 3
You should try pssh (parallel ssh, which runs the command on all hosts at the same time).
# one user@host per line; the same file is passed to pssh -h below
cat > ~/pssh-hosts <<EOF
user100@host-foo
user200@host-bar
user848@host-qux
EOF
# passwd reads current, new, new from stdin on the remote side
pssh -h ~/pssh-hosts 'printf "%s\n" old_pass new_pass new_pass | passwd'
Solution 4
Building on squashbuff's example, I tried the following, which worked well for me:
#!/bin/bash
# change the password on every host listed in ./hostlist (one host per line);
# ssh -n keeps ssh from reading the host list as its own stdin
while IFS= read -r server; do
    echo "$server"
    ssh -n "username@$server" 'passwd <<EOF
old_password
new_password
new_password
EOF'
done < hostlist
Security-wise, this could be improved to take input without echoing it to the screen or saving the plaintext to disk.
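Putting Solutions 2 and 4 together, here is an added example script (not from the thread or from any answerer) that reads the current and new password once without echoing them, checks them, and then runs passwd over ssh on every host in servers.txt. The three lines passwd wants are fed through ssh's stdin rather than embedded in the remote command line, so they never appear in argv (and therefore not in ps output on either side) or in a file. It assumes what Solution 2 assumes: that the remote passwd(1) accepts the three lines on stdin when no tty is present, and that key-based ssh login is already set up. The file name servers.txt, the hostfile argument and the SSH_CMD override are assumptions of this example.

```shell
#!/bin/bash
# Added example: rotate your own password on a list of hosts over ssh.
# Secrets are read with `read -s`, validated once, and passed to each
# remote passwd(1) via ssh's stdin only (never argv, never a temp file).
# Assumptions (not from the original thread): remote passwd reads the three
# lines from stdin without a tty; key-based ssh login works; servers.txt has
# one host (or user@host) per line.
set -u

# Build the three lines passwd(1) expects: current, new, new.
passwd_stdin() {
    printf '%s\n%s\n%s\n' "$1" "$2" "$2"
}

# Sanity checks before touching any server: non-empty, confirmed, changed.
validate_passwords() {
    local old=$1 new=$2 confirm=$3
    [ -n "$old" ] && [ -n "$new" ] || { echo "empty password" >&2; return 1; }
    [ "$new" = "$confirm" ] || { echo "new passwords do not match" >&2; return 1; }
    [ "$new" != "$old" ] || { echo "new password is the same as the old one" >&2; return 1; }
    return 0
}

# Run passwd on one host; the secrets travel only on ssh's stdin.
# SSH_CMD is an assumed hook so the piping can be exercised without a
# real server; it defaults to ssh. BatchMode=yes fails instead of
# prompting when no key is available, so a host never hangs the loop.
change_on_host() {
    local host=$1 old=$2 new=$3
    passwd_stdin "$old" "$new" | ${SSH_CMD:-ssh} -o BatchMode=yes "$host" passwd
}

main() {
    local hostfile=${1:-servers.txt} old new confirm host
    read -r -s -p 'Current password: ' old; echo
    read -r -s -p 'New password: ' new; echo
    read -r -s -p 'Retype new password: ' confirm; echo
    validate_passwords "$old" "$new" "$confirm" || exit 1
    # ssh's stdin is the pipe from passwd_stdin, so the loop's own stdin
    # (the host list) is not consumed by ssh.
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        echo "== $host"
        change_on_host "$host" "$old" "$new" || echo "FAILED: $host" >&2
    done < "$hostfile"
}

# Only run the interactive part when a host list is given on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as ./rotate-passwd.sh servers.txt. Hosts without a working key show up as FAILED rather than stalling the loop, and the only place the plaintext ever exists is in the shell's memory and the pipe to ssh.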
Solution 5
echo "name:password" | chpasswd
squashbuff
Updated on July 09, 2022
Comments
-
squashbuff almost 2 years
We have a number of Red Hat linux servers in our IT environment. I am being asked by my team members to write a script (preferably shell script) to change a user's password on each one of those in a single go, using SSH.
I have tried to find a solution but many of the scripts I found are using Expect. We do not have Expect installed on our servers and the system admins have refused to let us install it. Also, the users do not have root access so passwd --stdin or chpasswd cannot be used. Is there any way a script can be written so that a user can run it and change the password of only his own user on all the servers in a list?
-
squashbuff over 12 years
Thank you Dennis, as per your post, passwd works well once the user is logged on to the desired server. However, I have a list of servers stored in a file servers.txt and I would like to run a script, provide the old password and new password once, and then the script should change my password on all the servers in that list. Any ideas with that?
-
Dennis over 12 years
ssh user@server 'command to change password' does just that.
-
squashbuff over 12 years
Thank you, I already use the public/private keys for authentication but even with password-less authentication, when the password expires after 2 months (in my case), I still have to log on to each server, use 'passwd', type the old password and type the new password twice. This is a bit inefficient. That's why I am trying to put together this solution.
-
squashbuff over 12 years
Thanks, this could be a good solution, but again, we do not have pssh on our servers.... :(
-
phatfingers over 12 years
Excellent. That simplifies matters.
-
Gilles Quenot over 12 years
You can run this command on any distro, like an Android device, a laptop, your desktop. You just need to install it on the client side and just have ssh on the server side. I see no problem ;) You can iterate too for simple needs with a for loop: for i in foo bar base; do ssh "$i" "command line"; done
-
phatfingers over 12 years
You probably have sudo on these servers, right? If you give them sudo rights to a script to change their password, the script could run passwd for their account with the --stdin param.
-
squashbuff over 12 years
Yeah, tried all those things, but I was told that I cannot get sudo for 'passwd'. I have sudo for some other commands but not this one. System guys are draconian... :|
-
squashbuff over 12 years
Thank you Dennis, I have made an edit to my question showing what I have tried. It is still not there yet, but it's a good start. Thank you.. :)
-
squashbuff over 12 years
Interesting, I will definitely look into it. Thanks :)
-
Gilles Quenot over 12 years
If you feel that a reply is useful, you can "upvote" it. If it fits your needs, you should "accept" the reply; that's how stackoverflow works.
-
squashbuff over 12 years
Ok, sorry about that. I haven't participated in many questions here, so please bear with me :)
-
Gilles Quenot over 12 years
I know, that's why I tell you this, no worries ;)
-
squashbuff over 12 years
This could be useful for some people. It's the particular way in which the environment is set up that restricts me from using this solution. I cannot access these servers directly from my client machine. I have to log on to a jumphost which has port forwarding disabled. So the script needs to run on that jumphost, which has all these restrictions in place. Thanks for the info though.
-
salva over 12 years
@squashbuff: I am currently working on another Perl module, Net::OpenSSH::Gateway, that allows Net::OpenSSH to jump over gateways transparently, but it is still a work in progress.
-
squashbuff almost 12 years
Thanks Edward, however the infrastructure management has been outsourced and I do not have any say in making those decisions. I have to make this work without making big infrastructure changes. That is not an option.
-
Cristian Ciupitu about 10 years
There's no -p option for passwd-0.77-4.el6 (Enterprise Linux 6) or passwd-0.79-2.fc20 (Fedora 20).
-
Cristian Ciupitu about 10 years
The question mentions that chpasswd cannot be used.
-
Cristian Ciupitu about 10 years
Won't the passwords be visible if someone runs ps?
-
Dennis about 10 years
@CristianCiupitu: The question mentions that passwd --stdin can't be used because the users don't have root access. My answer explains that this premise is false; root access is not required.
-
Matt about 10 years
Take a look at the 'usermod' program... on CentOS (clone of RHEL) 5.x and 6.x, it supports the -p option. I edited my response to include more detail.
-
Lizz over 9 years
Did you ever find a way to avoid typing your old password once for each server?
-
squashbuff over 9 years
@Lizz I ended up using expect. Not the ideal solution in terms of security but something had to be done quickly. Check out the accepted answer by Randy Katz.
-
Loren about 9 years
Using this code, you would want to save it as something like ./passwdWrapper and then in your bash file add ./passwdWrap $user $password $server $newpassword
-
squashbuff almost 9 years
I am working in the present environment with restrictions already in place. I am not a domain admin and I don't have a say in the architectural changes required to make your solution work. I am putting a solution together for end users like myself working in the same restrictive environment.
-
lobi about 8 years
Worked great for me. Just to clarify: you must escape ALL $ characters in your encrypted_passwd, not only the first.
-
squashbuff over 7 years
As mentioned in the question, users do not have root access. So 'sudo chpasswd' cannot be used. To be honest, if the sysadmin allows users to run 'sudo chpasswd' then it's a big security issue in my opinion.
-
Conrad almost 5 years
If it's the first time you connect to this server you might be prompted to verify the fingerprint; to get around this, update line 10 from
spawn ssh $serverid passwd
to
spawn ssh -o "StrictHostKeyChecking no" $serverid passwd