
Automate remote password changes with BASH and ‘Expect’


I think this topic has been covered, in varying levels, by many people on the internet. Still, I felt like I was bashing my head against the wall trying to figure this out. To prevent head trauma to some other sys admins, I thought I’d post this.

First, some assumptions. Let’s assume you’re a sysadmin, working mainly in a LAMP environment (or at least Linux and MySQL). Let’s also assume you have a reasonable number of hosts, between 5 and 50. You don’t really have the right scale to warrant setting up RADIUS or TACACS authentication systems, but it is a real pain in the ass to reset passwords on a regular basis. Last, let’s assume that for some good reason, you use the same password across many machines, both for the OS and DB authentication. To change all of those passwords, you would have to SSH into each box, run a couple password change commands, and exit each host.

Using BASH and ‘Expect,’ I’ve automated that process. For my experiment, I assumed that I wanted to change OS passwords for users root, oracle, and asm, and DB passwords for root and oracle. I provide the list of hosts to be updated in a control file titled ‘password_change_list’. There is a single shell script, ‘change_password’ (to invoke it, just cd to the appropriate directory and type ./change_password). Instead of taking a bunch of screenshots, I’ve included a quick screen capture of the script in action!

In the demo, I show the contents of the password_change_list control file, which holds 2 hosts – localhost and my dev box. Add more hosts to this file as necessary. I start the script, which first asks you to confirm that you have updated the control file. Next it asks for the current password, and then for the new password. The script then SSHes to the first host, runs the password change commands, and exits. It then loops and SSHes to the next host, and so on (in the demo, you’ll see it fail to log on to my dev box via SSH because of an incorrect password). Now, since we’re entering passwords on the command line and logging the session, the passwords will be in clear text in the log. To address that, the script asks at the end whether you want to obfuscate all of the clear-text passwords in the log. If you choose no, it warns you again that the passwords are in clear text. Alternatively, if you leave clear-text passwords in the log file, you can later run the ‘obfuscate_passwords’ script, provide the new password, and it will replace every instance of that password with asterisks.

Files can be downloaded here (it’s a tar file with no extension).

Obviously, the script will need some tweaking to suit your purpose, but I hope this helps you get started.
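The flow described above, written out as an added example; this is not the post's change_password tarball or the author's code. It is a POSIX shell driver that reads password_change_list, prompts for the current and new password without echoing them, generates the Expect program, runs it once per host, and then scrubs both passwords from the log (the post's obfuscate_passwords only mentions the new one). Assumptions: the file and directory names from the post, the accounts root, oracle and asm, that ssh and expect are on PATH, the Ubuntu passwd prompt wording shown in the comments' log, and the environment variable names CUR_PW, NEW_PW, LOG_FILE and RUN_CHANGE_PASSWORD, which are invented here. It also creates the log directory up front, which is the failure reported in the comments.

```shell
#!/bin/sh
# Added example, not the post's change_password script: control file ->
# passwords prompted without echo -> one Expect session per host -> log scrub.
# Assumed names: password_change_list, /var/log/change_password, accounts
# root/oracle/asm, and the CUR_PW/NEW_PW/LOG_FILE environment variables.

LIST=${LIST:-password_change_list}
LOG_DIR=${LOG_DIR:-/var/log/change_password}

# One host per line; blank lines and # comments are ignored, and only the
# first field counts so entries can be annotated.
read_host_list() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{ print $1 }'
}

count_hosts() {
    read_host_list "$1" | wc -l | tr -d ' '
}

# Prompt without echo (stty rather than bash's read -s, to stay POSIX);
# the prompt goes to stderr so the secret is the only thing on stdout.
read_secret() {
    printf '%s' "$1" >&2
    stty -echo; read -r reply; stty echo
    printf '\n' >&2
    printf '%s' "$reply"
}

# Escape ] [ \ . * ^ $ / so a password such as "p.a*s/w[d" is matched
# literally when used inside a sed s/.../.../ command.
escape_for_sed() {
    printf '%s' "$1" | sed -e 's|[][\.*^$/]|\\&|g'
}

# Replace every occurrence of a password in the log with asterisks.
# Goes through a temp file so it works with both GNU and BSD sed.
obfuscate_log() {
    log=$1
    pattern=$(escape_for_sed "$2")
    sed "s/$pattern/********/g" "$log" > "$log.tmp" && mv "$log.tmp" "$log"
}

# The Expect program for one host. Passwords arrive via the environment,
# not argv, so they are not visible in `ps`. StrictHostKeyChecking=yes
# refuses unknown hosts rather than trusting whatever answers on port 22.
expect_program() {
    cat <<'EOF'
set timeout 20
set host [lindex $argv 0]
set accounts [lrange $argv 1 end]
set cur $env(CUR_PW)
set new $env(NEW_PW)
log_file -a $env(LOG_FILE)
expect_after {
    timeout { send_user "---------- timeout talking to $host\n"; exit 2 }
    eof     { send_user "---------- connection to $host dropped\n"; exit 2 }
}
spawn ssh -o StrictHostKeyChecking=yes root@$host
expect "assword:" { send -- "$cur\r" }
expect {
    "Permission denied" { send_user "---------- login failed on $host\n"; exit 3 }
    -re {[#$] $} {}
}
foreach acct $accounts {
    send -- "passwd $acct\r"
    expect "new UNIX password:" { send -- "$new\r" }
    expect "new UNIX password:" { send -- "$new\r" }
    expect {
        "updated successfully" { expect -re {[#$] $} }
        -re {[#$] $} { send_user "---------- passwd $acct on $host not confirmed\n"; exit 4 }
    }
}
send -- "exit\r"
expect eof
send_user "---------- No errors while changing passwords on $host\n"
EOF
}

main() {
    umask 077                   # session transcripts are owner-readable only
    mkdir -p "$LOG_DIR"         # avoids the "no such file or directory" failure
    log_file="$LOG_DIR/$(date +%Y-%m-%d-%H:%M:%S).log"
    cur=$(read_secret 'Current password: ')
    new=$(read_secret 'New password: ')
    echo "---------- Changing passwords on $(count_hosts "$LIST") servers..."
    script=$(mktemp) && expect_program > "$script"
    for host in $(read_host_list "$LIST"); do
        echo "---------- Attempting to connect to server $host..."
        CUR_PW="$cur" NEW_PW="$new" LOG_FILE="$log_file" \
            expect -f "$script" "$host" root oracle asm \
            || echo "---------- FAILED on $host, see $log_file"
    done
    rm -f "$script"
    obfuscate_log "$log_file" "$new"    # unconditional here; the post asks Y/N
    obfuscate_log "$log_file" "$cur"
    echo "*************** Log can be found at $log_file"
}

# Only start the rotation when asked, so the file can also be sourced.
if [ "${RUN_CHANGE_PASSWORD:-0}" = 1 ]; then
    main
fi
```

Run it with `RUN_CHANGE_PASSWORD=1 ./change_password` from the directory holding the control file. Two design points worth noting: the passwords are handed to expect through the environment instead of as arguments because argv of every process is world-readable on a typical Linux box, and the sed escaping in escape_for_sed matters because a password containing `.` or `*` would otherwise be treated as a wildcard and scrub the wrong text. As the comment thread below observes, sshd and passwd switch off terminal echo, so typed passwords do not normally land in the transcript; the scrub is the safeguard for commands that do echo them, such as the Oracle credential changes the author mentions in his reply.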

  1. shweta
    November 5, 2013 at 03:39

    Hi, your demo seems to suit my test environment exactly. I am a newbie in bash scripts, so I thought I would like to try running your script in my env and tweak it accordingly. However, your download link doesn't work. Could you please check if the path is correct?
    Thanks

  2. shweta
    November 7, 2013 at 02:01

    Hi Alex,
    The script works fine for the changing password part; however, some modification needs to be done in the logging part.
    You have assumed that the change_password log directory exists:

    #set log_file variable; logs will be stored under /var/log/change_password/day-and-time-run.log
    log_file="/var/log/change_password/$timestamp.log"

    In my case, when the directory was not present by default, the script gives the following:

    —————————————xxx———————————————————————-
    root@shweta:# ./change_password
    ———- Welcome to the Password Change Script. Have you edited the password_change_list file? (Y or N):Y
    ———- Enter the CURRENT password and press [Enter] NOTE – The password must be the same for all user account on all servers and databases to work correctly
    ———- Current Password:xyzabc
    ——– Enter the user name for which password needs to be changed and press [Enter]
    ——– Username:root
    ———- Enter a NEW password to be applied to all accounts (OS, DB, RMAN) and press [Enter]
    ———- New Password:abcxyz
    ———- Changing passwords on 1 servers…
    ———- Do not kill the process/command until you see the ‘Goodbye’ message – you will see several ssh connections and password updated successfully messages. Starting in 3 seconds…
    ———- Attempting to connect to server x.x.x.x (1 of 1 servers) and reset password for all accounts…
    couldn’t open “/var/log/change_password/2013-11-07-16:27:20.log”: no such file or directory
    while executing
    “log_file “/var/log/change_password/2013-11-07-16:27:20.log””

    ———- Finished with x.x.x.x!
    ———- Complete! Do you want to clear clear-text passwords from the log files? (Y or N):N
    ———- Log file unmodified. CAUTION – your new password is stored in clear-text the log files!
    *************** Script has completed
    *************** Log can be found at /var/log/change_password/2013-11-07-16:27:20.log
    *************** GOODBYE

    ——————————————-xxx——————————————————————-

    So,
    The expect function didn't work, as the expect part of the script stopped at not being able to create the log; however, the finishing part prompts for password cleanup and suggests the logfile when no such file exists.

    1. I have corrected this by adding a line to create a separate log directory
    as
    mkdir /var/log/change_password;

    The script works fine for the expect part and changes the password in the remote server.

    However, I am confused by the obfuscate password part:
    below is my logfile

    ———————————————xxxx————————————————————–
    spawn ssh root@x.x.x.x
    Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic x86_64)

    * Documentation: https://help.ubuntu.com/

    System information as of Thu Nov 7 16:30:21 JST 2013

    System load: 0.1 Processes: 234
    Usage of /: 91.3% of 182.92GB Users logged in: 1
    Memory usage: 82% IP address for virbr0: 192.168.122.1
    Swap usage: 0% IP address for br0: 10.129.0.184

    => / is using 91.3% of 182.92GB

    Graph this data and manage this system at https://landscape.canonical.com/

    181 packages can be updated.
    88 updates are security updates.

    Last login: Thu Nov 7 16:24:11 2013 from 10.129.x.x^M
    ESC]0;root@ubuntu: ~^Groot@ubuntu:~# passwd root
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
    ESC]0;root@ubuntu: ~^Groot@ubuntu:~#
    ———- No errors while changing passwords on x.x.x.x
    (END)

    ———————————————xxxx————————————————————–
    As you can see, my log file doesn't contain the clear text password at all, as it is just logging the stdout part. So I wanted to know if the obfuscate part is even needed or not.
    Is this the normal log we are supposed to get?

    Thanks
    Shweta

    • November 20, 2013 at 18:22

      Hey shweta –

      I re-purposed this script from a different use case, where I was actually resetting Oracle DB credentials that did show up in the log file. If you are not seeing your password string show up anywhere in the log file, feel free to get rid of the obfuscation functionality.

      Again, thanks for the comment, always appreciate the feedback.

      Alex
