topic Re: Changing multiple passwords in Operating System - HP-UX

Changing multiple passwords

Terrence — Wed, 23 Jan 2002 21:48:20 GMT

I need to batch change 500 passwords. I have the user id's and passwords in a spreadsheet, but my humble scripting abilities are for naught. (I'm fraught with naught). Suggestions?

Re: Changing multiple passwords

Rodney Hills — Wed, 23 Jan 2002 21:58:35 GMT

If you don't have a trusted system, then you can edit the /etc/passwd file directly.

I've attached a c program when given a password as an argument on the command line, will display the encrypted form suitable to be placed in /etc/passwd.

I would copy the list of userid's and passwords to a text file and use shell or perl to drive the "c" program and to do the necessary "editting" on /etc/passwd.

-- Rod Hills

Re: Changing multiple passwords

Sridhar Bhaskarla — Wed, 23 Jan 2002 22:31:38 GMT

Hi Terry,

You can use /usr/lbin/makekey to create encrypted passwords. For ex., if you want to create an encrypted word for the string "test1234", you would do it like this

echo "test1234te" |/usr/lbin/makekey

This will generate an encrypted word that can be used as the second field in the /etc/passwd file on non-trusted systems.

The last two characters "te" after the password test1234 are collectively called "salt". You need to pick a random salt for each user. Probably you can get it by taking the 2 and 3rd characters using the cut command.

You would use awk to get the user name and the regular password from your file, get the salt from the user name and encrypted password using makekey. Then you need to get the password line from /etc/passwd for the corresponding user and replace the second field with the encrypted password. You need to use a combination of awk and sed with it.

Hope this will give you some direction.

There is also another way. Use the software "expect". But that would be too much. You need to install it with dependencies and then write expect scripts. You can get expect from the HP's distribution site.

-Sri

Re: Changing multiple passwords

Sridhar Bhaskarla — Wed, 23 Jan 2002 22:35:39 GMT

...forgot one more thing.. make sure the string you supply to makekey is of 10 char length including salt. For ex., if your password is only of 6 char length say test12, then you would do the following,

echo "test12\0\0te" |/usr/lbin/makekey

-Sri

Re: Changing multiple passwords

Terrence — Thu, 24 Jan 2002 15:37:48 GMT

Thanks guys, but I was really looking for a piece of script that would automatically enter in each user id using the password command and then the script would feed in the password. Since I have the user accounts and passwords in a text file I wanted to automate what I usually do manually since there are so many.

Re: Changing multiple passwords

Steven Sim Kok Leong — Thu, 24 Jan 2002 15:52:04 GMT

Hi,

I believe Sridhar has already given you the solution
1) how to generate the encrypted password from the cleartext password
2) how to write a script to replace the password field in /etc/passwd ith the encrypted password.

Your script can go along ehse lines. Assuming a data file containing "userid:passwd" in each row and assuming that you are not using trusted HP-UX (which uses shadowed password file), then you can write something like this:

NOTE: This is off my head. You must use a sample passwd file to test this on.

======================================
#!/sbin/sh

uid=1000 # Starting uid
for line in `cat accounts.txt` # accounts.txt contains userid:passwd entries
do
user=`echo $line|cut -d: -f1`
passwd=`echo $line|cut -d: -f2`
encrypted=`echo $passwd|makekey # use Sridhar's method
if ! grep "^$user:" /etc/passwd
then
echo $user:$encrypted:$uid:20:$user account:/home/$user:/usr/bin/ksh >> /etc/passwd
uid=`expr $uid+1`
else
newline=`grep "^$user:" /etc/passwd | awk '{print $1":"$encrypted":"$2":"$3":"$4":"$5":"$6":"$7}'`
grep -v "^user:" > /tmp/passwd.tem
echo $newline >> /tmp/passwd.tem
mv -f /tmp/passwd.tem /etc/passwd
fi
done
======================================

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Changing multiple passwords

Sridhar Bhaskarla — Thu, 24 Jan 2002 16:17:09 GMT

Hi Terry,

You can use Steven's script. But there are few precautions to take. You need to use a salt to encrypt a password. The password should be of eight chars long if not you need to use the solution in my second post. Embed these lines in his script.

...
passwd=`echo $line|cut -d: -f2`
salt=`echo $passwd|cut -c 3-4`
encrypted=`echo "${passwd}${salt}" |/usr/lbin/makekey`
...

I wouldn't mv /tmp/passwd.tem to /etc/passwd through the script. Prepare /tmp/pass.tem. Copy /etc/passwd as /etc/passwd.sav. Edit /etc/passwd and delete all the users entries leaving the root and other system default entries. Then you can append /tmp/pass.tmp to /etc/passwd. If something is not working, you can always login as root and revert back to /etc/passwd.sav.

I would recommend to build the script on your own using the methods given in the forums. Because none of the scripts given in these forums are supported.

-Sri

Re: Changing multiple passwords

Terrence — Thu, 24 Jan 2002 16:41:55 GMT

Well if you're going to spell it out for me, even I can understand it. My only remaining concern is that the script increments the user id by 1, and assigns a new number. I'm changing passwords on existing accounts, so I don't necessarily need to assign new user id's (though I can it's not critical), but I do need to overwrite the existing entry in the password file with the new password. Sorry for my ignorance but the >> to the password file will overwrite the correct entry? These accounts are not contiguous and are a small subset of a password file with 4000 accounts.

Re: Changing multiple passwords

Steven Sim Kok Leong — Thu, 24 Jan 2002 16:49:16 GMT

Hi,

This else portion of the script takes care of that:

newline=`grep "^$user:" /etc/passwd | awk '{print $1":"$encrypted":"$2":"$3":"$4":"$5":"$6":"$7}'` # creates a line containing the original fields but with the encrypted password substituted
grep -v "^user:" > /tmp/passwd.tem # creates a temporary passwd file with all existing entries except the line containing the user to be modified
echo $newline >> /tmp/passwd.tem # inserts the line containing the original fields but with the encrypted password substituted into the temporary password file
mv -f /tmp/passwd.tem /etc/passwd # overwrites the actual password file with the temporary password file

uids need not be in numerically ascending order in the password file.

As Sridhar has pointed out, it is safer for you to create a passwd.sav, check through all the entries generated in it, make a backup of the existing /etc/passwd before overwriting it with a copy from passwd.sav.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Changing multiple passwords

Terrence — Thu, 24 Jan 2002 17:30:25 GMT

Brilliant! I completely misread the else statement, I thought it was a fail-safe in case the account didn't already exist. Thanks for all the help, you guys just saved me from carpal tunnel.

Re: Changing multiple passwords

Sridhar Bhaskarla — Thu, 24 Jan 2002 17:38:24 GMT

Re: Changing multiple passwords

Rod McLean — Fri, 24 May 2002 07:52:19 GMT

Terry,

If you're on a trusted system using HP-UX 11 you can use the command:
/usr/sam/lbin/usermod.sam -p`echo "aaaa1111te" |/usr/lbin/makekey` smithj
to set the password for smithj to aaaa1111. This is probably safer than fiddling /etc/passwd directly even for a non trusted system

Rod