Operating System - HP-UX

Changing multiple passwords

 
Terrence
Regular Advisor

Changing multiple passwords

I need to batch change 500 passwords. I have the user id's and passwords in a spreadsheet, but my humble scripting abilities are for naught. (I'm fraught with naught). Suggestions?
Rodney Hills
Honored Contributor

Re: Changing multiple passwords

If you don't have a trusted system, then you can edit the /etc/passwd file directly.

I've attached a C program that, when given a password as an argument on the command line, will display the encrypted form suitable to be placed in /etc/passwd.

I would copy the list of userids and passwords to a text file and use shell or perl to drive the C program and to do the necessary editing on /etc/passwd.

-- Rod Hills
There be dragons...
Sridhar Bhaskarla
Honored Contributor

Re: Changing multiple passwords

Hi Terry,

You can use /usr/lbin/makekey to create encrypted passwords. For ex., if you want to create an encrypted word for the string "test1234", you would do it like this

echo "test1234te" |/usr/lbin/makekey

This will generate an encrypted word that can be used as the second field in the /etc/passwd file on non-trusted systems.

The last two characters "te" after the password test1234 are collectively called "salt". You need to pick a random salt for each user. Probably you can get it by taking the 2nd and 3rd characters using the cut command.

You would use awk to get the user name and the regular password from your file, get the salt from the user name and encrypted password using makekey. Then you need to get the password line from /etc/passwd for the corresponding user and replace the second field with the encrypted password. You need to use a combination of awk and sed with it.

Hope this will give you some direction.

There is also another way. Use the software "expect". But that would be too much. You need to install it with dependencies and then write expect scripts. You can get expect from HP's distribution site.


-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Sridhar Bhaskarla
Honored Contributor

Re: Changing multiple passwords

...forgot one more thing.. make sure the string you supply to makekey is of 10 char length including salt. For ex., if your password is only of 6 char length say test12, then you would do the following,

echo "test12\0\0te" |/usr/lbin/makekey


-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Terrence
Regular Advisor

Re: Changing multiple passwords

Thanks guys, but I was really looking for a piece of script that would automatically enter in each user id using the password command and then the script would feed in the password. Since I have the user accounts and passwords in a text file I wanted to automate what I usually do manually since there are so many.
Steven Sim Kok Leong
Honored Contributor
Solution

Re: Changing multiple passwords

Hi,

I believe Sridhar has already given you the solution
1) how to generate the encrypted password from the cleartext password
2) how to write a script to replace the password field in /etc/passwd with the encrypted password.

Your script can go along these lines. Assuming a data file containing "userid:passwd" in each row and assuming that you are not using trusted HP-UX (which uses shadowed password file), then you can write something like this:

NOTE: This is off my head. You must use a sample passwd file to test this on.

======================================
#!/sbin/sh

uid=1000 # Starting uid
for line in `cat accounts.txt` # accounts.txt contains userid:passwd entries
do
user=`echo $line|cut -d: -f1`
passwd=`echo $line|cut -d: -f2`
encrypted=`echo $passwd|/usr/lbin/makekey` # use Sridhar's method
if ! grep "^$user:" /etc/passwd > /dev/null
then
# no existing entry: append a new account line
echo "$user:$encrypted:$uid:20:$user account:/home/$user:/usr/bin/ksh" >> /etc/passwd
uid=`expr $uid + 1`
else
# existing entry: keep every field except the password (field 2)
newline=`grep "^$user:" /etc/passwd | awk -F: -v enc="$encrypted" '{print $1":"enc":"$3":"$4":"$5":"$6":"$7}'`
grep -v "^$user:" /etc/passwd > /tmp/passwd.tem
echo "$newline" >> /tmp/passwd.tem
mv -f /tmp/passwd.tem /etc/passwd
fi
done
======================================

Hope this helps. Regards.

Steven Sim Kok Leong
Sridhar Bhaskarla
Honored Contributor

Re: Changing multiple passwords

Hi Terry,

You can use Steven's script. But there are a few precautions to take. You need to use a salt to encrypt a password. The password should be eight chars long; if not, you need to use the solution in my second post. Embed these lines in his script.

...
passwd=`echo $line|cut -d: -f2`
salt=`echo $passwd|cut -c 3-4`
encrypted=`echo "${passwd}${salt}" |/usr/lbin/makekey`
...



I wouldn't mv /tmp/passwd.tem to /etc/passwd through the script. Prepare /tmp/pass.tem. Copy /etc/passwd as /etc/passwd.sav. Edit /etc/passwd and delete all the users entries leaving the root and other system default entries. Then you can append /tmp/pass.tmp to /etc/passwd. If something is not working, you can always login as root and revert back to /etc/passwd.sav.

I would recommend building the script on your own using the methods given in the forums, because none of the scripts given in these forums are supported.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
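
Added example, not part of any post in this thread: a shell version of the precautions above that builds a candidate file for review instead of moving a temp file over /etc/passwd, and replaces field 2 in place so entry order is preserved. It also draws the salt at random, because a traditional crypt(3) hash begins with its two salt characters, so a salt cut from the password would store those characters in clear. The function names, the placeholder hashes, and the availability of /dev/urandom and `mktemp -d` are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a candidate passwd file for review; /etc/passwd is never written.
umask 077    # the candidate contains password hashes

# Two random characters from the crypt(3) salt alphabet, read from
# /dev/urandom (assumed available) rather than taken from the password.
random_salt() {
    alphabet='./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    for n in $(od -An -N2 -tu1 /dev/urandom); do
        printf '%s' "$alphabet" | cut -c "$(( n % 64 + 1 ))" | tr -d '\n'
    done
    echo
}

# build_candidate PASSWD_FILE HASH_FILE OUT_FILE
# HASH_FILE holds "user:hash" lines. Field 2 of each matching entry is replaced
# in place, so line order and every other field are preserved. Returns non-zero
# if an entry does not have 7 fields or a listed user has no entry.
build_candidate() {
    awk -F: -v OFS=: '
        BEGIN     { bad = 0 }
        NR == FNR { new[$1] = $2; next }
        NF != 7   { print "malformed entry at line " FNR > "/dev/stderr"; bad = 1 }
        $1 in new { $2 = new[$1]; seen[$1] = 1 }
                  { print }
        END       { for (u in new) if (!(u in seen)) {
                        print "no passwd entry for " u > "/dev/stderr"; bad = 1 }
                    exit bad }
    ' "$2" "$1" > "$3"
}

# Constructed sample data: three existing accounts, one hash to apply.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:ROOTHASHxxxxx:0:3::/:/sbin/sh' \
                  'alice:OLDHASHxxxxxx:1001:20:Alice:/home/alice:/usr/bin/ksh' \
                  'bob:OLDHASHyyyyyy:1002:20:Bob:/home/bob:/usr/bin/ksh' > "$dir/passwd"
    # On the page's system the hash would come from makekey fed with the
    # password plus random_salt; "NEWHASHzzzzzz" is a constructed placeholder.
    printf '%s\n' 'alice:NEWHASHzzzzzz' > "$dir/hashes"
    build_candidate "$dir/passwd" "$dir/hashes" "$dir/passwd.new" || return 1
    diff "$dir/passwd" "$dir/passwd.new" || true   # diff exits 1 when files differ
    rm -rf "$dir"
}
demo
```

The diff output is the review step: only the lines for the listed users should differ, and only in field 2.
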
Terrence
Regular Advisor

Re: Changing multiple passwords

Well if you're going to spell it out for me, even I can understand it. My only remaining concern is that the script increments the user id by 1, and assigns a new number. I'm changing passwords on existing accounts, so I don't necessarily need to assign new user id's (though I can it's not critical), but I do need to overwrite the existing entry in the password file with the new password. Sorry for my ignorance but the >> to the password file will overwrite the correct entry? These accounts are not contiguous and are a small subset of a password file with 4000 accounts.
Steven Sim Kok Leong
Honored Contributor

Re: Changing multiple passwords

Hi,

This else portion of the script takes care of that:

newline=`grep "^$user:" /etc/passwd | awk -F: -v enc="$encrypted" '{print $1":"enc":"$3":"$4":"$5":"$6":"$7}'` # creates a line containing the original fields but with the encrypted password substituted
grep -v "^$user:" /etc/passwd > /tmp/passwd.tem # creates a temporary passwd file with all existing entries except the line containing the user to be modified
echo "$newline" >> /tmp/passwd.tem # inserts the line containing the original fields but with the encrypted password substituted into the temporary password file
mv -f /tmp/passwd.tem /etc/passwd # overwrites the actual password file with the temporary password file

uids need not be in numerically ascending order in the password file.

As Sridhar has pointed out, it is safer for you to create a passwd.sav, check through all the entries generated in it, make a backup of the existing /etc/passwd before overwriting it with a copy from passwd.sav.

Hope this helps. Regards.

Steven Sim Kok Leong
Terrence
Regular Advisor

Re: Changing multiple passwords

Brilliant! I completely misread the else statement, I thought it was a fail-safe in case the account didn't already exist. Thanks for all the help, you guys just saved me from carpal tunnel.