Solved

passwd and expect

Posted on 2000-03-07
27
960 Views
Last Modified: 2013-12-27
jlevie...

Thanks for all your help....

I have a couple of more questions until my expect book gets in...

I am using the same passwd.cgi that comes with expect.  I am running on a Solaris 5.7 machine.

I have to change the following line:

spawn /bin/su $var(name) -c "/bin/yppasswd $var(name)"

to

spawn /bin/su $var(name) -c "/bin/passwd $var(name)"

to get the script to start working.

However, I am getting the following response in my browser.

Passwd Change Acknowledgment
Error: Password:

Do you have any ideas...??

Thanks again...
0
Comment
Question by:afpcos
  • 14
  • 10
  • 2
  • +1
27 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 2593155
I'm looking at it...
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2593207
I found it. Which version of expect do you have? I'm looking at 5.31 and I can post the change if we're both using the same version.
0
 
LVL 2

Author Comment

by:afpcos
ID: 2593238
Yes.. I am using 5.31...
0
 
LVL 2

Author Comment

by:afpcos
ID: 2593263
Yes.. I am using 5.31...
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2593313
Okay, I'll put the change up in a bit.
0
 
LVL 2

Author Comment

by:afpcos
ID: 2595863
jlevie...

Good morning....

Were you going to post the change here or on the expect web site.

Thanks...!!!
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2595909
It'll be here, I ran out of time last night and didn't get to test it as a cgi... very soon, I promise...
0
 
LVL 2

Author Comment

by:afpcos
ID: 2595968
Thanks...

I just wanted to make sure I was looking in the right place...

See ya
0
 
LVL 2

Author Comment

by:afpcos
ID: 2596010
Thanks...

I just wanted to make sure I was looking in the right place...

See ya
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2597386
Okay, here tis. Replace the expect code in passwd.cgi with what follows.

---Snip, Snip..---
# Change following line appropriately for your site.
# Solaris 2.6 & later needs the -r option to specify which
# password service (files, nis, nisplus) see man passwd.
spawn /bin/su $var(name) -c "/bin/passwd -r files $var(name)"

expect {
    "Unknown login:" {
      errormsg "unknown user: $var(name)"
      exit
    } default {
      errormsg "$expect_out(buffer)"
      exit
    } "Password:"
}
send "$var(old)\r"
expect {
    "unknown user" {
      errormsg "unknown user: $var(name)"
      exit
    } "Sorry" {
      errormsg "Old password incorrect"
      exit
    } default {
      errormsg "$expect_out(buffer)"
      exit
    } -re "(New P|Enter login p)assword:"
}
send "$var(old)\r"
expect {
    default {
      errormsg "$expect_out(buffer)"
    } "New password:"
}
send "$var(new1)\r"
expect -re "(N|Re-enter n)ew password:"
send "$var(new2)\r"
expect -re (.*)\r\n {
      set error $expect_out(1,string)
}
close
wait
0
 
LVL 2

Author Comment

by:afpcos
ID: 2597845
jlevie...

I made the changes you suggested.

The script seems to be executing all the way through the code now.

However, the password is not being changes.

Unless you have any other ideas, I guess I will have to wait for the book.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2598716
Are you using files, NIS, or NIS+?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2599687
(keep me informed;-)
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 2

Author Comment

by:afpcos
ID: 2600019
I am using files.

I think I have narrowed it down.

After this line:

expect -re (.*)\r\n {
set error $expect_out(1,string)
}

I had to type:

wait
expect eof

For it to work.

However, the code you suggested cut out the last display that tells the user if there was an error or if it was successfull.  I need this for the users.

When I add that back in between the wait and the expect eof, it still changes the password, but it does not display the message.

I am still working on this.

If you have a solution in the next day or so I will increase your points and accept the answer.  If not,  in a couple of days...I will accept the answer as is because it was a very good lead to the answer.

Again...Thank you!!!

I am new to Unix and expect...you were a great help.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2600435
Do you have these lines:

if {[info exists error]} {
        errormsg "$error"
} else {
        successmsg "Password changed successfully."
}

after the code I sent? There were in the original and are responsible for the displaying the last error or the success message.
0
 
LVL 2

Author Comment

by:afpcos
ID: 2600618
Yes...

It looks like the problem is that even when the password is changed, it is going through the first part of the last if and displaying

Error:

I tried displaying the error variable prior to going into the if statement and it is null.

It should be going through the else statement and displaying "Password changed successfully.".
0
 
LVL 2

Author Comment

by:afpcos
ID: 2600658
Yes...

It looks like the problem is that even when the password is changed, it is going through the first part of the last if and displaying

Error:

I tried displaying the error variable prior to going into the if statement and it is null.

It should be going through the else statement and displaying "Password changed successfully.".
0
 
LVL 2

Author Comment

by:afpcos
ID: 2600700
Yes...

It looks like the problem is that even when the password is changed, it is going through the first part of the last if and displaying

Error:

I tried displaying the error variable prior to going into the if statement and it is null.

It should be going through the else statement and displaying "Password changed successfully.".
0
 
LVL 2

Author Comment

by:afpcos
ID: 2600716
jlevie...

Just received my book.

This is what I did to make it work for me.

wait -nowait

if [llength $error]>0 {
        errormsg "$error"
} else {
        successmsg "Password changed successfully."
}

expect eof

I changed the wait to wait -nowait because
where the user did not type the second new password correctly it took forever for the error message to come back.

I also read about if statements and changed it to [llength $error]>0.

I am new at this, so unless you see anything here with these changes that I could improve on or will have problems with, I will accept your answer.

Thanks...
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2600972
I don't think the "wait -nowait" is the solution. That, "causes the wait to return immediately with the indication of a successful wait".

Let me look at something else, I just found what might be a slight variation in the behaviour of "passwd" (when presented with an invalid second password) depending on what patches are installed. I think I need a more general closure section.   Shortly...
0
 
LVL 5

Expert Comment

by:paulqna
ID: 2606400
Is this what you mean...:

#!/usr/local/bin/expect --

spawn /usr/bin/passwd $1
expect "New password:"
send "$2\r"
expect "Re-enter password:"
send "$2\r"
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2607175
I've made some progess. Interestingly, I've found lots of ways to get it to fail amoung my 2.6, 2.7, & 2.8 systems. I think I've pretty well sorted out and accounted for the differences, but I'd like to do one last round of tests before I post the results. Say tomorrow as it's late and the regression test takes a while to work through all the ways I know it can fail.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 2607546
try a
  sleep 1
as last command in your expect script
0
 
LVL 2

Author Comment

by:afpcos
ID: 2607741
jlevie....

I will await your post.

Again thank you for your help.

My experience is in Visual Basic, Access, and Informix database.

Maybe some dat I can return the favor.

Have a nice weekend.  

I will check back on Monday...
0
 
LVL 40

Accepted Solution

by:
jlevie earned 100 total points
ID: 2607872
I think I've got it now, at least I can't find a way to cause it to fail in "playtoy mode". A replacement passwd.cgi follows. Below that is a "playtoy" that can be run from the command line to check out the expect script without having to go through a web server.

---snip,snip - begin passwd.cgi---
#!/depot/path/expect --

# This is a CGI script to process requests created by the accompanying
# passwd.html form.  This script is pretty basic, although it is
# reasonably robust.  (Purposely intent users can make the script bomb
# by mocking up their own HTML form, however they can't expose or steal
# passwords or otherwise open any security holes.)  This script doesn't
# need any special permissions.  The usual (ownership nobody) is fine.
#
# With a little more code, the script can do much more exotic things -
# for example, you could have the script:
#
# - telnet to another host first (useful if you run CGI scripts on a
#   firewall), or
#
# - change passwords on multiple password server hosts, or
#
# - verify that passwords aren't in the dictionary, or
#
# - verify that passwords are at least 8 chars long and have at least 2
#   digits, 2 uppercase, 2 lowercase, or whatever restrictions you like,
#   or
#
# - allow short passwords by responding appropriately to passwd
#
# and so on.  Have fun!
#
# Don Libes, NIST

puts "Content-type: text/html\n"      ;# note extra newline

puts "
<head>
<title>Passwd Change Acknowledgment</title>
</head>

<h2>Passwd Change Acknowledgment</h2>
"

proc cgi2ascii {buf} {
    regsub -all {\+} $buf { } buf
    regsub -all {([\\["$])} $buf {\\\1} buf
    regsub -all -nocase "%0d%0a" $buf "\n" buf
    regsub -all -nocase {%([a-f0-9][a-f0-9])} $buf {[format %c 0x\1]} buf
    eval return \"$buf\"
}

foreach pair [split [read stdin $env(CONTENT_LENGTH)] &] {
      regexp (.*)=(.*) $pair dummy varname val
      set val [cgi2ascii $val]
      set var($varname) $val
}

log_user 0

proc errormsg {s} {puts "<h3>Error: $s</h3>"}
proc successmsg {s} {puts "<h3>$s</h3>"}

# Need to su first to get around passwd's requirement that passwd cannot
# be run by a totally unrelated user.  Seems rather pointless since it's
# so easy to satisfy, eh?
#
# Change following appropriately for your site.
#
# Solaris 2.6 & later needs the -r option to specify which
# password service (files, nis, nisplus) see man passwd.  Linux
# has passwd in a different location and doesn't need the
# service specification. (Note that I no longer have anything
# earlier than 2.6 to test with, you've been warned... there be
# dragons here).
#
# BIG NOTE!!! Linux has to have the "sleep 1" between each of
# the "expect/send" pairs. It puts out the prompt before it's actually
# ready to take input. You can comment them out for Solaris, but
# it doesn't hurt for them to be there and might be a plus
# busy server. (there be really big dragons here...)
#

spawn /bin/su $var(name) -c "/bin/passwd -r files $var(name)"
#spawn /bin/su $var(name) -c "/usr/bin/passwd"

sleep 1
expect {
    "Unknown (login|id):" {
      errormsg "unknown user: $var(name)"
      exit
    } -re "(.*) does not exist" {
      errormsg "unknown user: $var(name)"
      exit
    } default {
      errormsg "$expect_out(buffer)"
      exit
    } "Password:"
}
send "$var(old)\r"
sleep 1
expect {
    "Sorry" {
      errormsg "Old password incorrect"
      exit
    } "incorrect passwd" {
      errormsg "Old password incorrect"
      exit
    } default {
      errormsg "$expect_out(buffer)"
      exit
    } -re "(.*)(login|UNIX) password:"
}
send "$var(old)\r"
sleep 1
expect {
    "Sorry" {
      errormsg "Old password incorrect"
      exit
    } default {
      errormsg "$expect_out(buffer)"
      exit
    } -re "New (.*)password:"
}
send "$var(new1)\r"
sleep 1
expect {
    -re "passwd.SYSTEM.(.*)" {
      errormsg "$expect_out(buffer)"
      exit
    } -re "BAD(.*)" {
      errormsg "$expect_out(buffer)"
      exit
    } default {
      errormsg "Unknown error from passwd"
      exit
    } -re "Re(.*) password:"
}
send "$var(new2)\r"
sleep 1
expect {
    -re "passwd(.*) try again" {
      errormsg "$expect_out(buffer)"
      exit
    } -re "Sorry,(.*)" {
      errormsg "$expect_out(buffer)"
      exit
    } default {
      errormsg "Unknown error from passwd"
      exit
    } -re "(.*) successfully changed (.*)" {
      successmsg "Password successfully changed"
      exit
    } -re "(.*) updated successfully" {
      successmsg "Successfully updated password"
      exit
    }
}
close
wait

---snip,snip - begin playtoy ---
#!/usr/local/bin/expect --

set var(name) gork
set var(old) passpass
set var(new1) @SU5nfYt
set var(new2) @SU5nfYt

proc errormsg {s} {send_error "!!$s!!"}
proc successmsg {s} {send_error "<$s>"}

#
# This is a playtoy for testing the passwd.cgi script without actually
# having to use a web server. The tcl code above fills in the variables
# that the cgi would have and redirects the output to our terminal.
# Everything below can be simply pasted over the expect script
# portion of passwd.cgi.

# Need to su first to get around passwd's requirement that passwd cannot
# be run by a totally unrelated user.  Seems rather pointless since it's
# so easy to satisfy, eh?

# Change following appropriately for your site.
#
# Solaris 2.6 & later needs the -r option to specify which
# password service (files, nis, nisplus) see man passwd.  Linux
# has passwd in a different location and doesn't need the
# service specification. (Note that I no longer have anything
# earlier than 2.6 to test with, you've been warned... there be
# dragons here).
#
# BIG NOTE!!! Linux has to have the "sleep 1" between each of
# the "expect/send" pairs. It puts out the prompt before it's actually
# ready to take input. You can comment them out for Solaris, but
# it doesn't hurt for them to be there and might be a plus
# busy server. (there be really big dragons here...)
#

spawn /bin/su $var(name) -c "/bin/passwd -r files $var(name)"
#spawn /bin/su $var(name) -c "/usr/bin/passwd"

sleep 1
expect {
    "Unknown (login|id):" {
      errormsg "unknown user: $var(name)"
      exit
    } -re "(.*) does not exist" {
      errormsg "unknown user: $var(name)"
      exit
    } default {
      errormsg "$expect_out(buffer)"
      exit
    } "Password:"
}
send "$var(old)\r"
sleep 1
expect {
    "Sorry" {
      errormsg "Old password incorrect"
      exit
    } "incorrect passwd" {
      errormsg "Old password incorrect"
      exit
    } default {
      errormsg "$expect_out(buffer)"
      exit
    } -re "(.*)(login|UNIX) password:"
}
send "$var(old)\r"
sleep 1
expect {
    "Sorry" {
      errormsg "Old password incorrect"
      exit
    } default {
      errormsg "$expect_out(buffer)"
      exit
    } -re "New (.*)password:"
}
send "$var(new1)\r"
sleep 1
expect {
    -re "passwd.SYSTEM.(.*)" {
      errormsg "$expect_out(buffer)"
      exit
    } -re "BAD(.*)" {
      errormsg "$expect_out(buffer)"
      exit
    } default {
      errormsg "Unknown error from passwd"
      exit
    } -re "Re(.*) password:"
}
send "$var(new2)\r"
sleep 1
expect {
    -re "passwd(.*) try again" {
      errormsg "$expect_out(buffer)"
      exit
    } -re "Sorry,(.*)" {
      errormsg "$expect_out(buffer)"
      exit
    } default {
      errormsg "Unknown error from passwd"
      exit
    } -re "(.*) successfully changed (.*)" {
      successmsg "Password successfully changed"
      exit
    } -re "(.*) updated successfully" {
      successmsg "Successfully updated password"
      exit
    }
}
close
wait

0
 
LVL 2

Author Comment

by:afpcos
ID: 2635848
Adjusted points from 50 to 100
0
 
LVL 2

Author Comment

by:afpcos
ID: 2635849
jlevie...

Sorry it took me so long to accept your answer.

I was tied up in another project.

Thanks again!!!

afpcos....
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Hello fellow BSD lovers, I've created a patch process for patching openjdk6 for BSD (FreeBSD specifically), although I tried to keep all BSD versions in mind when creating my patch. Welcome to OpenJDK6 on BSD First let me start with a little …
Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now