Problems changing password over ssh (Unexpected failure. Password file/table unchanged)

I am receiving an error message when attempting password changes from Cygwin/expect over ssh to Solaris.  This is the error message

          Unexpected failure. Password file/table unchanged.

The error message is also issued when I execute:

   ssh -l myname myserver.mydomain.com passwd

I've reviewed other postings here and searched Sun's website and found reference to an issue that gives the identical error message but I believe it is unrelated.  The issue that I saw is titled, "On Solaris Systems, Users May Not be Able to Change Their Password or Password Attributes Using the passwd(1) Command" which is document ID: 57592.  This led me to check the configuration for passwd in the /etc/nsswitch.conf and I can see that this is a different issue because my /etc/nsswitch.conf says:

passwd:     files

which is not consistent with what Sun is describing in their document.


I believe that the issue has something to do with using "ssh" and sending the remote passwd command on Solaris.  I tried this on another system (linux) with "expect"  as a proof-of-concept.  I have created an "expect" script that connects to my account on my personal linux server over ssh and changes my password successfully.  

QUESTIONS
  1) Please help me understand why the passwd command is complaining when executed remotely?  
  2) Please also help me to figure out a workaround so that I can script password changes using "expect" from a password server.

Regards,
Jeff

neteducation Commented:
>> 1) Please help me understand why the passwd command is complaining when executed remotely?  
 
The passwd command is not using stdin to get the password, but it tries to read directly from the underlying tty. While expect can handle this locally, it can't always handle it over the net.

>>  2) Please also help me to figure out a workaround so that I can script password changes using "expect" from a password server.

Direct workaround would be to have a script where you pass over the encrypted password hash as it is in /etc/shadow and this script then puts it into the shadow file of the remote machine.

However, instead of trying to sync the passwords like this, I'd rather go for a name service. If you have some time to spare, then use LDAP, as it will almost certainly be THE name service of the future. If you want to keep it simple for the beginning, use NIS (which is old-fashioned, but easier to implement... but then when you want to switch later on you have double work).

jeffr (Author) Commented:
Hi neteducation,

For further clarification, I thought that ssh would provide the required tty that passwd requires -- I assume that is why it works on my linux server?  And I was happy when linux allowed me to use expect to negotiate over ssh with the prompts supplied by passwd.  So I'm still unclear as to why Solaris is behaving differently?

As for the workaround, I am not a sysadmin, but instead a database admin and thus don't have root privs.  We have database accounts throughout the enterprise that we want to sync passwords on and that is why I'm working with expect.

Further, I like the LDAP suggestion, but again, I don't have authority to pursue that either.

Regards,
Jeff

tfewster Commented:
Have you tried separating the login and password change steps? e.g.
ssh -l myname myserver.mydomain.com  # and supply login password via expect
passwd  # and supply the new password via expect
exit

jeffr (Author) Commented:
There is no "login" actually because I'm using a pre-authorized account via ssh.  Therefore there are no prompts for login or password.  Ssh just lets my commands go straight through to the shell.  Therefore, "expect" is only managing the password change.

neteducation Commented:
how about if you put the expect-script onto your solaris-box and run

ssh -l myname myserver.mydomain.com passwd-change-except-script

??

tfewster Commented:
>  There is no "login" actually

Understood, but did you try my suggestion? As neteducation said, "ssh passwd" will run into problems with working out what stdin is, whereas running ssh with no command will start a normal shell and `expect` can then be used to look for the prompts and respond appropriately.

jeffr (Author) Commented:
I am planning to ask our operations group if they are willing to install "expect" on the Solaris boxes but there are literally hundreds of them.  I'm hoping to gain an understanding why Solaris is not behaving the same way as linux in this regard.  Is it a Solaris configuration parameter?  

It seems unlikely, but I was hopeful to not have to install "expect" on every server which is why the linux testing results with "expect" seemed great and would save us lots of time and money if it worked on Solaris.  It's disappointing if this cannot be done but I'll award the points for pointing me to a solution anyway.

Again, I just hope for some more understanding about the inner workings of why Solaris is giving different results from Linux.

Thanks!
Jeff

yuzh Commented:
To check if the passwd command works on your Solaris box, ssh to the Solaris box and,
at the shell prompt, type in:

passwd

If you have a problem, please post the error message, and the output of:

grep -i passwd /etc/nsswitch.conf

"expect" is an add-on package for Solaris; you can get it from (ask your sys adm to do it):
 http://sunfreeware.com/

As most sys adms use their own customized install for software packages, you need
to ask your sys adm where expect is installed and modify the first line of your expect
script. E.g., if it is installed in /usr/local, you need:

#!/usr/local/bin/expect -f

Sometimes the adm guy might put it under /opt!

BTW, the command syntax for passwd varies between Solaris and Linux; do a "man passwd" on both systems to find out more details.

jeffr (Author) Commented:
These may be acceptable workarounds but I don't think that my original question has been answered.  I'm still not clear as to why ssh is not sufficient for simulating a tty for the password command to work properly?  After all, it works when I invoke the shell and type the passwd command.  And the linux passwd command has the same tty restriction and the passwd command does not fail on linux over ssh.  I understand the explanation about passwd requiring a tty and that is why I used "expect" to begin with -- because my prior attempts to just create a ksh file to change passwords failed on the target server and that is why "expect" is required.

As for the recommended workarounds:
Installing "expect" on the target server was something I wanted to avoid and was gratified to find it worked over ssh on linux but disappointed when the same scenario failed on Solaris.  However, I imagined as a fallback that installing "expect" on the target server might be required because I had already checked a few of the target servers and the "expect" command is not anyplace on the system that I have access to (I searched the entire system with the find command).  I will probably have no choice but to pursue installing "expect" on all target servers.  But I would feel much better requesting this if I was certain that it would solve my problem.

Can I install the "expect" utility for solaris in my local directory for testing as a proof-of-concept before getting the sysadmins involved?  As I mentioned before, I am not a sysadmin so I won't have access to do a standard install to /usr/local/bin or wherever.  If I can install it locally and confirm the functionality then I'll start filling out paperwork to get that software installed.

Back to my original question:
I hate to belabor it but I don't think that I've received an answer to my question about why passwd doesn't see the ssh command as coming from a tty on Solaris when I invoke passwd on the command line versus in an ssh connection/shell?  That same constraint exists on linux but the passwd command works over ssh with expect.

yuzh Commented:
You can use expect to handle passwords over an ssh connection in Solaris (I have used it
for a few years!).

There might be a problem with your expect script; the "expect" message has to be an
EXACT match for the screen output from the remote box. You can use

autoexpect to create another script to log in to your Solaris box, e.g.

autoexpect -p ssh myname@myserver.mydomain.com  passwd

then modify the script.

jeffr (Author) Commented:
This would be great if the passwd command didn't issue the error that I mentioned at the top of this chain.  I'll repeat it here.

         Unexpected failure. Password file/table unchanged.

Once I can get past this error message to interact with the passwd command then I'll refine the script if need be.  There must be a Solaris option that is turned off/on that is prohibiting execution of the passwd command in the manner that I am doing it.  Is it possible that the system somehow knows that passwd is being invoked on the command-line across an ssh connection and blocks it?  Is this being done deliberately by a system admin configuration?  I've found no other mention of this in my searches but I'm hoping that the experts here can bring closure to this question.

Thanks!
Jeff

jeffr (Author) Commented:
I've checked this on another server in our environment and I'm receiving the same error, "Unexpected failure. Password file/table unchanged."

What is it about the Sun configuration that won't allow the passwd command to be executed in this fashion?  Am I mistaken that ssh will look like a tty?  Does passwd on Solaris also require some other evidence that I'm logged in like a utmp entry?

Cheers!
Jeff

neteducation Commented:
can you post your expect script here... maybe there is something wrong about it....

jeffr (Author) Commented:
Sure.  but i can reproduce the problem with expect and without.   Here is the script:

set oldPassword ""
set newPassword ""
proc pReadPasswordFile { passFileName } {
        global oldPassword newPassword
        set fhandle [open $passFileName r]
        gets $fhandle oldPassword
        gets $fhandle newPassword
        close $fhandle
}
set servername [lindex $argv 0]
set username [lindex $argv 1]
pReadPasswordFile [lindex $argv 2]
spawn ssh -l $username $servername ~/mypw
expect "password:"
send "$oldPassword\r"
expect "password:"
send "$newPassword\r"
expect "password:"
send "$newPassword\r"
expect eof

#Passwords are read from a file and set as global variables.

Cheers!
Jeff

neteducation Commented:
The passwd-command (on my solaris 9) gives the following Output:

$ passwd
passwd: Changing password for frank
Enter existing login password:
New Password:
Re-enter new Password:
passwd: password successfully changed for frank

So your first expect should be for "login password", so that the old password is not already sent when getting the info "passwd: Changing password for frank".
Your second and third expect should be for "Password" (capital P).

neteducation Commented:
oh, yes one more thing....

>> Sure.  but i can reproduce the problem with expect and without.  

There is a big difference between

> ssh -l myname myserver.mydomain.com passwd

and

> ssh -l myname myserver.mydomain.com

and then entering passwd:

> ssh -l myname myserver.mydomain.com passwd

is using (encrypted) rexec-protocol which (most probably) does not create a tty

>  ssh -l myname myserver.mydomain.com

is using (encrypted) rlogin-protocol which creates a tty

So I'd use the following expect-Script:

set oldPassword ""
set newPassword ""
proc pReadPasswordFile { passFileName } {
        global oldPassword newPassword
        set fhandle [open $passFileName r]
        gets $fhandle oldPassword
        gets $fhandle newPassword
        close $fhandle
}
set servername [lindex $argv 0]
set username [lindex $argv 1]
pReadPasswordFile [lindex $argv 2]
spawn ssh -l $username $servername
except " "
send "passwd\r"
expect "login password:"
send "$oldPassword\r"
expect "Password:"
send "$newPassword\r"
expect "Password:"
send "$newPassword\r"
expect "successfully"
send "exit\r"
expect eof

0
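
The difference described in the answer above, between a command started with no terminal and one started in a login session, can be reproduced locally. The following is an added example, not part of the original thread: it runs a stand-in program that opens /dev/tty directly (the behaviour the answer attributes to passwd; the probe and function names are constructed for illustration) once with no controlling terminal and once on a pseudo-terminal.

```python
# Added illustration: a program that opens /dev/tty directly, run with and
# without a controlling terminal. Constructed example, not code from the thread.
import os
import pty
import subprocess
import sys

# Stand-in for a passwd-style program (assumption: it opens the terminal
# device itself instead of reading the password from stdin).
PROBE = (
    "import os\n"
    "try:\n"
    "    os.close(os.open('/dev/tty', os.O_RDWR))\n"
    "    print('tty-ok')\n"
    "except OSError:\n"
    "    print('no-tty')\n"
)

def run_without_tty():
    """Like `ssh host passwd`: new session, no controlling terminal."""
    done = subprocess.run(
        [sys.executable, "-c", PROBE],
        stdin=subprocess.DEVNULL, capture_output=True, text=True,
        start_new_session=True,  # setsid(): detaches from any controlling tty
    )
    return done.stdout.strip()

def run_with_pty():
    """Like an interactive `ssh host` login: child runs on a pseudo-terminal."""
    pid, master = pty.fork()  # child gets the pty slave as controlling tty
    if pid == 0:
        try:
            os.execv(sys.executable, [sys.executable, "-c", PROBE])
        finally:
            os._exit(127)  # only reached if exec failed
    out = b""
    while True:
        try:
            chunk = os.read(master, 1024)
        except OSError:  # Linux reports EIO once the child side is closed
            break
        if not chunk:
            break
        out += chunk
    os.close(master)
    os.waitpid(pid, 0)
    return out.decode().strip()

if __name__ == "__main__":
    print("command without a tty:", run_without_tty())
    print("command on a pty:     ", run_with_pty())
```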
 
neteducation Commented:
uups, typo....

not

except " "


but

expect ""

neteducation Commented:
and again a typo....

expect " "

(or you may put anything else that is expected as proof that a connection was made)... I think I'm a little tired... going to bed...

jeffr (Author) Commented:
Thanks Neteducation.  I have things working well enough to continue development.  I'm sorry that it took so long to confirm.

Regards,
Jeff

ehout Commented:
Hi,

Did you ever succeed?
I am facing the very same problem.

jeffr (Author) Commented:
Yes I did succeed but it was nearly five years ago.  What is the problem scenario that you face?  Maybe I can offer some advice.

ehout Commented:
Exactly the same as you describe above ;-)
Solaris systems in the network, and even a simple command such as
ssh user@host passwd receives an unexpected failure message. passwd on the host after logging in works like a charm, so the function is present. Also other commands like ls -l and so on work fine.
suppose: I run ssh user@host passwd ls -l /   nicely returns a listing of files in the serverroot.

User is authenticated by a public/private keypair, so the credentials are OK.

Systems are solaris 5.8 (though on others with AIX 5.3 I face some other things, but I haven't come to figuring out that part yet).

Tried things with expect, tried things with some other scripts, including the one above in this thread, but it just does not seem to work.

neteducation Commented:
Well, "passwd" is still not using stdin, so the solution with an expect script would still be the way to go. However, if you are talking about solaris 8, you may want to try to use a utility such as npasswd

http://www.utexas.edu/cc/unix/software/npasswd/

It was originally intended to increase the quality of passwords, but it might also be that it is more easily remote-controllable through ssh.

jeffr (Author) Commented:
I know that my solution was successfully deployed with expect.  I don't have access to the servers or the code anymore because I have since left that job.  I'll see if I can find any old emails and post whatever I have to help.  

When you run expect are you executing it as an ssh command remotely or are you executing it locally and chatting with the remote server box?

ehout Commented:
Locally, I guess. It's in the script I run on the server I am at, not on the host I wish to change.