Automate Password Change Process

Hello All,

I am working as a system engineer and am planning to automate the password change process on multiple servers (Unix/Windows).


Here is the requirement...

- I have around 30 Unix and 10 Windows servers.
- Each server has multiple IDs based on the services installed on it, e.g. a web server has an apache ID, an application server has a weblogic ID, etc.
- I would like to create one script that, when executed, changes the password for all IDs on all servers.


Can anyone suggest how to implement this?

Thanks
Deepak
deepakjena_2003 Asked:

Nopius Commented:
It's not a good idea to have separate passwd files and local users on 40 machines; it's time to move to some kind of domain (LDAP based) that will also be used from Unixes as an authentication source. So you will have a single point for changing passwords (at most 2 points, one for Unix and one for Windows hosts).

- Changing a user password in Windows from the command line is described here:
http://www.windowsdevcenter.com/pub/a/windows/2004/03/30/serverhacks_passwords.html
- Changing a user password on Linux may be done with 'passwd --stdin username'
- Access to remote boxes (either Linux or Windows) without providing passwords may be done with the 'sshd' service with RSA authentication. There are Unix and Windows versions.

0

deepakjena_2003 (Author) Commented:
Hello Nopius,

I don't need a central authentication process in place.

Each server has its own local users.

In the current scenario I usually connect to each server and change the passwords manually as per our monthly schedule.

I need to automate the password change procedure with the help of a customized script.

You are correct, I have to use RSA authentication first to connect to the server.

But how am I able to change the pwd on each server from a script and send a status email...

Any help in building this type of script will be much appreciated.


Regards
Deepak
0
Duncan Roe (Software Developer) Commented:
Best way I know to automate this sort of task is to use expect (http://expect.nist.gov/). If you google for "expect Don Libes" you'll find heaps of articles about using it. It's ideal for situations where you have to wait for a prompt (like "Password: ") before entering data. You can make up a script to do all 40 locations - better keep its data files somewhere secure though :)
0
deepakjena_2003 (Author) Commented:
Due to security issues, I can't install "expect" on any Unix/Windows servers.
Again, keeping data files is a security issue.
0
Nopius Commented:
What kind of Unixes do you have?
In Linux, as I said, you may use stdin as a source of your password:
ssh -i id.key user@remotehost "echo new_password | passwd --stdin user"
0
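The SSH approach from the answer above, extended to a host list with a per-host status report, as an added example that is not part of the original thread or any participant's code. It assumes Linux hosts that have `chpasswd`, key-based root login, and hypothetical names (`rotate_hosts`, `REMOTE_SH`, the key path); the password is sent over the SSH channel's stdin so it never appears in a process list.

```shell
#!/bin/sh
# Added example: rotate one account's password on several hosts over key-based SSH.
# Hypothetical names: rotate_hosts, REMOTE_SH, the key path, root@ as the remote login.

# Command used to reach a host; overridable so the loop can be dry-run or tested.
REMOTE_SH=${REMOTE_SH:-"ssh -o BatchMode=yes -i $HOME/.ssh/id.key"}

# rotate_hosts USER HOSTFILE REPORT
# Reads the new password once from stdin, then pipes "USER:PASSWORD" to chpasswd
# on each host, so the secret is never part of a local or remote command line.
# Writes one "host OK|FAILED" line per host to REPORT; returns the failure count.
rotate_hosts() {
    user=$1 hostfile=$2 report=$3
    IFS= read -r newpass || return 255
    failures=0
    : > "$report"
    # Host list is read on fd 3 because stdin was used for the password.
    while IFS= read -r host <&3; do
        case $host in ''|'#'*) continue ;; esac    # skip blanks and comments
        if printf '%s:%s\n' "$user" "$newpass" |
            $REMOTE_SH "root@$host" chpasswd >/dev/null 2>&1; then
            echo "$host OK" >> "$report"
        else
            echo "$host FAILED" >> "$report"
            failures=$((failures + 1))
        fi
    done 3< "$hostfile"
    unset newpass
    return "$failures"
}
```

The report file can be mailed with whatever mail client the workstation has; a non-zero return value is the number of hosts that failed.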
Duncan Roe (Software Developer) Commented:
You don't need to install expect on any of your servers - only your personal workstation. You can use expect's "interact" command to make it so you always type in the passwords, while it does everything else for you. That's your goal, isn't it?
0
Duncan Roe (Software Developer) Commented:
Hi again deepakjena_2003,
Did you have in mind to run a script on each server which would change passwords and email you about it? That is different from the expect solution - the script runs on your workstation only, connects to the servers (which can be any OS) and changes the passwords. You said in an earlier post that you currently "connect to each server and change password manually" - well, expect can do that for you.
As for installing on your workstation, as long as you have gcc and make you should be fine - install in your home dir if you don't have root access (you may have to install Tcl first).
0
glassd Commented:
If your servers are completely standalone, with no common mounted filesystems, then put a script on each, run by the root crontab, which has access to a file containing a list of encrypted passwords. All files only readable by root. You keep a list of the real passwords. Each time cron runs it will use the first encryption for each account and change that in the shadow file. It then removes that line from your list of encryptions.

If you have a common mounted filesystem you can make this easier by placing your list of encryptions on the common filesystem. Make sure it can only be read by a trusted admin account and su to that account to get the encryptions when running your cron scripts.
0
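The cron approach described in the answer above, sketched as an added example (not code from the thread or from any participant). It assumes Linux with GNU `stat` and `chpasswd -e`; the queue file format, the function name `apply_next_hashes` and the `APPLY_CMD` override are hypothetical.

```shell
#!/bin/sh
# Added example of a cron-run queue consumer (hypothetical names throughout).
# Queue format, one entry per line, oldest first:   account:crypt_hash
# Assumption: hashes are generated off-host (for example with `openssl passwd -6`),
# so the server never stores a cleartext password.

APPLY_CMD=${APPLY_CMD:-"chpasswd -e"}   # -e: input already holds encrypted passwords

# apply_next_hashes QUEUE
# For every account, applies the first queued hash and deletes that line,
# leaving later entries for future runs. Returns 0 on success, 1 on refusal/failure.
apply_next_hashes() {
    queue=$1
    # The queue holds future password hashes: require owner = caller and mode 600.
    perms=$(stat -c '%u:%a' "$queue") || return 1
    case $perms in
        "$(id -u):600") ;;
        *) echo "refusing $queue: owner:mode is $perms" >&2; return 1 ;;
    esac

    umask 077
    batch=$(mktemp) && rest=$(mktemp) || return 1
    # First entry per account goes to the batch; everything else stays queued.
    awk -F: -v batch="$batch" \
        'NF >= 2 && !seen[$1]++ { print > batch; next } { print }' "$queue" > "$rest"

    status=0
    if [ -s "$batch" ]; then
        if $APPLY_CMD < "$batch"; then
            cat "$rest" > "$queue"    # rewrite in place to keep owner and mode
        else
            status=1                  # leave the queue untouched so the run can be retried
        fi
    fi
    rm -f "$batch" "$rest"
    return "$status"
}
```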