• Status: Solved

Automate Password Change Process

Hello All,

I am working as a system engineer and am planning to automate the password change process on multiple servers (Unix/Windows).


Here is the requirement...

- I have around 30 Unix and 10 Windows servers.
- Each server has multiple IDs based on the services installed on it, e.g. a web server has an apache ID, an application server has a weblogic ID, etc.
- I would like to create one script and, upon execution of this script, it should change the password for all IDs on all servers.


Can anyone suggest how to implement this?

Thanks
Deepak
0
Asked by: deepakjena_2003
3 Solutions
 
Nopius commented:
It's not a good idea to have separate passwd files and local users on 40 machines; it's time to move to some kind of domain (LDAP-based) that will also be used from the Unixes as an authentication source. So you will have a single point for changing passwords (at most 2 points, one for Unix and one for Windows hosts).

- Changing a user password in Windows from the command line is described here:
http://www.windowsdevcenter.com/pub/a/windows/2004/03/30/serverhacks_passwords.html
- Changing a user password on Linux may be done with 'passwd --stdin username'
- Accessing remote boxes (either Linux or Windows) without providing passwords may be done with the 'sshd' service with RSA authentication. There are Unix and Windows versions.

0
 
deepakjena_2003 (Author) commented:
Hello Nopius,


I don't need a central authentication process in place.

Each server has its own local user.

In the current scenario I usually connect to each server and change the password manually as per our monthly schedule.

I need to automate the password change procedure with the help of a customized script.

You are correct, I have to use RSA authentication first to connect to the server.

But how am I able to change the password on each server from a script and send a status email...

Any help in building this type of script will be much appreciated.


Regards
Deepak
0
 
Duncan Roe (Software Developer) commented:
Best way I know to automate this sort of task is to use expect (http://expect.nist.gov/). If you google for "expect Don Libes" you'll find heaps of articles about using it. It's ideal for situations where you have to wait for a prompt (like "Password: ") before entering data. You can make up a script to do all 40 locations - better keep its data files somewhere secure though :)
0
 
deepakjena_2003 (Author) commented:
Due to security issues, I can't install "expect" on any Unix/Windows servers.
Again, keeping data files is a security issue.
0
 
Nopius commented:
What kind of Unixes do you have?
In Linux, as I said, you may use stdin as a source of your password:
ssh -i id.key user@remotehost "echo new_password | passwd --stdin user"
0
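
The ssh approach from the post above, extended to a loop over hosts with one status line per host, as an added example (not code from any poster in this thread). It assumes hosts whose passwd accepts --stdin as in the post, key-based root login, and placeholder host, account and key names; the new password is prompted for once and sent over ssh's stdin rather than written into a command line or a data file.

```shell
#!/bin/sh
# Added example, not from the thread. Host names, account name and key
# path are placeholders (assumptions).
SSH=${SSH:-ssh}                      # overridable, so a stub allows a dry run
KEY=${KEY:-$HOME/.ssh/id_rotate}     # hypothetical key file

# rotate_host HOST USER NEWPASS
# The password travels on ssh's stdin to "passwd --stdin", so it never
# appears in a command line (ps output) or in shell history.
rotate_host() {
    # USER is interpolated into the remote command, so restrict its characters.
    case $2 in ''|*[!a-z0-9_-]*) return 2 ;; esac
    printf '%s\n' "$3" |
        "$SSH" -i "$KEY" -o BatchMode=yes "root@$1" "passwd --stdin $2"
}

# rotate_all USER NEWPASS HOST...
# Prints one status line per host; returns 1 if any host failed.
rotate_all() {
    user=$1 pass=$2; shift 2
    failed=0
    for host in "$@"; do
        if rotate_host "$host" "$user" "$pass" >/dev/null 2>&1; then
            echo "OK     $host $user"
        else
            echo "FAILED $host $user"
            failed=1
        fi
    done
    return "$failed"
}

# Usage: ./rotate.sh USER HOST...   (prompts once; nothing is stored on disk)
if [ "$#" -ge 2 ]; then
    acct=$1; shift
    printf 'New password for %s: ' "$acct" >&2
    stty -echo; IFS= read -r newpass; stty echo; echo >&2
    rotate_all "$acct" "$newpass" "$@"
fi
```

The status lines go to stdout, so the output of a run can be handed to whatever mailer the workstation already has for the status email.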
 
Duncan Roe (Software Developer) commented:
You don't need to install expect on any of your servers - only your personal workstation. You can use expect's "interact" command to make it so you always type in the passwords, while it does everything else for you. That's your goal, isn't it?
0
 
Duncan Roe (Software Developer) commented:
Hi again deepakjena_2003,
Did you have in mind to run a script on each server which would change passwords and email you about it? That is different from the expect solution - the script runs on your workstation only, connects to the servers (which can be any OS) and changes the passwords. You said in an earlier post that you currently "connect to each server and change password manually" - well, expect can do that for you.
As for installing on your workstation, as long as you have gcc and make you should be fine - install in your home dir if you don't have root access (you may have to install Tcl first).
0
 
glassd commented:
If your servers are completely standalone, with no common mounted filesystems, then put a script on each, run by the root crontab, which has access to a file containing a list of encrypted passwords. All files only readable by root. You keep a list of the real passwords. Each time cron runs it will use the first encryption for each account and change that in the shadow file. It then removes that line from your list of encryptions.

If you have a common mounted filesystem you can make this easier by placing your list of encryptions on the common filesystem. Make sure it can only be read by a trusted admin account and su to that account to get the encryptions when running your cron scripts.
0
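
One way to implement the cron-driven scheme described in the post above, as an added example (not glassd's code). The queue path, its `account:hash` line format and the use of `chpasswd -e` to apply already-hashed entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumed queue format: one "account:crypt-hash" per line, oldest first.
QUEUE=${QUEUE:-/root/pwqueue}       # hypothetical path; owner root, mode 0600
APPLY=${APPLY:-chpasswd -e}         # -e: supplied passwords are already hashed

# Print the first queued line for each account (the entries due this run).
due_entries() {
    awk -F: '!seen[$1]++' "$QUEUE"
}

# Apply the due hashes, then drop exactly those lines from the queue.
rotate_from_queue() {
    umask 077                        # temp files must not be readable by others
    due=$(mktemp) rest=$(mktemp) || return 1
    due_entries >"$due"
    if [ ! -s "$due" ]; then
        rm -f "$due" "$rest"
        echo "queue empty"
        return 1
    fi
    if $APPLY <"$due"; then
        awk -F: 'seen[$1]++' "$QUEUE" >"$rest"   # everything after the first per account
        cat "$rest" >"$QUEUE"                    # rewrite in place: keeps owner and mode
        echo "rotated $(wc -l <"$due" | tr -d ' ') account(s)"
        rc=0
    else
        echo "apply failed, queue left untouched"
        rc=1
    fi
    rm -f "$due" "$rest"
    return "$rc"
}

# The root crontab entry would invoke this script with the argument "run".
if [ "${1:-}" = run ]; then
    rotate_from_queue
fi
```

Because a failed apply leaves the queue untouched, the next cron run retries the same hashes and the admin's list of real passwords stays in step with the servers.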
