Solaris 10 password change using password files

Hi experts

I want to change Solaris 10 passwords using a password file. I have searched the internet and could not find anything of much help.
jw124210 Asked:

omarfarid Commented:
Please elaborate more on the requirements. What do you mean by "using a password file"? And how do you want to change it?
0
Gerwin Jansen, EE MVE, Topic Advisor Commented:
Passwords stored in a (local) password file can be changed by root using:

# passwd <user>

and typing the password you want to set.
0
jw124210 (Author) Commented:
I want to automate the password process. The passwords will be saved in a file, and the script will read this file without having to type in the new password and confirm it.
0
Gerwin Jansen, EE MVE, Topic Advisor Commented:
I've done similar things (remote shell, execute, supply passwords) using tclsh / expect. Do you have expect on your Solaris machine?
0
arnold Commented:
Solaris stores the password in the shadow file.

Make sure you have sanity checks to avoid locking yourself out. Include tests to make sure the partition where /etc is has not run out of space. A zero-byte shadow file is trouble.
Parsing the combination of passwd and shadow files. The question you should keep in mind is at what point you will encrypt the password. Had such a setup where the distribution is done via NFS shares with cksum/md5sum as a means to validate data.
0
jw124210 (Author) Commented:
I would like to avoid using expect on any implementation. This is for one of my clients and they are quite strict with regards to what goes into their IT environment.
0
omarfarid Commented:
I think without expect, it will not be possible to automate password changes, since the passwd command will not accept passwords via stdin.

You need to use expect to automate password changing from file.
0
arnold Commented:
With great care, rewriting/modifying shadow entries is what the asker wants.
Presumably, centralized credential management (LDAP) is not an option.
Centralized management would solve many things and with fewer risks.

I.e. You pass around a file
Username:encryptedpassword:uid::gid:comment:homedir:shell
........
0
Gerwin Jansen, EE MVE, Topic Advisor Commented:
Distributing shadow entries is a possibility, yes, but then how to make the initial changes to the 'master' shadow file?
0
arnold Commented:
The setup I had dealt with only modifying user accounts. A default shadow was the base.


A script either run by cron or triggered remotely must be copied/setup first.
The initial setup involves being on each system.
What can be changed and how certain changes can be made have to be worked out.

IMHO, using LDAP to manage users is a step one should consider, depending on the number of systems that are being managed and the functions they provide.
Much faster deployment and scaling for .......
0
jw124210 (Author) Commented:
Hi All

LDAP is not an option. I would prefer going the Perl route, as Solaris 10 comes with Perl by default.
0
arnold Commented:
With Perl you have two hashes: one deals with /etc/passwd and the other with /etc/shadow.
Shadow
User:password
Passwd
User:lock when needed:uid:gid.......

Make sure to test that /etc has enough space. Create a replacement shadow, and only when the checks are done, replace the shadow with the new one while maintaining permissions.
0
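One way to do the "build a replacement shadow, check it, then swap it in" step described in the comment above, as an added Perl example that is not code from any participant in this thread. It assumes a hypothetical updates file of `user:hash` lines (passwords already hashed) and takes both paths as arguments so it can be tried on a copy of the shadow file first.

```perl
#!/usr/bin/perl
# Added example: rebuild a shadow file from a "user:hash" list (assumed format).
use strict;
use warnings;

my ($shadow, $updates) = @ARGV;
die "usage: $0 shadow-file updates-file\n" unless defined $updates;
umask 077;    # the temp copy holds hashes; never create it world-readable

# Hash of user => new pre-hashed password
my %new;
open my $u, '<', $updates or die "open $updates: $!\n";
while (my $line = <$u>) {
    chomp $line;
    next if $line !~ /\S/ || $line =~ /^\s*#/;
    my ($user, $hash) = split /:/, $line, 2;
    die "bad update line $.\n" unless defined $hash && $hash =~ /^[^:\s]+$/;
    $new{$user} = $hash;
}
close $u;

# Walk the current shadow, swapping the password and lastchg fields
my $today = int(time() / 86400);    # lastchg is days since the epoch
my @out;
open my $s, '<', $shadow or die "open $shadow: $!\n";
while (my $line = <$s>) {
    chomp $line;
    my @f = split /:/, $line, -1;   # -1 keeps trailing empty fields
    die "malformed shadow line $.\n" unless @f == 9;
    @f[1, 2] = (delete $new{$f[0]}, $today) if exists $new{$f[0]};
    push @out, join ':', @f;
}
close $s;

# Sanity checks before anything on disk is replaced
die "unknown users: @{[sort keys %new]}\n" if %new;
die "no usable root entry, refusing\n" unless grep { /^root:[^:]+:/ } @out;

# Write beside the target, verify size, copy mode/owner, rename atomically
my @st   = stat $shadow or die "stat $shadow: $!\n";
my $tmp  = "$shadow.new.$$";
my $data = join("\n", @out) . "\n";
open my $t, '>', $tmp or die "open $tmp: $!\n";
(print {$t} $data) && close($t) or do { unlink $tmp; die "write $tmp: $!\n" };
(-s $tmp) == length($data) or do { unlink $tmp; die "short write to $tmp\n" };
chmod $st[2] & 07777, $tmp or die "chmod: $!\n";
chown $st[4], $st[5], $tmp or die "chown: $!\n";
rename $tmp, $shadow or die "rename: $!\n";
```

A full filesystem shows up as a failed or short write to the temporary file, so the original shadow is left untouched. The script does not take the system password lock or keep a backup copy, so both are left to the caller.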
jw124210 (Author) Commented:
Thank you Arnold - I know I had said I would not be looking at expect, but it seems like using a combination of perl and expect will do the trick.

Here is what I have done so far with expect:
I have an expect script running on my local Linux machine to change passwords. The password to be changed is on a Solaris box. I am not sure if running an expect script locally will work on the remote server (Solaris); there is no expect installed on the remote Solaris server. When I run the script it logs, but does not do anything. I tried creating a directory on the remote server but nothing is created. Am I doing something wrong here?

The expect script calls a perl script running on the remote server.

Forgot to attach the expect script snippet:

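username="myusername"
userpass="mypassword"
rootpass="myrootpassword"
cat server_list | while read host
do
# The expect program is one shell double-quoted string, so its inner quotes are escaped.
# The su password line uses ${rootpass}; as {rootpass} it sent that literal text.
expect -c "
set timeout 5
spawn ssh -tq ${username}@${host} su - root
expect \"ssword:\" { send \"${userpass}\r\" }
expect \"ssword:\" { send \"${rootpass}\r\" }
expect \"#\" { send \"mkdir /TTTTESTTTTTTTTT\r\" }
expect \"#\" { send \"exit\r\" }
expect eof"
done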
0
arnold Commented:
Do you have the option to use public key authentication?

As others pointed out, you should first collect the current passwd/shadow file data username, password, uid, etc. to synchronize them.

You could use expect as you have to then issue a passwd username
Wait for new password prompt.
0