sunhux
asked on
Shell/Perl scripts to automate periodic changing of Solaris/RHEL passwords
Q1:
Without TCL/Expect script, can someone provide a Shell/Perl script or way to automate changing of a couple
of Solaris account passwords every 60 days? This is for nagios (& a couple other) Solaris accounts which we
have to auto-expire but we can't afford to miss, else the expired password would cause service disruption.
Passwd, usermod or RHEL's chage can't read input from a file, thus I've not been able to find a Shell/Perl
script to do this. However, we don't want to install TCL/Expect in our Solaris 10.
Q2:
if we use sed or awk to change the 'hashed' password field of /etc/shadow, would Solaris (or even RHEL)
deem the password has been changed or UNIX will still deem it's not changed yet as we're editing the
shadow/passwd files directly instead of using commands like passwd/usermod/chage to change
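Added example (not part of the original thread) bearing on Q2: password ageing is calculated from the third shadow field, lastchg (days since 1970-01-01), not from the hash, so an edit that replaces only the hash leaves the expiry clock where it was. The sample entry, the placeholder hashes and the function names are constructed for illustration; the script never touches /etc/shadow.

```shell
#!/bin/sh
# Added example: operates on a constructed shadow-format line only.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg = day of the last password change, in days since 1970-01-01.

SAMPLE='nagios:OLDHASH-PLACEHOLDER:17000:0:60:7:::'   # constructed entry, max age 60

# Replace only the hash field, as a plain sed/awk edit of the file would.
swap_hash_only() {          # $1 = shadow line, $2 = new hash
    printf '%s\n' "$1" | awk -F: -v OFS=: -v h="$2" '{ $2 = h; print }'
}

# Replace the hash and also stamp lastchg, which is what passwd does itself.
swap_hash_and_lastchg() {   # $1 = line, $2 = new hash, $3 = today in days
    printf '%s\n' "$1" |
        awk -F: -v OFS=: -v h="$2" -v d="$3" '{ $2 = h; $3 = d; print }'
}

# Days left before expiry; negative means already expired.
# Prints "never" when lastchg or max is empty (ageing not in force).
days_until_expiry() {       # $1 = line, $2 = today in days
    printf '%s\n' "$1" | awk -F: -v t="$2" '{
        if ($3 == "" || $5 == "") { print "never"; next }
        print ($3 + $5) - t
    }'
}

# Day counter for real use; perl is used so it does not depend on date +%s.
today_in_days() {
    perl -e 'print int(time / 86400)'
}

# Demo with a constructed "today", 61 days after the sample's lastchg.
TODAY=17061
hash_only=$(swap_hash_only "$SAMPLE" 'NEWHASH-PLACEHOLDER')
both=$(swap_hash_and_lastchg "$SAMPLE" 'NEWHASH-PLACEHOLDER' "$TODAY")
echo "hash only:        $(days_until_expiry "$hash_only" "$TODAY") day(s) left"
echo "hash and lastchg: $(days_until_expiry "$both" "$TODAY") day(s) left"
```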
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
There's a few sites mentioning chpasswd for Solaris but its binary package is
nowhere to be found
The sources are here: https://github.com/shadow-maint/shadow
More specifically: https://github.com/shadow-maint/shadow/blob/master/src/chpasswd.c
At least Solaris is mentioned in the configure script.
ASKER
Thanks for the source code of chpasswd.c: is there any
binary for Solaris x86? We are unfamiliar with compiling/make
ASKER CERTIFIED SOLUTION
ASKER
Thanks, the changepass_sol10_x86.tar.gz is probably the required binary package.
Testing it out on Monday
Have not used Solaris in a while.
See if the following changes a test user's passwd:
usermod -p 'newpassword' testusername
If so, you can use a bash or perl script running under cron that will randomly change the password for the designated user.
https://stackoverflow.com/questions/32484504/using-random-to-generate-a-random-string-in-bash
once you have the string...
Why not lock the shell to /bin/nologin /bin/true or /bin/false?
And if an admin needs to operate as the nagios user, the shell can be changed and then changed back.
When using sudo to change a user, the shell can be selected as well.
sudo -s -u nagios should get you a shell with nagios uid irrespective of the shell setup in /etc/passwd
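Added example (not from the thread or from the shadow project) combining two suggestions made above: a random string generated by a cron-driven script, fed to the chpasswd tool linked earlier, which reads "user:password" lines on standard input and so needs no Expect. CHPASSWD, ACCOUNTS and ROTATE_NOW are assumed names; run it from root's crontab under ksh or bash.

```shell
#!/bin/sh
# Added example. CHPASSWD, ACCOUNTS and ROTATE_NOW are assumptions,
# not values taken from the thread.
CHPASSWD=${CHPASSWD:-chpasswd}   # the chpasswd binary installed on the host
ACCOUNTS=${ACCOUNTS:-nagios}     # space-separated accounts to rotate

# Read $1 random bytes from the kernel and print them as 2*$1 hex characters.
gen_password() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

rotate_account() {   # $1 = account name
    user=$1
    pw=$(gen_password 16)

    # Refuse to set a short or empty value (e.g. /dev/urandom unreadable).
    [ "${#pw}" -eq 32 ] || { echo "rotate: no random data for $user" >&2; return 1; }

    # The secret goes to chpasswd on stdin, so it is never placed on a
    # command line where ps could show it. A failure is reported loudly:
    # a missed rotation is what leads to an expired service account.
    "$CHPASSWD" <<EOF || { echo "rotate: chpasswd failed for $user" >&2; return 1; }
$user:$pw
EOF

    # The value is deliberately not stored anywhere; an admin who needs the
    # account can reach it with sudo, as suggested in the thread.
    unset pw
}

# Only act when asked to, so the file can be sourced and tested safely.
# Example crontab entry (1st of every second month, 03:00):
#   0 3 1 */2 * ROTATE_NOW=1 /path/to/this/script
if [ "${ROTATE_NOW:-0}" = 1 ]; then
    for u in $ACCOUNTS; do
        rotate_account "$u" || exit 1
    done
fi
```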
ASKER
> Why not lock the shell to /bin/nologin /bin/true or /bin/false?
Certainly that did cross my mind but specifically what the Ernst Young audit
wants is still to periodically change the password; concerned that if I set
the SHELL to nologin/false, nagios/oracle/... accounts may break
ASKER
That binary package Noci gave works: I managed to remote in to test.
Next question my management asks: how to ascertain this binary is
clean: well, I use ClamAV & Trendmicro AV to scan it.
Or rather I should say it comes with source codes plus binary bundled,
so trust the source codes & thus trust the binary
SOLUTION
If you need to trust the binary then you need to build from source! AFTER vetting the source.
ASKER