sunhux

asked on

Shell/Perl scripts to automate periodic changing of Solaris/RHEL passwords

Q1:
Without a TCL/Expect script, can someone provide a Shell/Perl script or way to automate changing of a couple
of Solaris account passwords every 60 days? This is for nagios (& a couple of other) Solaris accounts which we
have to auto-expire but we can't afford to miss, else the expired password would cause service disruption.
Passwd, usermod or RHEL's chage can't read input from a file, thus I've not been able to find a Shell/Perl
script to do this. However, we don't want to install TCL/Expect in our Solaris 10.

Q2:
If we use sed or awk to change the 'hashed' password field of /etc/shadow, would Solaris (or even RHEL)
deem the password has been changed, or will UNIX still deem it's not changed yet as we're editing the
shadow/passwd files directly instead of using commands like passwd/usermod/chage to change
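Added example for Q2 (not from the thread or any of its participants): in the shadow(4) layout, password aging is computed from the third field (lastchg, days since 1970-01-01) plus the max field, so rewriting only the hash field leaves the expiry date where it was. The sample lines, placeholder hashes, function names and the fixed day number are constructed; the functions work on text passed in, never on /etc/shadow.

```shell
#!/bin/sh
# Constructed sample in shadow(4) layout:
#   name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg = day of last password change, counted in days since 1970-01-01.
SAMPLE='nagios:HASH_OLD_PLACEHOLDER:19000:0:60:7:::
oracle:HASH_OLD_PLACEHOLDER:19050:0:60:7:::
root:HASH_PLACEHOLDER:19000::::::'

# Assumption: a POSIX awk with -v support (on Solaris 10 that is nawk or
# /usr/xpg4/bin/awk rather than /usr/bin/awk).

# days_left <shadow-text> <user> <today-in-epoch-days>
# Prints the days until the password expires, or "never" when aging is off.
days_left() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v t="$3" '
        $1 == u {
            if ($3 == "" || $5 == "") print "never"
            else print $3 + $5 - t
        }'
}

# rewrite <shadow-text> <user> <new-hash> [new-lastchg]
# Three arguments mimic a sed/awk edit of the hash field alone; the
# optional fourth also stamps lastchg, which the passwd command does itself.
rewrite() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v u="$2" -v h="$3" -v t="$4" '
        $1 == u { $2 = h; if (t != "") $3 = t }
        { print }'
}

# Constructed "today" so the output is reproducible; a live check could
# use: perl -e 'print int(time/86400)'
TODAY=19055

echo "before any edit   : $(days_left "$SAMPLE" nagios "$TODAY") days left"
hash_only=$(rewrite "$SAMPLE" nagios HASH_NEW_PLACEHOLDER)
echo "hash field only   : $(days_left "$hash_only" nagios "$TODAY") days left"
both=$(rewrite "$SAMPLE" nagios HASH_NEW_PLACEHOLDER "$TODAY")
echo "hash and lastchg  : $(days_left "$both" nagios "$TODAY") days left"
echo "root (no max set) : $(days_left "$SAMPLE" root "$TODAY")"
```

The same days_left calculation, run from cron against the real accounts, gives an early warning before a service account expires.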
SOLUTION
noci

sunhux

ASKER

That command is built-in for Linux but Solaris x86 specifically, will need hunting around if there's a binary port.
sunhux

ASKER

There's a few sites mentioning chpasswd for Solaris but its binary package is
nowhere to be found.
The sources are here: https://github.com/shadow-maint/shadow
more specific: https://github.com/shadow-maint/shadow/blob/master/src/chpasswd.c

At least Solaris is mentioned in the configure script.
sunhux

ASKER

Thanks for the source codes of chpasswd.c: is there any
binary for Solaris x86? We are unfamiliar with compiling/make.
ASKER CERTIFIED SOLUTION
sunhux

ASKER

Thanks, the changepass_sol10_x86.tar.gz is probably the required binary package.
Testing it out on Monday.
Have not used Solaris in a while.
See if the following changes a test user's passwd:
usermod -p 'newpassword' testusername

If so, you can use a bash or perl script running under cron that will randomly change the password for the designated user.

https://stackoverflow.com/questions/32484504/using-random-to-generate-a-random-string-in-bash
once you have the string...

Why not lock the shell to /bin/nologin, /bin/true or /bin/false?
And if an admin needs to operate as the nagios user, the shell can be changed and then changed back.
When using sudo to change user, the shell can be selected as well.

sudo -s -u nagios should get you a shell with nagios uid irrespective of the shell setup in /etc/passwd
sunhux

ASKER

> Why not lock the shell to /bin/nologin /bin/true or /bin/false?
Certainly that did cross my mind but specifically what the Ernst Young audit
wants is still to periodically change the password; concerned that if I set
the SHELL to nologin/false, nagios/oracle/... accounts may break.
sunhux

ASKER

That binary package Noci gave works: I managed to remote in to test.
Next question my management asks: how to ascertain this binary is
clean: well, I use ClamAV & Trendmicro AV to scan it.

Or rather I should say it comes with source codes plus binary bundled,
so trust the source codes & thus trust the binary.
SOLUTION
If you need to trust the binary then you need to build from source! AFTER vetting the source.