Shell/Perl scripts to automate periodic changing of Solaris/RHEL passwords

sunhux
Q1:
Without a TCL/Expect script, can someone provide a Shell/Perl script or way to automate changing of a couple
of Solaris account passwords every 60 days? This is for nagios (& a couple other) Solaris accounts which we
have to auto-expire but we can't afford to miss, else the expired password would cause service disruption.
Passwd, usermod or RHEL's chage can't read input from a file, thus I've not been able to find a Shell/Perl
script to do this. However, we don't want to install TCL/Expect in our Solaris 10.

Q2:
If we use sed or awk to change the 'hashed' password field of /etc/shadow, would Solaris (or even RHEL)
deem the password has been changed or UNIX will still deem it's not changed yet as we're editing the
shadow/passwd files directly instead of using commands like passwd/usermod/chage to change
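
Added example, not part of the original thread or any participant's code: Q2 turns on the third field of a shadow entry, lastchg (days since 1 January 1970), which password aging reads together with max, so rewriting only the hash leaves the expiry date where it was. The script works on a constructed sample in shadow(4) layout; the function names and sample values are assumptions, and it needs a POSIX shell and awk (on Solaris 10: /usr/xpg4/bin/sh and /usr/xpg4/bin/awk).

```shell
#!/bin/sh
# Added example. Constructed sample in shadow(4) layout (no real accounts/hashes):
#   name:hash:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW='nagios:$5$constructed$hashA:19000:0:60:7:::
oracle:$5$constructed$hashB:19040:0:60:7:::
backup:$5$constructed$hashC:19010:0:60:7:::
daemon:NP:6445::::::
svcold:$5$constructed$hashD::0:60:7:::'

# Today as days since 1970-01-01, the unit lastchg uses (assumes perl on PATH).
today_days() { perl -e 'print int(time / 86400), "\n"'; }

# expiring_within SHADOW_TEXT TODAY WINDOW
# Prints "name days_left" for every entry whose password expires within WINDOW
# days; a negative days_left means it has already expired.
expiring_within() {
    printf '%s\n' "$1" | awk -F: -v today="$2" -v window="$3" '
        $3 == "" || $5 == "" || $5 < 0 { next }  # no aging data: skip
        {
            left = $3 + $5 - today               # lastchg + max - today
            if (left <= window) print $1, left
        }'
}

# rewrite_entry SHADOW_TEXT NAME NEWHASH [TODAY]
# Replaces the hash of NAME; lastchg is updated only when TODAY is given.
rewrite_entry() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v n="$2" -v h="$3" -v t="$4" '
        $1 == n { $2 = h; if (t != "") $3 = t }
        { print }'
}

TODAY=19062   # fixed (constructed) date so the output is repeatable
echo "before any change:"
expiring_within "$SAMPLE_SHADOW" "$TODAY" 14
echo "hash edited only:"
expiring_within "$(rewrite_entry "$SAMPLE_SHADOW" nagios 'NEWHASH')" "$TODAY" 14
echo "hash and lastchg updated:"
expiring_within "$(rewrite_entry "$SAMPLE_SHADOW" nagios 'NEWHASH' "$TODAY")" "$TODAY" 14
```

Run from cron with today_days in place of the fixed TODAY, the expiring_within check gives early warning for the service accounts that must not lapse.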
noci, Software Engineer
Distinguished Expert 2018
How about using chpasswd?

man chpasswd gives its usage.

(You can feed it a list of username:password pairs  through STDIN).
And it can do multiple users in one run...

Author

Commented:
That command is built-in for Linux, but Solaris x86 specifically will need hunting around to see if there's a binary port.

Author

Commented:
There are a few sites mentioning chpasswd for Solaris, but its binary package is
nowhere to be found.

noci, Software Engineer
Distinguished Expert 2018
The sources are here: https://github.com/shadow-maint/shadow
More specifically: https://github.com/shadow-maint/shadow/blob/master/src/chpasswd.c

At least Solaris is mentioned in the configure script.

Author

Commented:
Thanks for the source code of chpasswd.c. Is there any
binary for Solaris x86? We are unfamiliar with compiling/make.
Software Engineer
Distinguished Expert 2018
This might be helpful: http://www.wagemakers.be/downloads/cgipaf
In there is a Solaris 10 x86 version.

Author

Commented:
Thanks, the changepass_sol10_x86.tar.gz is probably the required binary package.
Testing it out on Monday.
Distinguished Expert 2017
Have not used Solaris in a while.
See if the following changes a test user's passwd:
usermod -p 'newpassword' testusername

If so, you can use a bash or perl script running under cron that will randomly change the password for the designated user.

https://stackoverflow.com/questions/32484504/using-random-to-generate-a-random-string-in-bash
Once you have the string...

Why not lock the shell to /bin/nologin /bin/true or /bin/false?
And if an admin needs to operate as the nagios user, the shell can be changed and then changed back.
noci, Software Engineer
Distinguished Expert 2018
When using sudo to change a user, the shell can be selected as well.

sudo -s -u nagios should get you a shell with nagios uid irrespective of the shell setup in /etc/passwd.

Author

Commented:
> Why not lock the shell to /bin/nologin /bin/true or /bin/false?
Certainly that did cross my mind, but specifically what the Ernst Young audit
wants is still to periodically change the password; concerned that if I set
the SHELL to nologin/false, nagios/oracle/... accounts may break.

Author

Commented:
That binary package Noci gave works: I managed to remote in to test.
Next question my management asks: how to ascertain this binary is
clean: well, I use ClamAV & Trend Micro AV to scan it.

Or rather I should say it comes with source code plus binary bundled,
so trust the source code & thus trust the binary.
Distinguished Expert 2017
You have to trust the source from which you downloaded the package.
Having source unless you go through it to .....

You could use truss -f
to run the command to see what it does in a test environment.
Run the strings program.
noci, Software Engineer
Distinguished Expert 2018
If you need to trust the binary then you need to build from source! AFTER vetting the source.
