Ottawa Valley SAGE

Providing a forum since 1998

Jul 4, 2009 - 3 minute read

Mass password changes...

Every now and then you have to do one of those fun tasks like change the passwords on everything at a site or data center or whatever. Bloody frustrating is what it is when you have to do this for a couple of hundred unix boxes AND you have to use different passwords depending on what the box is classified as.

Back in the day (early 1990's), Don Libes put together a Tcl toolkit called expect, which can automate all manner of interactive things. I have used it over the years and always liked it. Included in the kit are sample scripts, one of which is called passmass, specifically designed to do the kind of task I described above. Problem solved.

In the 18 or so years since Don wrote the version of passmass that is out there, we have made some changes to the way we log in. The tool does support ssh (also called slogin), so that is not the issue. The problem comes when you have ssh authorized_keys set up: the login password prompt never appears, and the script fails because the prompt it expects is missing.

Hack time! Carving out the bits that make the script fail is not difficult, and you can make a few assumptions in a controlled environment about how this will be used, especially in an NIS based environment (don't ask). All you really need to handle is the case where the host key has to be added to your known_hosts file; after that, it is just a matter of running the passwd command on the target box once logged in. Yes, you in the back? No, we don't use NIS for the root account. Think about it.

Anyway, after some modifications, and adding a case for NetApp (when you run the passwd command there, it asks which login's password you want to change), it handles Solaris, Linux and Data ONTAP very well.

How do you handle the various passwords? You write a wrapper script that calls the tool multiple times, each time with the list of machines that one password applies to. It even blanks the password on the command line, and since it is ssh based, no clear-text password crosses the network.
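The key-based login, known_hosts and passwd handling described above, as an added expect script that is not the original passmass or the author's modified copy; a wrapper would call it once per password class with that class's host list. The script name keypass.exp, the NEWPASS/OLDPASS environment variables, the prompt strings and the "success" message check are assumptions.

```tcl
#!/usr/bin/expect -f
# Added example, not the original passmass nor the author's modified copy.
# Assumes ssh public-key login already works as $user on every host, so a
# login password prompt is treated as failure. The new password (and, for
# non-root accounts, the current one) come from the environment, not argv,
# so they never show in `ps` output. Prompt texts and the "success" message
# check are assumptions covering typical Solaris, Linux and Data ONTAP passwd.
# Usage: NEWPASS=... [OLDPASS=...] ./keypass.exp user host1 host2 ...

if {[llength $argv] < 2 || ![info exists env(NEWPASS)]} {
    send_user "usage: NEWPASS=... $argv0 user host ...\n"
    exit 1
}
set user  [lindex $argv 0]
set hosts [lrange $argv 1 end]
set newpw $env(NEWPASS)
set oldpw ""
if {[info exists env(OLDPASS)]} { set oldpw $env(OLDPASS) }
set timeout 20
log_user 0   ;# never echo the session (and with it the passwords)

foreach host $hosts {
    spawn ssh -l $user $host
    # Log in: answer the first-contact host key question so the key lands in
    # known_hosts, then wait for a shell (or Data ONTAP "filer>") prompt.
    expect {
        -re {\(yes/no.*\)\?} { send "yes\r"; exp_continue }
        -re {[Pp]assword:}   { send_user "$host: no key login, skipped\n"; close; wait; continue }
        -re {[$#>%] $}       {}
        timeout { send_user "$host: login timed out\n"; close; wait; continue }
        eof     { send_user "$host: connection closed\n"; wait; continue }
    }
    # Drive passwd: current/existing password (non-root Unix), "login:" for
    # Data ONTAP's which-account question, then new password plus the retype.
    set ok 0
    send "passwd\r"
    expect {
        -re {(?i)(current|existing|old).*password:} { send "$oldpw\r"; exp_continue }
        -re {(?i)login:}         { send "$user\r"; exp_continue }
        -re {(?i)new.*password:} { send "$newpw\r"; exp_continue }
        -re {(?i)success}        { set ok 1; exp_continue }
        -re {[$#>%] $}           {}
        timeout { send_user "$host: passwd did not finish\n" }
    }
    send "exit\r"
    expect eof
    wait
    if {$ok} { send_user "$host: changed\n" } else { send_user "$host: FAILED\n" }
}
```

Hosts whose passwd output never contains "success" are reported as FAILED even if the change went through, so check one host of each type by hand before trusting the summary.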

A quick test on just the desktop unix boxes shows that it can change the passwords on 50 machines in less than 30 seconds, so other than the time to input the various classes of password, it is very fast. I suspect that it will take approximately 2 minutes to change everything when I run it on Monday.

Why Monday? Easy!

Never, never make changes late on a Friday afternoon! Unless you like working on the weekend.