On May 2, 11:51 pm, ag4ve...@gmail.com (shawn wilson) wrote:
> On May 2, 2011 2:14 PM, "Kenneth Wolcott" <kennethwolc...@gmail.com> wrote:
>
> >   It looks like you have a great working system for annually forcing
> > the change of UNIX passwords in a systematic manner, but it would
> > definitely not be good to emulate your system in the general case
> > because very few people on this list (I'm betting here) are in such a
> > situation, as you have described in your answer to Shawn.  Your
> > script(s) work almost flawlessly without the controls normally very
> > necessary because you have externally controlled the conditions so
> > thoroughly.  Therefore your solution is definitely not one that can be
> > emulated generally.
>
> This is almost certainly OT here, but there are very popular solutions for
> doing this that are most certainly more fault tolerant and secure. I submit
> LDAP, NIS, and ypbind (in order of preference).
>
> Jim might be working with systems that are normally kept offline (metal
> detectors and chemical monitoring come to mind) where this might not be a
> viable solution. Or there are political reasons (probably both). However for
> most, this is (badly) reinventing the wheel.
>
> Actually, if anyone thinks of implementing security on their own, they will
> probably fail BADLY. I can think of two examples off hand and could probably find
> at least a dozen more public examples where this has happened. So, if you
> are dealing with access control (passwords apply here), databases, web
> design, or physical access, think very long (and I do mean long) if you are
> considering not using a prebuilt API.

Expect is the best language for this. We use it for the same purpose
(bulk user password change). The script would:

1. log in as a normal user to the system using SSH (from some
   controlling or centralized system);
2. su to root by providing the root password;
3. change the password of the particular user (or return with the result).

Since all the arguments,

  user to log in as
  password for the login user
  root password
  user whose password is to be changed
  new password to set

are passed as arguments, they are not stored anywhere.

Hope this helps. Find the script below.

#!/usr/bin/expect -f
#    This script changes an AIX system user's password: it logs in over
#    SSH as a normal user, runs "su -" to become root and then runs passwd
#    for the target user. (The original telnet login has been replaced by
#    SSH, as the header note asked.)
#
# Usage: <script> <serverip> <login_user> <login_pass> <userid> <newpasswd> <rootpasswd>
#                   <serverip>   -  host name or IP address of the AIX server
#                   <login_user> -  user id to log in as for the passwd change
#                   <login_pass> -  login user password
#                   <userid>     -  userid for which the password is to be changed
#                   <newpasswd>  -  new password for userid <userid>
#                   <rootpasswd> -  root password for "su -"
#
# Assumptions:
#   * an ssh client program is available in PATH on the local system
#   * SSH is enabled on the AIX server and its host key is already in known_hosts
#   * a normal user is used to log in to the server
#   * shell prompts always end in "# " or "$ "
#   * other errors are reported appropriately

if { $argc != 6 } {
  send_user "Usage: $argv0 <serverip> <login_user> <login_pass> <userid> <newpasswd> <rootpasswd>\n"
  send_user "       <serverip>   -  host name or IP address of the AIX server\n"
  send_user "       <login_user> -  user id to log in as for the passwd change\n"
  send_user "       <login_pass> -  login user password\n"
  send_user "       <userid>     -  userid for which the password is to be changed\n"
  send_user "       <newpasswd>  -  new password for userid <userid>\n"
  send_user "       <rootpasswd> -  root password for su -\n"
  exit 1
}

set serverip      [lindex $argv 0]
set ruser         [lindex $argv 1]
set rpass         [lindex $argv 2]
set userid        [lindex $argv 3]
set newpasswd     [lindex $argv 4]
set root_password [lindex $argv 5]

# Prompt patterns. The ssh client prompts "user@host's password: ", so the
# password prompt is matched case-insensitively; "Permission denied" is what
# OpenSSH prints after a wrong password (the telnet-era "invalid login" is kept).
set shell_prompt    ".*(#|\\$) *"
set passwd_prompt   "(P|p)assword: "
set hostkey_prompt  "\\(yes/no.*\\)\\? "
set invld_login     "(invalid login|Permission denied).*"
set su_prompt       "root's Password: "

exp_internal 0
set timeout 5
set retcode 0

# Log in to the server as the normal user.
spawn ssh -l $ruser $serverip
expect {
  -re $hostkey_prompt {
    send_user "Host key for $serverip is not in known_hosts. Add it first. Exiting\n"
    exit 4
  }
  -re $passwd_prompt {
    send "$rpass\r"
    expect {
      -re $invld_login {
        send_user "Wrong login user ($ruser) password. Exiting\n"
        exit 1
      }
      -re $shell_prompt {
        send_user "Logged in successfully\n"
        # Start task on the AIX server: become root, then change the password.
        send "su -\r"
        expect {
          -re $su_prompt {
            send "$root_password\r"
            expect {
              -re ".* denied" {
                send_user "Wrong root password. Exiting\n"
                exit 1
              }
              -re $shell_prompt { }
              timeout { send_user "Timeout waiting for the root shell prompt\n"; exit 3 }
            }
          }
          timeout { send_user "Timeout waiting for the su password prompt\n"; exit 3 }
        }
        send "passwd $userid\r"
        expect {
          -nocase -re "New password: " {
            send "$newpasswd\r"
            expect -nocase -re "new password again: *" {
              send "$newpasswd\r"
              expect -re $shell_prompt {
                send_user "Password for user $userid successfully changed\n"
                send "exit\r"
                set retcode 0
              }
            }
          }
          -nocase -re "does not exist" {
            send_user "User $userid does not exist in system\n"
            set retcode 1
            exit $retcode
          }
          timeout { send_user "Error occurred while changing password\n"; set retcode 1 }
          eof     { send_user "Error occurred while changing password\n"; set retcode 1 }
        }
        # End task
      }
      eof     { send_user "Shell prompt not appeared\n"; set retcode 2 }
      timeout { send_user "Timeout happened while waiting for prompt\n"; set retcode 3 }
    }
  }
  timeout { send_user "Connection to $serverip failed. Password prompt not appeared\n"; set retcode 1 }
  eof     { send_user "Connection to $serverip failed. Password prompt not appeared\n"; set retcode 1 }
}

exit $retcode


--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
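The post above reasons that because the login password, root password and new password are handed to the Expect script as command-line arguments they are "not stored anywhere". The added example below (editor's code, not from the post or the script it carries) checks what that hand-off actually exposes on the controlling host: a running process's argv is readable by every local user through /proc/<pid>/cmdline, which is what `ps` prints, for as long as the process lives, and an Expect session lives for the whole login. It spawns two child processes with a constructed placeholder secret, once in argv and once over a stdin pipe, and reports which of the two a local `ps` reader could see. The Linux /proc layout is assumed, with `ps -o args=` as a fallback; the child commands and the secret value are constructed for the demonstration.

```python
"""Show what a local observer sees of a password passed as a command-line
argument, versus one passed on stdin.  Added example; the secret below is a
constructed placeholder, not a credential from the list post."""
import os
import subprocess
import sys

CONSTRUCTED_SECRET = "constructed-Pa55w0rd"  # placeholder, not a real credential


def visible_cmdline(pid):
    """Return the argv of `pid` as any local user sees it in `ps`.

    On Linux this is /proc/<pid>/cmdline, which is world-readable unless
    /proc is mounted with hidepid.  Falls back to `ps` where /proc is absent."""
    path = f"/proc/{pid}/cmdline"
    if os.path.exists(path):
        with open(path, "rb") as f:
            return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                         capture_output=True, text=True, check=True).stdout
    return out.split()


def spawn_with_secret_in_argv(secret):
    """Child that receives the secret the way the Expect script does: in argv.
    The child body is constructed; it just idles so its argv can be inspected."""
    return subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", secret],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def spawn_with_secret_on_stdin(secret):
    """Child that reads the secret from a pipe on stdin; its argv never holds it."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import sys, time; sys.stdin.readline(); time.sleep(30)"],
        stdin=subprocess.PIPE, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    child.stdin.write((secret + "\n").encode())
    child.stdin.flush()
    return child


def secret_leaks(spawner, secret):
    """Spawn a child via `spawner` and report whether `secret` shows in its argv.

    Popen returns only after the child has exec'd, so the cmdline read here is
    the child's own, not the fork's copy of ours."""
    child = spawner(secret)
    try:
        return any(secret in arg for arg in visible_cmdline(child.pid))
    finally:
        child.kill()
        child.wait()


def compare(secret=CONSTRUCTED_SECRET):
    """Return (leaks_via_argv, leaks_via_stdin) for the two hand-off methods."""
    return (secret_leaks(spawn_with_secret_in_argv, secret),
            secret_leaks(spawn_with_secret_on_stdin, secret))


if __name__ == "__main__":
    argv_leak, stdin_leak = compare()
    print(f"secret visible in ps when passed as an argument: {argv_leak}")
    print(f"secret visible in ps when passed on stdin:       {stdin_leak}")
```

The argv variant reports the secret as visible and the stdin variant does not. The same applies to an Expect script invoked with passwords on its command line: nothing is written to disk, but the values are readable by other users of the controlling host while the session runs, and they also land in that host's shell history. Reading them from stdin, or from a file only the invoking user can read, keeps the "not stored anywhere" property without that exposure.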

