Solaris 10 bulk password setting via sed

We have a client that likes to generate their own /etc/shadow password hashes and have us assign them to a bulk list of their userids. This enables them to not have to pass along a plain-text password to us, their hosting provider. We’re in the process of transitioning this client to our LDAP configuration, but until we get them converted it’s each individual machine and I wasn’t thrilled about having to spend an entire day to vi the shadow file on more than 50 servers for 17 userids on each server.

Prior to Solaris 10 this was easy enough to do via a script given the limited characters for password generation. I needed to figure out a way to script it out for Solaris 10 with the inclusion of $ and / into the password hashes. I finally got it working via command line and then had to slightly modify the way it was done via script. The only funkiness I noticed was the literal interpretation of $ when read in from a variable, so please note that the line in the script containing the password must include “\” prior to every occurrence of $.

For example, if the password hash (salt and all) is “$1$aQmSf/ZM$CBSTF10TXrvpOe..OaCtH/” then you’ll need to set it into the script’s variable thusly:

PASSWD="\$1\$aQmSf/ZM\$CBSTF10TXrvpOe..OaCtH/"

I added a few idiot checks around the script since wiping out your /etc/shadow file is never a fun thing to explain to the boss. Feel free to tweak this if you can think of any other ways to streamline it or any additional idiot checks. Please also note that while this script does clean up after itself in the /root/scripts working directory, it will leave a time-stamped copy of /etc/shadow in /etc in case you run into any need to rollback your changes.

#!/usr/bin/bash

# Check for userid

if [[ -z "$1" ]]
then
    echo " Usage: pwchange.sh <userid>"
    exit 1
fi

DATE=`date +%m%d%y%H%M%S`
USER=$1
# Anchor the match on "userid:" at the start of the line so that, for
# example, "bob" does not also match "bobby" or a hash that contains "bob".
OLDPW=`grep "^$USER:" /etc/shadow | cut -f 2 -d ":"`
USERCK=`grep "^$USER:" /etc/shadow | wc -l`

# Check if userid exists in /etc/shadow.

if [[ $USERCK -lt 1 ]]
then
    echo "No users matching $USER"
    exit 1
fi

# Check if multiple userids exist. If there are, fail out.

if [[ $USERCK -gt 1 ]]
then
    echo "Multiple users matching $USER"
    exit 1
fi

# Every $ in the hash must be escaped so bash stores it literally.
PASSWD="\$1\$aQmSf/ZM\$CBSTF10TXrvpOe..OaCtH/"

# Check if password has already been set to salt.

if [[ "$OLDPW" = "$PASSWD" ]]
then
    echo "Password already matches for $USER"
    exit 0
fi

echo "Setting password for $1"

# Keep a time-stamped copy of /etc/shadow for rollback, then replace the whole
# password field of the matching line. The old value is not used in the sed
# pattern, so an empty field or a locked account ("*LK*") is handled as well,
# and using "|" as the delimiter means the "/" in the hash needs no escaping.
/usr/bin/cp -p /etc/shadow /etc/shadow.$DATE
/usr/bin/cp -p /etc/shadow /root/scripts/shadow
/usr/bin/sed -e "s|^\($USER:\)[^:]*|\1$PASSWD|" /root/scripts/shadow > /etc/shadow
/usr/bin/rm /root/scripts/shadow


3 Responses to “Solaris 10 bulk password setting via sed”

  1. Bill Says:

    Neat script, but it fails when either the password is empty or the account is locked ("*LK*" in the password field of /etc/shadow).

    The account will be locked when you create it.
    passwd -d or passwd -u on a newly-created account empty the password and the sed statement fails.

    The solution I found (because I don't have time right now to mess with sed) was to run "passwd -N" on the account before running this script to set the password.

    Thanks for posting your script!
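The failure Bill describes (an empty password field after passwd -d, or "*LK*" in a locked account, breaking the sed substitution) goes away if the script replaces the whole second field of the matching line instead of searching for the old value. The script below is an added example, not the post's script or Bill's: it takes the shadow-format file as a parameter and builds a constructed sample with made-up hashes, so it can be run safely without touching /etc/shadow; its hash validation rules and the sample entries are assumptions. On Solaris 10 run it with /usr/bin/bash or /usr/xpg4/bin/sh, since /bin/sh there does not understand $(...).

```shell
#!/bin/sh
# Added example, not the script from the post: replaces the password field of
# one user in a shadow(4)-format file with a pre-computed crypt hash.  It takes
# the file as a parameter so it can be exercised on a constructed copy instead
# of /etc/shadow.  The hash rules and the sample entries below are assumptions.

# set_hash FILE USER HASH  ->  0 on success, non-zero (file untouched) on error
set_hash() {
    file=$1 user=$2 hash=$3
    nl='
'
    # The user name becomes part of a regex; allow only the characters Solaris
    # useradd accepts so a crafted name cannot widen the match.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "bad user name" >&2; return 2 ;;
    esac
    # Reject anything that would corrupt the file or confuse sed: an empty
    # string, a field separator, a newline, or sed's own "&", "\" and "|".
    case $hash in
        ''|*:*|*"$nl"*|*'&'*|*'\'*|*'|'*) echo "bad hash" >&2; return 2 ;;
    esac
    # Accept only "$id$..." crypt(3) strings (e.g. $1$ MD5 on Solaris 10);
    # traditional 13-character DES hashes are out of scope for this example.
    printf '%s\n' "$hash" | grep -q '^\$[0-9a-z]\{1,4\}\$' || {
        echo "hash is not a \$id\$salt\$hash crypt string" >&2; return 2; }

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Anchor on "^user:" so "bob" cannot match "bobby"; require exactly one entry.
    count=$(grep -c "^$user:" "$file" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 entry for $user, found $count" >&2; return 3; }

    # Nothing to do if the hash is already in place.
    cur=$(grep "^$user:" "$file" | cut -d: -f2)
    [ "$cur" = "$hash" ] && return 0

    # Replace the whole second field, whatever it holds now: a hash, the empty
    # field left by "passwd -d", or "*LK*" for a locked account.  The old value
    # never enters the regex, so it needs no escaping.  "|" is the delimiter,
    # so "/" in the hash is literal; "$" is literal in a sed replacement.
    tmp="$file.new.$$"
    cp -p "$file" "$tmp" || return 4        # same mode and owner as the original
    sed -e "s|^\($user:\)[^:]*|\1$hash|" "$file" > "$tmp" || { rm -f "$tmp"; return 4; }
    mv "$tmp" "$file"
}

# field2 FILE USER -> the password field of USER (used by the demo below)
field2() { grep "^$2:" "$1" | cut -d: -f2; }

# Constructed sample (made-up hashes): a normal user, a locked account, a user
# with an empty password field, and "bobby" to catch an unanchored grep.
make_sample() {
    cat > "$1" <<'EOF'
root:$1$abcdefgh$QaLpNjS6jR1r4RW5Y4NZ9.:15000::::::
bob:*LK*:15000::::::
bobby:$1$ijklmnop$eG9bQqRj7a9YyB8x2t3kA1:15000::::::
carol::15000::::::
EOF
}

demo() {
    f=${TMPDIR:-/tmp}/shadow.sample.$$
    h='$1$aQmSf/ZM$CBSTF10TXrvpOe..OaCtH/'     # the hash quoted in the post
    make_sample "$f"
    set_hash "$f" bob   "$h"    # locked account: "*LK*" is replaced
    set_hash "$f" carol "$h"    # empty password field is replaced
    set_hash "$f" dave  "$h"    # no such user: refused, file untouched
    cat "$f"
    rm -f "$f"
}

[ "${1-}" = demo ] && demo
```

Run it as "sh pwset.sh demo" to see the sample file before and after. Because the temporary copy is made with cp -p and then moved over the original, the rewritten file keeps the restrictive mode of the shadow file rather than the caller's umask, which matters once the target really is /etc/shadow.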

  2. Eric Says:

    Thanks for posting this script. Regarding idiot proof checks – you might want to qualify all commands used, such as:

    date as /usr/bin/date
    grep as /usr/bin/grep
    cut as /usr/bin/cut
    echo …
    sleep …
    wc …

    Eric

  3. Fabio Says:

    Is there a command equivalent to this: "echo $password | passwd --stdin root" for SOLARIS 10 x86?

