Unix Shell - need script advice

vinayagar

2006-11-23, 7:33 am

hi world,

i'm a system admin for unix, and new to the sh scripting world, but i have
some basic sh script ideas.
kindly help me
i want to write a shell script,

# scriptname.sh oldtext newtext

inside the script i need to execute the `passwd` command
1, once the passwd cmd is executed, it asks for the old UNIX password; here
i'm putting my variable (oldtext)
2, then it asks for the new password; here i'm putting my variable called
(newtext), and it asks to retype the password a second time, so again i
call the (newtext) variable.

for this i need to write a script. i'm stuck; can anyone help me..

this is my script....
oldtext=$1
newtext=$2
echo `passwd`
?????????< no idea>


vinayag

Bruce Barnett

2006-11-23, 7:33 am

"vinayagar" <ravinayag@gmail.com> writes:

> inside the script i need to execute the `passwd` command
> 1, once the passwd cmd is executed, it asks for the old UNIX password; here
> i'm putting my variable (oldtext)
> 2, then it asks for the new password; here i'm putting my variable called
> (newtext), and it asks to retype the password a second time, so again i
> call the (newtext) variable.


The passwd program reads its input from a terminal, not a script.
So you need a way to pretend to be a terminal. Look into "expect"

Alternately, you can just edit the /etc/passwd (and /etc/shadow) file
directly.



--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
vinayagar

2006-11-23, 1:16 pm

i want to do it without root authentication.

once the script is ready then i have to populate it to users.
so editing /etc/passwd or shadow is not possible.

i have to use only the passwd command for this.

vinayag


Kenny McCormack

2006-11-23, 1:16 pm

In article <1164293248.306911.246590@f16g2000cwb.googlegroups.com>,
vinayagar <ravinayag@gmail.com> wrote:
>i want to do it without root authentication.


Impressive!

>once the script is ready then i have to populate it to users.
>so editing /etc/passwd or shadow is not possible.


Wouldn't it be neat if you *could* add users w/o being root?

>i have to use only the passwd command for this.


Not likely to work.
vinayagar

2006-11-23, 1:16 pm

> Wouldn't it be neat if you *could* add users w/o being root?

because it's going to be run by the respective users, so root authentication is
not required.


> Not likely to work.


in a script we have to run this passwd command and place the defined
values;
it is possible.

vinayag



PDreyer

2006-11-24, 7:24 am



On Nov 23, 5:26 pm, "vinayagar" <ravina...@gmail.com> wrote:
--snip,snip --
> i want to write a shell script,
> # scriptname.sh oldtext newtext
--snip,snip --

So what's wrong with the user executing the passwd command?

> values
> it is possible.

Yes. Where do the defined values come from?

vinayagar

2006-11-24, 7:24 am

> So what's wrong with the user executing the passwd command
sometimes a user wants to keep the current passwd as it is about to expire;
the last 5 passwds are kept in the passwd history,
so he needs to do it five times to retain the current passwd.

so if i put it in a script, then i call the values...






PDreyer

2006-11-24, 7:24 am




On Nov 24, 11:17 am, "vinayagar" <ravina...@gmail.com> wrote:
> the last 5 passwds are kept in the passwd history,
> so he needs to do it five times to retain the current passwd.
>
> so if i put it in a script, then i call the values...

How do you save the new password passed, and how do you prevent the user
from editing the file?
You can use "expect" as already suggested.
Here is some code for you to play with.
You can add some code in place of the 'sleep 2' command to check the
telnetout file for errors or wait for a command prompt etc.
[code]
#!/usr/bin/bash
uid=$1
oldpw=$2
newpw=$3
telnetcmd=/tmp/telnetcmd.tmp$$      # commands that will be fed to telnet
telnetout=/tmp/telnetout.tmp$$      # copy of the telnet session output
touch $telnetcmd                    # corrected per the follow-up below (was: touch $telnetout)
# keep a telnet session reading whatever gets appended to $telnetcmd
tail -f $telnetcmd | telnet | tee $telnetout &
echo "open localhost" >>$telnetcmd
sleep 2
echo "$uid" >>$telnetcmd            # login name
sleep 2
echo "$oldpw" >>$telnetcmd          # login password
sleep 2
echo "passwd $uid" >>$telnetcmd
sleep 2
echo "$oldpw" >>$telnetcmd          # passwd: current password
sleep 2
echo "$newpw" >>$telnetcmd          # passwd: new password
sleep 2
echo "$newpw" >>$telnetcmd          # passwd: retype new password
sleep 2
echo "exit" >>$telnetcmd
sleep 2
rm $telnetcmd $telnetout
[/code]

PDreyer

2006-11-24, 7:24 am



On Nov 24, 11:58 am, "PDreyer" <petrus.dre...@gmail.com> wrote:
> On Nov 24, 11:17 am, "vinayagar" <ravina...@gmail.com> wrote:
>
> from editing the file?
> You can use "expect" as already suggested.
> Here is some code for you to play with.
> You can add some code in place of the 'sleep 2' command to check the
> telnetout file for errors or wait for a command prompt etc.
> [code]
> #!/usr/bin/bash
> uid=$1
> oldpw=$2
> newpw=$3
> telnetcmd=/tmp/telnetcmd.tmp$$
> telnetout=/tmp/telnetout.tmp$$
> touch $telnetout
> tail -f $telnetcmd | telnet | tee $telnetout &
> echo "open localhost" >>$telnetcmd
> sleep 2
> echo "$uid" >>$telnetcmd
> sleep 2
> echo "$oldpw" >>$telnetcmd
> sleep 2
> echo "passwd $uid" >>$telnetcmd
> sleep 2
> echo "$oldpw" >>$telnetcmd
> sleep 2
> echo "$newpw" >>$telnetcmd
> sleep 2
> echo "$newpw" >>$telnetcmd
> sleep 2
> echo "exit" >>$telnetcmd
> sleep 2
> rm $telnetcmd $telnetout
> [/code]



Correction line 7:
touch $telnetout
should be
touch $telnetcmd

Brian Mac

2006-11-24, 7:24 am

hi,

not to sound rude, but why would you go through the effort of
developing a script ( sh / ksh / otherwise) when the passwd command by
default can do what you want? i am of the mindset that it is better to
use a tool that is already out there than inventing my own.

the passwd command by default can be run by any user - including
non-root ones. for non-root users it will prompt for their current
password then allow them to change to a new one. depending on the
flavor of unix you are running, there are many options you can specify
for your passwords (history, dictionary of known common words, etc).
please check your system's documentation.

you would not have to worry about using expect either - unless you want
to allow users to change passwords on remote systems. in that case the
expect utility is definitely something to look at.

hope this helps,
brian



Bruce Barnett

2006-11-24, 7:24 am

"vinayagar" <ravinayag@gmail.com> writes:

> i want to do it without root authentication.


You are the sysadmin. You can do it any way you want to, including the
wrong way.

Having a command that does

script oldpassword newpassword

is the wrong way. The reason is that anyone can do a "ps" command and
learn what the new password is.

That is the reason why passwd(1) reads from a terminal, and not a file.


Use expect(1) or edit the /etc/passwd file yourself.


--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
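Bruce's objection can be checked on the box itself. The following is an added example, not code from the thread: it starts a throwaway process holding a constructed secret the way `scriptname.sh oldtext newtext` would, reads that process's argument list the way any other user could, then repeats the check with the secret handed over stdin instead. It assumes a Linux /proc (falling back to ps) and a POSIX sh.

```sh
#!/bin/sh
# Added example (not from the thread): is a secret given as a command-line
# argument visible in the process table? Uses /proc on Linux, ps elsewhere.

# The argument list of process $1, as any user on the machine can read it.
argv_seen_by_others() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Returns 0 if secret $2 occurs in the visible argument list of pid $1.
secret_visible_in_argv() {
    case "$(argv_seen_by_others "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Inspects background process $1 for secret $2, prints the verdict, cleans up.
inspect_and_reap() {
    sleep 1   # give the child time to start
    if secret_visible_in_argv "$1" "$2"; then echo exposed; else echo hidden; fi
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
}

# Case 1: the secret is an argument, as in "scriptname.sh oldtext newtext".
# The two-command body keeps sh from exec'ing sleep and discarding its argv.
demo_secret_as_argument() {   # $1 = secret
    sh -c 'sleep 3; exit 0' placeholder "$1" >/dev/null 2>&1 &
    inspect_and_reap $! "$1"
}

# Case 2: the secret arrives on stdin; the command line carries none of it.
demo_secret_over_stdin() {    # $1 = secret
    printf '%s\n' "$1" | sh -c 'IFS= read -r s; sleep 3; exit 0' >/dev/null 2>&1 &
    inspect_and_reap $! "$1"
}

# Constructed secret, chosen so it cannot match anything else on a command line.
demo_secret_as_argument 'Snoopy1-constructed'   # prints: exposed
demo_secret_over_stdin  'Snoopy1-constructed'   # prints: hidden
```

With procfs mounted hidepid (the restriction Kenny McCormack describes further down), other users can no longer read /proc/<pid>/cmdline of your processes, but root and your own other sessions still can.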
Bruce Barnett

2006-11-24, 7:24 am

"PDreyer" <petrus.dreyer@gmail.com> writes:

> #!/usr/bin/bash
> uid=$1
> oldpw=$2
> newpw=$3



And anyone who does a ps can see the password.


--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
Bruce Barnett

2006-11-24, 7:24 am

"vinayagar" <ravinayag@gmail.com> writes:

> sometimes a user wants to keep the current passwd as it is about to expire;
> the last 5 passwds are kept in the passwd history,
> so he needs to do it five times to retain the current passwd.



That sounds like a value in the /etc/shadow file.
You are better off manipulating this directly.

Just edit the appropriate entry in /etc/shadow without changing the
password.



--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
Kenny McCormack

2006-11-24, 7:24 am

In article <1164369976.777062.22760@l12g2000cwl.googlegroups.com>,
Brian Mac <mcnamarabrian@gmail.com> wrote:
>hi,
>
>not to sound rude, but why would you go through the effort of
>developing a script ( sh / ksh / otherwise) when the passwd command by
>default can do what you want? i am of the mindset that it is better to
>use a tool that is already out there than inventing my own.


The issue here is that he wants to build a tool that users can use to
get around the password history/aging requirements. The system he is
working on keeps a history of 5 passwords, so he would like a tool that
will change it 5 times then back to the original.

Having explained this, I know it will provoke moral outrage here - but I
sympathize. I don't like these kinds of silly requirements imposed by
systems that are designed to somehow "save" the idjits from themselves,
but in practice just annoy real users.

I also understand that many NG readers will say: This is insane, you
should get the system requirement changed. In real life, this is easier
said than done, and a lot of life (well, my life at any rate) is
involved in finding workarounds for this sort of nonsense.

P.S. The best workaround is just to append digits to your password.
I.e., suppose you want your password to be "Snoopy". Well, the first
time you are forced to change it, make it "Snoopy1", then "Snoopy2", etc.

Kenny McCormack

2006-11-24, 1:21 pm

In article <yekslg9rnkc.fsf@grymoire.com>,
Bruce Barnett <spamhater113+U061124081655@grymoire.com> wrote:
>"PDreyer" <petrus.dreyer@gmail.com> writes:
>
>And anyone who does a ps can see the password.


A theoretical concern, at best. First of all, the window in which this
can be done is quite small. But, of course, the point is that the lore
maintains the tale of the one time, that one guy, on some system, at
some point in the distant past, managed to do this.

Secondly, modern Linux systems have the ability to wire up the /proc
filesystem so that ordinary users can only see their own processes.
This is an entirely sensible thing to do on any system that involves
potentially hostile users, so if it (this capability) isn't present on
other systems, it is sensible to assume that it soon will be.

Bruce Barnett

2006-11-24, 1:21 pm

Bruce Barnett <spamhater113+U061124081518@grymoire.com> writes:

> You are the sysadmin. You can do it any way you want to, including the
> wrong way.
>
> Having a command that does
>
> script oldpassword newpassword
>
> is the wrong way.



I apologize. I re-read your posting, and you want to use filenames
instead of directly specifying the password. That's okay.

Still - my suggestion is to use expect(1) or manipulate the values in
/etc/shadow. Modifying the parameters in /etc/shadow allows you to
turn off the requirements to change passwords.

--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
Janis

2006-11-24, 1:21 pm

Kenny McCormack wrote:
> The issue here is that he wants to build a tool that users can use to
> get around the password history/aging requirements. The system he is
> working on keeps a history of 5 passwords, so he would like a tool that
> will change it 5 times then back to the original.


And some system policies are configured to not allow changing the
password even twice during a configurable time span (usually at least
one day), so that won't work there.

> P.S. The best workaround is just to append digits to your password.
> I.e., suppose you want your password to be "Snoopy". Well, the first
> time you are forced to change it, make it "Snoopy1", then "Snoopy2", etc.


You can't imagine how many users use "Snoopy" as a password[*], and the
numbering 1..5 is used with any system that requires using different
passwords. <sarcasm> Hey, that adds greatly to security, doesn't it?
</sarcasm>

Janis

[*] Found that out by decoding (or rather inspection of) some password
files in a project to fix that "encryption" process.

Kenny McCormack

2006-11-24, 1:22 pm

In article <1164380817.053871.47790@l12g2000cwl.googlegroups.com>,
Janis <janis_papanagnou@hotmail.com> wrote:
....
>You can't imagine how many users use "Snoopy" as password[*],


Interesting. I just picked that out of the sky as an example (really & truly).

>and the numbering 1..5 is used with any system that requires using
>different passwords.


What does this mean? (Is this an "English is not my first language"
problem?)

Bill Marcum

2006-11-24, 1:22 pm

On Fri, 24 Nov 2006 15:45:09 +0000 (UTC), Kenny McCormack
<gazelle@xmission.xmission.com> wrote:
> In article <1164380817.053871.47790@l12g2000cwl.googlegroups.com>,
> Janis <janis_papanagnou@hotmail.com> wrote:
> ...
>
> Interesting. I just picked that out of the sky as an example (really & truly).
>
> What does this mean? (Is this an "English is not my first language"
> problem?)

I think she means when people are forced to change passwords they often
just add a number to the old password.


--
Mystics always hope that science will some day overtake them.
-- Booth Tarkington
Kenny McCormack

2006-11-24, 1:22 pm

In article <jbij34-1og.ln1@don.localnet>,
Bill Marcum <bmarcum@iglou.com> wrote:
....
>I think she means when people are forced to change passwords they often
>just add a number to the old password.


OK. I didn't think anything untoward was being said, but you have to
admit that there are multiple ways to interpret those words.

BTW, I'm pretty sure that Janis is a he.

Michael Heiming

2006-11-24, 1:22 pm

In comp.unix.shell Janis <janis_papanagnou@hotmail.com>:
> Kenny McCormack wrote:

> And some system policies are configured to not allow changing the
> password even twice during a configurable time span (usually at least
> one day), so that won't work there.


Exactly, there is quite often a default time that prohibits
changing the password too soon if users execute 'passwd', to make
something like this impossible.

IMHO the OP asked the wrong group; while one certainly can find
quite a few experts on shell programming around here, people
aren't that deep, if at all, into system administration.

What I don't understand is why the OP doesn't change the default
password policy if it is that annoying for his users. Why create a
script at all?

Of course he didn't give any information about what unix he is running
at all? Perhaps presuming people would love to guess?

He perhaps could ask his boss to pay for some basic unix system
administration training or at least get some books; this should
help overcome initial problems.

[..]
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | PERL -pe 'y/a-z/n-za-m/'
#bofh excuse 228: That function is not currently supported, but
Bill Gates assures us it will be featured in the next upgrade.
vinayagar

2006-11-24, 7:19 pm

hi world,

first i thank you all.

> Of course he didn't give any information about what unix he is running
> at all? Perhaps presuming people would love to guess?


OS : AIX 5.2

also searched some other sites... finally it is possible with the expect
utility.
i need to plan & get approval to do this....

once again thanks, i gained information from this topic.




vinayagar

2006-11-25, 7:21 am

hi world, bruce,


Thanks once again.. without using expect the below script is working
fine... on linux,

& i'm going to test it for SSH.....

[code]
#!/usr/bin/bash
uid=`whoami` # $1 (the username argument) is no longer used; login name comes from whoami
oldpw=$2
newpw=$3
telnetcmd=/tmp/telnetcmd.tmp$$      # commands that will be fed to telnet
telnetout=/tmp/telnetout.tmp$$      # copy of the telnet session output
touch $telnetcmd
# keep a telnet session reading whatever gets appended to $telnetcmd
tail -f $telnetcmd | telnet | tee $telnetout &
echo "open localhost" >>$telnetcmd
sleep 2
echo "$uid" >>$telnetcmd            # login name
sleep 2
echo "$oldpw" >>$telnetcmd          # login password
sleep 2
echo "passwd " >>$telnetcmd         # no argument: passwd changes the invoking user's password
sleep 2
echo "$oldpw" >>$telnetcmd          # passwd: current password
sleep 2
echo "$newpw" >>$telnetcmd          # passwd: new password
sleep 2
echo "$newpw" >>$telnetcmd          # passwd: retype new password
sleep 2
echo "exit" >>$telnetcmd
sleep 2
rm $telnetcmd $telnetout
[/code]




Michal Nazarewicz

2006-11-25, 7:21 am

"vinayagar" <ravinayag@gmail.com> writes:
> i want to write a shell script,
>
> # scriptname.sh oldtext newtext
>
> inside the script i need to execute the `passwd` command
> 1, once the passwd cmd is executed, it asks for the old UNIX password; here
> i'm putting my variable (oldtext)
> 2, then it asks for the new password; here i'm putting my variable called
> (newtext), and it asks to retype the password a second time, so again i
> call the (newtext) variable.


You could try something like:

#v+
passwd username <<EOF
$oldpassword
$newpassword
$newpassword
EOF
#v-

I dunno though if it's gonna work, plus it's definitely not portable,
plus it's very insecure to pass a password as a command line argument
since anyone can do `ps` and read it.

--
Best regards, _ _
.o. | Liege of Serenly Enlightened Majesty of o' \,=./ `o
..o | Computer Science, Michal "mina86" Nazarewicz (o o)
ooo +--<mina86*tlen.pl>---<jid:mina86*chrome.pl>--ooO--(_)--Ooo--
Copyright 2003 - 2008 webservertalk.com