How do I change multiple unix passwords in one script/batch file?

Question

I connect to 8 different unix servers from Windows, using connection type 'SSH' in putty. I use the same username/password for each server.

Currently when I need to change passwords (every 60 days), I need to open putty, select the session I want to connect to, type my current password (in the putty window that opens), type "passwd", enter my current password, and then enter my new password.

Then I exit and repeat the process 7 times.

How can I convert this to an automated process where I simply need to supply a script/batch process with my old and new password?

Answer 1

Great article! Just elaborating on step-3. Please note the commands to provide Proxy server information in case "teacup install Expect" fails due to connectivity issue:

%teacup install Expect
    Resolving Expect ... Not found in the archives.
    ...
    Aborting installation, was not able to locate the requested entity.
    child process exited abnormally
% teacup list teacup
    0 entities found
    Problems which occurred during the operation:
    * http://teapot.activestate.com :
    {connect failed connection refused} {can't read
    "state(sock)": no such element in array while executing
    "fileevent $state(sock) writable {}"} NONE
% teacup proxy "abcproxy.mycorp.com" 8080
    Proxying through abcproxy.mycorp.com @ 8080
% set http_proxy_user MyNetworkID
    MyNetworkID
% set http_proxy_pass MyNetworkPassword
    MyNetworkPassword
% teacup list teacup
    entity      name   version         platform
    ----------- ------ --------------- ----------
    application teacup 8.5.16.0.298388 win32-ix86
    ----------- ------ --------------- ----------
    1 entity found
% teacup install Expect
    Resolving Expect ... [package Expect 5.43.2 win32-ix86 @ http://teapot.activestate.com]
    Resolving Tcl 8.4 -is package ... [package Tcl 8.6.1 _ ... Installed outside repository, probing dependencies]
    Retrieving package Expect 5.43.2 win32-ix86 ...@ http://teapot.activestate.com ...
    Ok
    Installing into C:/app/Tcl/lib/teapot
    Installing package Expect 5.43.2 win32-ix86
 %

Answer 2

Here is how I automated the process:

1. Download and install ActiveTCL Community Edition (download the 32 bit version, even if you are on 64 bit windows, as the 64 bit version does not have "Expect" which is what you need to run the automated script)

2. Open the tclsh85 executable that was created by the install

3. Run this command "teacup install Expect" (note, this is case sensitive. You may need to setup special http settings if you receive an error and/or are on vpn or using a proxy)

4. Download Putty's "plink.exe" and either place it in the bin directory of ActiveTCL (default install directory is "C:\Tcl\bin") or alter your "Path" environment variable to include the path to this executable (wherever you downloaded plink.exe). This is the command-line version of Putty which your script will use.

5. Anywhere on your drive, create a text file named "servers.txt" with a list of the servers (one per line). They should all share the same password, as the script will login to all of them with the same password (that you supply), and change the password to the one you supply.

6. In the same directory as "servers.txt" create a new text file called "ChangePassword.tcl" (or whatever you want to call it, but be sure its file type is "tcl"). Right click the file and edit in notepad (or whatever text editor you prefer) and paste this script in it.

   package require Expect
   
   exp_log_user 0
   set exp::nt_debug 1
   
   proc changepw {host user oldpass newpass} {
          spawn plink $host
          log_user 0
          expect {
              "login as: " { }
          }
          exp_send "$user\r"
          expect "sword: "
          exp_send "$oldpass\r"
          expect "\$ "
          exp_send "passwd\r"
          expect "sword: "
        exp_send "$oldpass\r"
        expect "sword: "
        exp_send "$newpass\r"
        expect "sword: "
        exp_send "$newpass\r"
          set result $expect_out(buffer)
          exp_send "exit\r"
          return $result
   }
   
   label .userlbl -text "Username:"
   label .oldpasslbl -text "\nOld Password: "
   label .newpasslbl -text "\nNew Password: "
   
   set username "username"
   entry .username -textvariable username
   set oldpassword "oldpassword"
   entry .oldpassword -textvariable oldpassword
   set newpassword "newpassword"
   entry .newpassword -textvariable newpassword
   
   button .button1 -text "Change Password" -command {
     set fp [open "servers.txt" r]
     set file_data [read $fp]
     close $fp
     set data [split $file_data "\n"]
     foreach line $data {
         .text1 insert end "Changing password for: $line\n"
       set output [changepw $line $username $oldpassword $newpassword]
       .text1 insert end "$output\n\n"
     }
   }
   
   text .text1 -width 50 -height 30 
   pack .userlbl .username .oldpasslbl .oldpassword .newpasslbl .newpassword .button1 .text1
   

7. Save the script and then launch the ChangePassword.tcl file.

Here is a picture of what it looks like when you open the ChangePassword.tcl file:

The rest should be self explanatory. Note the program does not output when your password change was successful but it will tell you when it fails. Also note, this was my first tcl script (and first time using Expect) so the script is by no means "optimized" and could probably be improved but it gets the job done. Feel free to edit, or make suggestions/improvements.

Answer 3

Sounds like you want Expect, an extension of TCL that can mimic typing at a keyboard for a console application. See the examples for how to do this.

Now there is something you've written that worries me:

I connect to 8 different unix servers, using connection type 'SSH' in putty. I use the same username/password for each server.

Why aren't you using SSH keys for automating the logon?