
# BL_change_passwd is a network-enabled wrapper for modifying # local passwords on all BL supported operating systems.

# # When run without arguments, BLpasswd will display # its usage information. # # Usage: bl_change_password.nsh username password # # # # NOTE for SOLARIS systems: For Solaris systems, we need to have # a system with Perl installed. We need perl to create a Crypt # has of the user's password. If all of your systems don't have # Perl installed, change the $SOLARIS_PASS_GEN_MACHINE variable # below to a Bladelogic enabled system with Perl installed. # Example: # SOLARIS_PASS_GEN_MACHINE="perl-host1.bladelogic.com" HOST_NAME=`nexec -e hostname` SOLARIS_PASS_GEN_MACHINE="$HOST_NAME" # Get arguments from the command line. As you can see, # the username and password have to be in the right order. COMMAND_NAME=$0 USER_NAME=$argv[1] USER_PASSWORD=$argv[2] # Checking to see if we are running in the right environment # Make sure you can execute "nexec -e" command from here. NSH_EXEC_OK=`pwd|egrep "^//"` if [[ -z $NSH_EXEC_OK ]] ; then print "This command is meant to be executed via the runscript command. check documents." exit 1 fi # We need to get the system's OS type for later. SYSTEM_OS=`nexec -e uname -s` if [[ -z $SYSTEM_OS ]] ; then print "Unable to get system\'s OS type.\n" exit 1 fi # We need to get the system's hostname for creating usable # error messages. HOST_NAME=`nexec -e hostname` if [[ -z $HOST_NAME ]] ; then print "Unable to get system\'s hostname.\n" exit 1 fi # Print usage information. Always need to have a print usage # subfunction or we won't be able to function! sub print_usage() { print "Usage: $COMMAND_NAME username password" exit 1 }


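# This is where we generate a random salt for both Solaris
# and HP-UX password changes.  A salt keeps encrypted passwords
# from looking the same if two users decide to use the same
# password.  It's an awk call, so you should be able to execute
# this bit of code on any machine and use it anywhere.
#
# Sets the global SALT to two characters from [A-Za-z0-9./].  A
# two-character salt selects the traditional crypt(3) scheme on the
# Perl host, which is what the Solaris branch relies on -- confirm that
# this matches the target's password policy before using it on a new
# build.  awk's srand()/rand() is not a cryptographic generator; the
# salt only needs to differ between users, which is acceptable here.
sub gen_salt () {
    SALT=` awk '
        BEGIN {
            SALTS="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
            srand()
            printf("%s%s", substr(SALTS,1 + int(rand() * 64),1),
                           substr(SALTS,1 + int(rand() * 64),1))
        }
    '`
}

# Change windows password using the "net user" command.
# Windows' somewhat simplified authentication system makes
# things much easier for us here.  The OS dispatch at the bottom of
# the script currently prints an "unsupported" message instead of
# calling this.  The password is passed on the remote command line,
# so it is visible in the process list on the target while "net user"
# runs.
sub windows_pw_change () {
    print "Executing: nexec -e net user $USER_NAME *********\n"
    nexec -e "net user $USER_NAME $USER_PASSWORD"
}

# Change linux password using chpasswd.  Linux has the chpasswd
# command that allows us to change a user's password as root without
# interactivity.  Very nice.
sub linux_pw_change () {
    if [ "$USER_NAME" = "root" ] ; then
        echo " Not Authorized to Reset Password for ROOT"
        exit 1
    fi

    # Clear the failed-login counter so a previously locked-out account
    # can log in with the new password (the original reset it twice),
    # then show the resulting state.
    nexec -e /sbin/pam_tally2 --user $USER_NAME --reset
    nexec -e /sbin/pam_tally2 --user $USER_NAME

    # The user:password pair is single-quoted so the remote shell does
    # not interpret metacharacters in the password.  The password is
    # still visible on that remote command line while chpasswd runs.
    nexec -e "echo '$USER_NAME:$USER_PASSWORD' | /usr/sbin/chpasswd"
    if [[ $? != 0 ]] ; then
        print "Unable to change user $USER_NAME's password on system $HOST_NAME. OS type: $SYSTEM_OS."
        exit 1
    fi
}

# Change Solaris password.  This one's a bit more complicated.
# Since there isn't a way of modifying the password non-interactively,
# we need to modify the shadow file manually.
#
# Relies on the globals USER_NAME, USER_PASSWORD, HOST_NAME and
# SOLARIS_PASS_GEN_MACHINE, and on gen_salt() setting SALT.  Absolute
# paths without a //host prefix are resolved on the runscript target
# (the pwd check at the top of the script ensures we are "on" that
# host) -- NOTE(review): this is how the original relied on NSH path
# resolution; confirm it if the script is ever run differently.
sub solaris_pw_change() {
    if [ "$USER_NAME" = "root" ] ; then
        echo " Not Authorized to Reset Password for ROOT"
        exit 1
    fi

    # Every file created from here on holds either the cleartext password
    # or the full shadow file, so create them mode 0400 (umask 377).
    umask 377

    # Working copy of the shadow file while we edit it, so a failure
    # half-way through never leaves /etc/shadow truncated.  Kept under
    # /etc rather than /tmp: in a world-writable directory a pre-placed
    # symlink with this name would be followed when root writes to it.
    TMP_SHADOW_FILE="/etc/shadow.tmp"

    # Generator script on the Perl host.  Named per target so concurrent
    # runs against different hosts don't collide.
    GEN_PASS_SCRIPT="//$SOLARIS_PASS_GEN_MACHINE/tmp/gen_pass.pl.$HOST_NAME"

    # We generate a salt (sets SALT).
    gen_salt

    # We create a short perl script to execute on the Perl host to generate
    # our password crypt hash.  We can't do this on the Application server
    # since the crypt() system call is implemented a little differently
    # on every operating system.  They just aren't compatible.
    #
    # The password is placed in the script's __DATA__ section rather than
    # inside a Perl string literal, so quotes, "$", "@" or backslashes in
    # it cannot alter the Perl code that runs on the Perl host.  Only the
    # first line of the password is used; a password containing a newline
    # is not supported.
    cat > $GEN_PASS_SCRIPT <<EOF
my \$pw = <DATA>;
chomp \$pw;
print crypt(\$pw, "$SALT");
__DATA__
$USER_PASSWORD
EOF
    if [[ $? != 0 ]] ; then
        print "Unable to write password generator script to $GEN_PASS_SCRIPT\n"
        exit 1
    fi

    # We generate the crypt hash of the password, then remove the generator
    # script immediately -- it contains the cleartext password.  (The
    # original rm lacked the leading // and so never removed the remote
    # file.)
    SOLARIS_ENCRYPTED_PASSWD=`nexec $SOLARIS_PASS_GEN_MACHINE perl /tmp/gen_pass.pl.$HOST_NAME`
    rm -f $GEN_PASS_SCRIPT
    if [[ -z $SOLARIS_ENCRYPTED_PASSWD ]] ; then
        print "Unable to get encrypted password from $SOLARIS_PASS_GEN_MACHINE."
        exit 1
    fi

    # We need to get a timestamp for the backup shadow file.  Even the "date"
    # command differs from OS to OS.
    CURRENT_DATE=`nexec -e date '+%m%d%y%H%M%S'`
    if [[ $? != 0 || -z $CURRENT_DATE ]] ; then
        print "Unable to get current time on $HOST_NAME\n"
        exit 1
    fi

    # Make sure the account actually has a shadow entry before editing;
    # otherwise sed would silently produce an unchanged copy and the
    # script would report success without changing anything.
    nexec -e "grep '^$USER_NAME:' /etc/shadow > /dev/null"
    if [[ $? != 0 ]] ; then
        print "User $USER_NAME has no entry in /etc/shadow on $HOST_NAME\n"
        exit 1
    fi

    # We keep a copy of the shadow file in the /etc directory as
    # shadow.MonthDayYearHourMinuteSecond.  You should do a bit of
    # housekeeping occasionally to delete these files.
    nexec -e cp /etc/shadow /etc/shadow.$CURRENT_DATE
    if [[ $? != 0 ]] ; then
        print "Unable to make backup copy shadow file to /etc/shadow.$CURRENT_DATE\n"
        exit 1
    fi

    # Replace the user's password with the new one using sed: read the
    # shadow file, replace the password field of the matching line with
    # the new crypt hash and write the result to the temporary shadow
    # file defined earlier.  "[^:]*" pins the match to the second field
    # (the original's greedy ".*:" left the split point ambiguous), and
    # "|" is the s/// delimiter because crypt output may contain "/",
    # which would have terminated the original s/.../ expression.
    nexec -e "sed -e 's|^\($USER_NAME\):[^:]*:\(.*\)|\1:$SOLARIS_ENCRYPTED_PASSWD:\2|' /etc/shadow" > $TMP_SHADOW_FILE
    if [[ $? != 0 ]] ; then
        print "Unable to dump modified shadow file into temporary file $TMP_SHADOW_FILE\n"
        exit 1
    fi

    # Belt and braces: the umask above should already give 0400, but make
    # sure before the file is copied into place.  Symbolic modes are used
    # on purpose -- they are harder to get wrong than octal numbers.
    nexec -e "chmod u=r,go= $TMP_SHADOW_FILE"
    if [[ $? != 0 ]] ; then
        print "Unable to set permissions of modified shadow file $TMP_SHADOW_FILE\n"
        exit 1
    fi

    # Copy over the temporary shadow file with the modified password to
    # /etc/shadow.
    nexec -e "cp $TMP_SHADOW_FILE /etc/shadow"
    if [[ $? != 0 ]] ; then
        print "Unable to copy temporary shadow file $TMP_SHADOW_FILE to /etc/shadow\n"
        exit 1
    fi

    # Delete the temporary shadow file.
    nexec -e "rm -f $TMP_SHADOW_FILE"
    if [[ $? != 0 ]] ; then
        print "Unable to delete temporary shadow file $TMP_SHADOW_FILE.\n"
        exit 1
    fi
}

# Change AIX password.  chpasswd is a batch password changing utility
# that comes with AIX; it reads user:password pairs on standard input,
# which is how the function below feeds it.  (The original comment
# described a temporary user:password file that the code never created.)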

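sub aix_pw_change () {
    if [ "$USER_NAME" = "root" ] ; then
        echo " Not Authorized to Reset Password for ROOT"
        exit 1
    fi

    # Clear the failed-login counter so a locked account can log in again
    # with the new password.
    nexec -e chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$USER_NAME"

    # The user:password pair is single-quoted so the remote shell does not
    # interpret metacharacters in the password.  "-f NOCHECK" is carried
    # over from the original; it relaxes the system's password restrictions
    # for this change -- confirm that is intended.
    nexec -e "echo '$USER_NAME:$USER_PASSWORD' | /usr/bin/chpasswd -f NOCHECK "
    if [[ $? != 0 ]]; then
        print "Wasn't able to change user $USER_NAME's password on system $HOST_NAME. OS type: $SYSTEM_OS."
        exit 1
    fi
}

# Ensure that we've received the proper number of arguments.
if [[ $#argv != 2 ]]; then
    print_usage
fi

# Execute password change subfunction depending on operating
# system.  All supported operating systems are listed.
if [[ $SYSTEM_OS = "WindowsNT" ]] ; then
    #windows_pw_change
    print "This script does not work with Windows machines.\n"
    print_usage
elif [[ $SYSTEM_OS = "Linux" ]] ; then
    linux_pw_change
elif [[ $SYSTEM_OS = "SunOS" ]] ; then
    solaris_pw_change
elif [[ $SYSTEM_OS = "AIX" ]] ; then
    aix_pw_change
else
    print "Strange. I don't know anything about this operating system called \"$SYSTEM_OS.\" Use something else.\n"
    exit 1
fi

# Stop here explicitly.  The copy of this script reviewed here had its
# whole body pasted a second time after this point, which as written
# would re-run the dispatch and change the password twice; only one
# copy is kept and nothing after this line is meant to execute.
exit 0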
