|
0
|
1 #
|
|
|
2 # This scripts changes a password on the local system or a remote host.
|
|
|
3 # Connections to the remote (this can also be localhost) are made by ssh, rsh,
|
|
|
4 # telnet or rlogin.
|
|
|
5
|
|
|
6 # @author Gaudenz Steinlin <gaudenz@soziologie.ch>
|
|
|
7
|
|
|
8 # For sudo support alter sudoers (using visudo) so that it contains the
|
|
|
9 # following information (replace 'apache' if your webserver runs under another
|
|
|
10 # user):
|
|
|
11 # -----
|
|
|
12 # # Needed for Horde's passwd module
|
|
|
13 # Runas_Alias REGULARUSERS = ALL, !root
|
|
|
14 # apache ALL=(REGULARUSERS) NOPASSWD:/usr/bin/passwd
|
|
|
15 # -----
|
|
|
16
|
|
|
17 # @stdin The username, oldpassword, newpassword (in this order)
|
|
|
18 # will be taken from stdin
|
|
|
19 # @param -prompt regexp for the shell prompt
|
|
|
20 # @param -password regexp password prompt
|
|
|
21 # @param -oldpassword regexp for the old password
|
|
|
22 # @param -newpassword regexp for the new password
|
|
|
23 # @param -verify regexp for verifying the password
|
|
|
24 # @param -success regexp for success changing the password
|
|
|
25 # @param -login regexp for the telnet prompt for the loginname
|
|
|
26 # @param -host hostname to be connected
|
|
|
27 # @param -timeout timeout for each step
|
|
|
28 # @param -log file for writing error messages
|
|
|
29 # @param -output file for loging the output
|
|
|
30 # @param -telnet use telnet
|
|
|
31 # @param -ssh use ssh (default)
|
|
|
32 # @param -rlogin use rlogin
|
|
|
33 # @param -slogin use slogin
|
|
|
34 # @param -sudo use sudo
|
|
|
35 # @param -program command for changing passwords
|
|
|
36 #
|
|
|
37 # @return 0 on success, 1 on failure
|
|
|
38 #
|
|
|
39
|
|
|
40
|
|
|
41 # default values
|
|
|
42 set host "localhost"
|
|
|
43 set login "ssh"
|
|
|
44 set program "passwd"
|
|
|
45 set prompt_string "(%|\\\$|>)"
|
|
|
46 set fingerprint_string "The authenticity of host.* can't be established.*\nRSA key fingerprint is.*\nAre you sure you want to continue connecting.*"
|
|
|
47 set password_string "(P|p)assword.*"
|
|
|
48 set oldpassword_string "((O|o)ld|login|\\\(current\\\) UNIX) (P|p)assword.*"
|
|
|
49 set newpassword_string "(N|n)ew.* (P|p)assword.*"
|
|
|
50 set badoldpassword_string "(Authentication token manipulation error).*"
|
|
|
51 set badpassword_string "((passwd|BAD PASSWORD).*|(passwd|Bad:).*\r)"
|
|
|
52 set verify_string "((R|r)e-*enter.*(P|p)assword|Retype new( UNIX)? password|(V|v)erification|(V|v)erify|(A|a)gain).*"
|
|
|
53 set success_string "((P|p)assword.* changed|successfully)"
|
|
|
54 set login_string "(((L|l)ogin|(U|u)sername).*)"
|
|
|
55 set timeout 20
|
|
|
56 set log "/tmp/passwd.out"
|
|
|
57 set output false
|
|
|
58 set output_file "/tmp/passwd.log"
|
|
|
59
|
|
|
60 # read input from stdin
|
|
|
61 fconfigure stdin -blocking 1
|
|
|
62
|
|
|
63 gets stdin user
|
|
|
64 gets stdin password(old)
|
|
|
65 gets stdin password(new)
|
|
|
66
|
|
|
67 # alternative: read input from command line
|
|
|
68 #if {$argc < 3} {
|
|
|
69 # send_user "Too few arguments: Usage $argv0 username oldpass newpass"
|
|
|
70 # exit 1
|
|
|
71 #}
|
|
|
72 #set user [lindex $argv 0]
|
|
|
73 #set password(old) [lindex $argv 1]
|
|
|
74 #set password(new) [lindex $argv 2]
|
|
|
75
|
|
|
76 # no output to the user
|
|
|
77 log_user 0
|
|
|
78
|
|
|
79 # read in other options
|
|
|
80 for {set i 0} {$i<$argc} {incr i} {
|
|
|
81 set arg [lindex $argv $i]
|
|
|
82 switch -- $arg "-prompt" {
|
|
|
83 incr i
|
|
|
84 set prompt_string [lindex $argv $i]
|
|
|
85 continue
|
|
|
86 } "-password" {
|
|
|
87 incr i
|
|
|
88 set password_string [lindex $argv $i]
|
|
|
89 continue
|
|
|
90 } "-oldpassword" {
|
|
|
91 incr i
|
|
|
92 set oldpassword_string [lindex $argv $i]
|
|
|
93 continue
|
|
|
94 } "-newpassword" {
|
|
|
95 incr i
|
|
|
96 set newpassword_string [lindex $argv $i]
|
|
|
97 continue
|
|
|
98 } "-verify" {
|
|
|
99 incr i
|
|
|
100 set verify_string [lindex $argv $i]
|
|
|
101 continue
|
|
|
102 } "-success" {
|
|
|
103 incr i
|
|
|
104 set success_string [lindex $argv $i]
|
|
|
105 continue
|
|
|
106 } "-login" {
|
|
|
107 incr i
|
|
|
108 set login_string [lindex $argv $i]
|
|
|
109 continue
|
|
|
110 } "-host" {
|
|
|
111 incr i
|
|
|
112 set host [lindex $argv $i]
|
|
|
113 continue
|
|
|
114 } "-timeout" {
|
|
|
115 incr i
|
|
|
116 set timeout [lindex $argv $i]
|
|
|
117 continue
|
|
|
118 } "-log" {
|
|
|
119 incr i
|
|
|
120 set log [lindex $argv $i]
|
|
|
121 continue
|
|
|
122 } "-output" {
|
|
|
123 incr i
|
|
|
124 set output_file [lindex $argv $i]
|
|
|
125 set output true
|
|
|
126 continue
|
|
|
127 } "-telnet" {
|
|
|
128 set login "telnet"
|
|
|
129 continue
|
|
|
130 } "-ssh" {
|
|
|
131 set login "ssh"
|
|
|
132 continue
|
|
|
133 } "-ssh-exec" {
|
|
|
134 set login "ssh-exec"
|
|
|
135 continue
|
|
|
136 } "-rlogin" {
|
|
|
137 set login "rlogin"
|
|
|
138 continue
|
|
|
139 } "-slogin" {
|
|
|
140 set login "slogin"
|
|
|
141 continue
|
|
|
142 } "-sudo" {
|
|
|
143 set login "sudo"
|
|
|
144 continue
|
|
|
145 } "-program" {
|
|
|
146 incr i
|
|
|
147 set program [lindex $argv $i]
|
|
|
148 continue
|
|
|
149 }
|
|
|
150 }
|
|
|
151
|
|
|
152 # log session
|
|
|
153 if {$output} {
|
|
|
154 log_file $output_file
|
|
|
155 }
|
|
|
156
|
|
|
157 set err [open $log "w" "0600"]
|
|
|
158
|
|
|
159 # start remote session
|
|
|
160 if {[string match $login "rlogin"]} {
|
|
|
161 set pid [spawn rlogin $host -l $user]
|
|
|
162 } elseif {[string match $login "slogin"]} {
|
|
|
163 set pid [spawn slogin $host -l $user]
|
|
|
164 } elseif {[string match $login "ssh"]} {
|
|
|
165 set pid [spawn ssh $host -l $user]
|
|
|
166 } elseif {[string match $login "ssh-exec"]} {
|
|
|
167 set pid [spawn ssh $host -l $user $program]
|
|
|
168 } elseif {[string match $login "sudo"]} {
|
|
|
169 set pid [spawn sudo -u $user $program]
|
|
|
170 } elseif {[string match $login "telnet"]} {
|
|
|
171 set pid [spawn telnet $host]
|
|
|
172 expect -re $login_string {
|
|
|
173 sleep .5
|
|
|
174 send "$user\r"
|
|
|
175 }
|
|
|
176 } else {
|
|
|
177 puts $err "Invalid login mode. Valid modes: rlogin, slogin, ssh, telnet, sudo\n"
|
|
|
178 close $err
|
|
|
179 exit 1
|
|
|
180 }
|
|
|
181
|
|
|
182 set old_password_notentered true
|
|
|
183
|
|
|
184 if {![string match $login "sudo"]} {
|
|
|
185 # log in
|
|
|
186 expect {
|
|
|
187 -re $fingerprint_string {sleep .5
|
|
|
188 send yes\r
|
|
|
189 exp_continue}
|
|
|
190 -re $password_string {sleep .5
|
|
|
191 send $password(old)\r}
|
|
|
192 timeout {puts $err "Could not login to system (no password prompt)\n"
|
|
|
193 close $err
|
|
|
194 exit 1}
|
|
|
195 }
|
|
|
196
|
|
|
197 # start password changing program
|
|
|
198 expect {
|
|
|
199 -re $prompt_string {sleep .5
|
|
|
200 send $program\r}
|
|
|
201 # The following is for when passwd is the login shell or ssh-exec is used
|
|
|
202 -re $oldpassword_string {sleep .5
|
|
|
203 send $password(old)\r
|
|
|
204 set old_password_notentered false}
|
|
|
205 timeout {puts $err "Could not login to system (bad old password?)\n"
|
|
|
206 close $err
|
|
|
207 exit 1}
|
|
|
208 }
|
|
|
209 }
|
|
|
210
|
|
|
211 # send old password
|
|
|
212 if {$old_password_notentered} {
|
|
|
213 expect {
|
|
|
214 -re $oldpassword_string {sleep .5
|
|
|
215 send $password(old)\r}
|
|
|
216 timeout {puts $err "Could not start passwd program (no old password prompt)\n"
|
|
|
217 close $err
|
|
|
218 exit 1}
|
|
|
219 }
|
|
|
220 }
|
|
|
221
|
|
|
222 # send new password
|
|
|
223 expect {
|
|
|
224 -re $newpassword_string {sleep .5
|
|
|
225 send $password(new)\r}
|
|
|
226 -re $badoldpassword_string {puts $err "Old password is incorrect\n"
|
|
|
227 close $err
|
|
|
228 exit 1}
|
|
|
229 timeout {puts "Could not change password (bad old password?)\n"
|
|
|
230 close $err
|
|
|
231 exit 1}
|
|
|
232 }
|
|
|
233
|
|
|
234 # send new password again
|
|
|
235 expect {
|
|
|
236 -re $badpassword_string {puts $err "$expect_out(0,string)"
|
|
|
237 close $err
|
|
|
238 send \003
|
|
|
239 sleep .5
|
|
|
240 exit 1}
|
|
|
241 -re $verify_string {sleep .5
|
|
|
242 send $password(new)\r}
|
|
|
243 timeout {puts $err "New password not valid (too short, bad password, too similar, ...)\n"
|
|
|
244 close $err
|
|
|
245 send \003
|
|
|
246 sleep .5
|
|
|
247 exit 1}
|
|
|
248 }
|
|
|
249
|
|
|
250 # check response
|
|
|
251 expect {
|
|
|
252 -re $success_string {sleep .5
|
|
|
253 send exit\r}
|
|
|
254 -re $badpassword_string {puts $err "$expect_out(0,string)"
|
|
|
255 close $err
|
|
|
256 exit 1}
|
|
|
257 timeout {puts $err "Could not change password.\n"
|
|
|
258 close $err
|
|
|
259 exit 1}
|
|
|
260 }
|
|
|
261
|
|
|
262 # exit succsessfully
|
|
|
263 expect {
|
|
|
264 eof {close $err
|
|
|
265 exit 0}
|
|
|
266 }
|
|
|
267 close $err
|
