Originally published March 25, 2020 @ 4:48 pm
On occasion you may need to check if an account has a specific password. For example, when you build VMs, you may use default passwords for some default accounts (e.g. root) that should be changed later by your password management application.
Except that the password management application in question is about as reliable as a Nigerian bank. In the example below we are checking if the root account is using the default password that should’ve been changed, but, for some reason, wasn’t.
Note: this process requires the sshpass utility that can be installed with yum -y install sshpass or apt-get install sshpass. You also need to have openssl installed, but you probably already have it.
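# Enter the known password (read -s keeps it off the screen)
read -s p
# Set the username
u=root
if [ -x /usr/bin/sshpass ]
then
    # The second field of the shadow entry is $id$salt$hash. Re-hash the known
    # password with the same id and salt using openssl passwd (sshpass answers
    # its password prompt), then count matches against the stored field.
    if [ $(/usr/bin/sshpass -p "${p}" /usr/bin/openssl passwd -$(/bin/grep -m1 "^${u}:" /etc/shadow | \
        awk -F':' '{print $2}' | awk -F'$' '{print $2}') \
        -salt $(/bin/grep -m1 "^${u}:" /etc/shadow | \
        awk -F':' '{print $2}' | awk -F'$' '{print $3}') | \
        /bin/grep -wc "$(/bin/grep -m1 "^${u}:" /etc/shadow | \
        awk -F':' '{print $2}')") -gt 0 ]
    then
        # A match means the account still has the known password
        echo "$(date +'%Y-%m-%d %H:%M:%S'),$(hostname | awk -F'.' '{print $1}'),change ${u} password"
    fi
fi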
Sample run:
root@DESKTOP-GKM9P85:~/twurl/bin# u=igor
root@DESKTOP-GKM9P85:~/twurl/bin# read -s p
root@DESKTOP-GKM9P85:~/twurl/bin# if [ -x /usr/bin/sshpass ]
> then
> if [ $(/usr/bin/sshpass -p "${p}" /usr/bin/openssl passwd -$(/bin/grep -m1 "^${u}:" /etc/shadow | \
> awk -F':' '{print $2}' | awk -F'$' '{print $2}') \
> -salt $(/bin/grep -m1 "^${u}:" /etc/shadow | \
> awk -F':' '{print $2}' | awk -F'$' '{print $3}') | \
> /bin/grep -wc "$(/bin/grep -m1 "^${u}:" /etc/shadow | \
> awk -F':' '{print $2}')") -gt 0 ]
> then
> echo "$(date +'%Y-%m-%d %H:%M:%S'),$(hostname | awk -F'.' '{print $1}'),change ${u} password"
> fi
> fi
2020-03-25 16:18:22,DESKTOP-GKM9P85,change igor password
root@DESKTOP-GKM9P85:~/twurl/bin#
Here’s an example of how to run this command via Salt cmd.run on multiple systems. It’s just a matter of escaping the right $ and ":
# Enter the known password
read -s p
# Set the username
u=root
# \$ and \" are escaped so that they are evaluated on the minions.
# ${p} and ${u} are left unescaped and expand locally, so the password is
# sent to the minions as part of the cmd.run argument.
salt "prod*" cmd.run "if [ -x /usr/bin/sshpass ]; then if [ \$(/usr/bin/sshpass -p \"${p}\" /usr/bin/openssl passwd -\$(/bin/grep -m1 \"^${u}:\" /etc/shadow | awk -F':' '{print \$2}' | awk -F'\$' '{print \$2}') -salt \$(/bin/grep -m1 \"^${u}:\" /etc/shadow | awk -F':' '{print \$2}' | awk -F'\$' '{print \$3}') | /bin/grep -wc \"\$(/bin/grep -m1 \"^${u}:\" /etc/shadow | awk -F':' '{print \$2}')\") -gt 0 ]; then echo \"\$(date +'%Y-%m-%d %H:%M:%S'),\$(hostname | awk -F'.' '{print \$1}'),change ${u} password\"; fi; fi 2>/dev/null" 2>/dev/null
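
The same hash comparison as an added example (not the original post's code): it feeds the candidate password to openssl passwd on stdin instead of through sshpass -p, which keeps it out of the process list, and it reports entries it cannot check (locked accounts, yescrypt, a rounds= parameter) separately from a plain non-match. The function names, the svc account and the sample password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the original post's code; all names here are illustrative.
# check_shadow_line LINE PASSWORD
#   LINE is one /etc/shadow-format entry. Returns 0 if PASSWORD reproduces the
#   stored hash, 1 if it does not, 2 if the entry cannot be checked this way.
check_shadow_line() {
    line=$1 pw=$2
    # Field 2 is $id$salt$hash; locked or passwordless accounts hold "!", "*" or "".
    stored=$(printf '%s\n' "$line" | awk -F: '{print $2}')
    id=$(printf '%s\n' "$stored" | awk -F'$' '{print $2}')
    salt=$(printf '%s\n' "$stored" | awk -F'$' '{print $3}')
    case $id in
        1|5|6) ;;        # MD5, SHA-256 and SHA-512 crypt: openssl passwd -1/-5/-6
        *) return 2 ;;   # locked, empty, yescrypt ($y$), bcrypt, ...
    esac
    # With $6$rounds=N$salt$hash the third field is "rounds=N", not the salt,
    # so the plain field split would hand openssl the wrong salt.
    case $salt in
        ''|rounds=*) return 2 ;;
    esac
    # printf is a shell builtin: the password goes down a pipe to openssl's
    # stdin and never appears in a process argument list.
    computed=$(printf '%s\n' "$pw" |
        openssl passwd "-$id" -salt "$salt" -stdin 2>/dev/null) || return 2
    [ "$computed" = "$stored" ]
}

# Constructed sample: a shadow-style line for a made-up account "svc" whose
# password is the made-up default "Example-Default-1".
make_sample_line() {
    h=$(printf '%s\n' 'Example-Default-1' | openssl passwd -6 -salt 'c0nstruct3d' -stdin)
    printf 'svc:%s:18346:0:99999:7:::\n' "$h"
}

if check_shadow_line "$(make_sample_line)" 'Example-Default-1'
then
    echo "$(date +'%Y-%m-%d %H:%M:%S'),$(hostname | awk -F'.' '{print $1}'),change svc password"
fi
```

On a real host, run as root and pass the output of grep -m1 "^${u}:" /etc/shadow as LINE.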
