Change Passwords with SSH and Expect

A few years ago I was supporting a very diverse environment with Solaris, AIX, and Linux servers, some with password logins, public/private key authentication, and several with SecurID passwords. All accounts were local, passwords expired every three months, and the accounts locked after three failed logins — so you can imagine the mess this created if you didn’t go around every server at least every three months. After I’d accumulated about half a dozen passwords, I wrote an Expect script to log in and change my password and wrapped it with a bash script to try every old password I had. Since some servers needed a SecurID number to log in, the bash script would pause on those and prompt me for the token before continuing.

I’ve seen a few Expect scripts to change passwords, but none that can handle one-time tokens (like SecurID), expired passwords (changed before arriving at the prompt), and the variety of prompts to support Solaris, AIX, Linux, etc. This morning I spent some time cleaning up and streamlining the code, but I’m sure it can be improved and optimized even more. If you use this code, and find ways to improve it, please let me know in the comments below and I’ll update the script for everyone’s benefit.

The script is also available on GitHub here: https://github.com/jsmoriss/sshchpwd

Download the sshchpwd.exp script.
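
The post lists what a password-change script has to tell apart: one-time token prompts, expired-password dialogues, and the differing prompt wording on Solaris, AIX and Linux. The Python sketch below is an added example, not the author's sshchpwd.exp: it classifies each line of server output with the most specific rule first and stops at the first failure message instead of answering again, which matters when accounts lock after three failed attempts. The names `classify`, `plan`, the rule table and the sample transcripts are assumptions made for illustration.

```python
import re

# Checked in order, most specific first. A bare "password" rule placed first
# would also claim "New UNIX password:" and answer it with the old password.
PROMPT_RULES = [
    ("token",   r"passcode|tokencode"),
    ("retype",  r"re-?type|re-?enter|again|confirm"),
    ("new",     r"\bnew\b"),
    ("current", r"password"),
]
FAILURES = r"password unchanged|manipulation error|permission denied"
ANSWER = {"token": "TOKEN", "current": "OLD", "new": "NEW", "retype": "NEW"}

def classify(line):
    """Return the prompt kind for one line of output, "failure", or None."""
    text = line.strip()
    if re.search(FAILURES, text, re.I):
        return "failure"
    if not text.endswith(":"):
        return None  # banner or informational line, not a prompt
    for kind, pattern in PROMPT_RULES:
        if re.search(pattern, text, re.I):
            return kind
    return None

def plan(lines):
    """Map a transcript to the secrets to send; stop at the first failure."""
    sent = []
    for line in lines:
        kind = classify(line)
        if kind == "failure":
            raise RuntimeError("aborting, server reported: " + line.strip())
        if kind:
            sent.append(ANSWER[kind])
    return sent

# Constructed transcripts. The Linux lines follow the output quoted in the
# first comment; the retype line and the Solaris, AIX and SecurID prompt
# texts are assumptions about typical wording.
LINUX_EXPIRED = ["WARNING: Your password has expired.",
                 "Changing password for user demo.",
                 "(current) UNIX password: ", "New UNIX password: ",
                 "Retype new UNIX password: "]
SOLARIS = ["Enter existing login password: ", "New Password: ",
           "Re-enter new Password: "]
AIX_TOKEN = ["Enter PASSCODE: ", "demo's Old password: ",
             "demo's New password: ", "Enter the new password again: "]
```

`plan` returns labels (`OLD`, `NEW`, `TOKEN`) rather than secrets, so the ordering logic can be checked against captured prompts without any credential appearing in the test data.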

4 thoughts on “Change Passwords with SSH and Expect”

  1. WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user ed856685.
    Changing password for ed856685
    (current) UNIX password: (detected additional password prompt – old password)
    (continuing expect loop)

    New UNIX password: (detected additional password prompt – old password)
    (continuing expect loop)

    Password unchanged
    New UNIX password: (detected additional password prompt – old password)
    (continuing expect loop)

    Password unchanged
    New UNIX password: (detected additional password prompt – old password)
    (continuing expect loop)

    Password unchanged
    passwd: Authentication token manipulation error
    Connection to emghlc002 closed.
    send: spawn id exp6 not open
    while executing
    “send “\n””
    (file “./changepwssh.sh” line 145)

    It’s like it’s not seeing that it is asking for a new password. Can you please help?

    Thanks

  2. Forgive me for not being real smart on this but where do I put the current pw and the new pw in the script?

    Thanks
    Greg

  3. The mess is changing passwords every three months. Whoever thought of this awful thing surely works on Windows, a different world.
    I faced a similar situation in the place I’ve been working in for 15 years. Then I resigned (that was not the only reason, though). It’s better to become a farmer than continue with this paranoia.
    Greetings

    • Environment variables, as shown in the example:

      js.
