Change Passwords with SSH and Expect

A few years ago I was supporting a very diverse environment with Solaris, AIX, and Linux servers; some with password logins, some with public/private key authentication, and several with SecurID passwords. All accounts were local, passwords expired every three months, and the accounts locked after three failed logins — so you can imagine the mess this created if you didn’t go around every server at least every three months. After I’d accumulated about half a dozen passwords, I wrote an Expect script to log in and change my password and wrapped it with a bash script to try every old password I had. Since some servers needed a SecurID number to log in, the bash script would pause on those and prompt me for the token before continuing.

I’ve seen a few Expect scripts to change passwords, but none that can handle one-time tokens (like SecurID), expired passwords (changed before arriving at the prompt), and the variety of prompts needed to support Solaris, AIX, Linux, etc. This morning I spent some time cleaning up and streamlining the code, but I’m sure it can be improved and optimized even more. If you use this code and find ways to improve it, please let me know in the comments below and I’ll update the script for everyone’s benefit.

The script is also available on GitHub here:

Download the sshchpwd.exp script.
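
An added example, not the author's sshchpwd.exp, showing one way to handle the cases described above in a single Expect loop: a one-time token prompt, a password change forced at login because the password expired, and differing passwd prompts. The prompt regexes, the OLD_PW/NEW_PW environment variables, the file name and the exit codes are assumptions; it makes one login attempt per run so a stale password cannot use up the three-failure lockout.

```expect
#!/usr/bin/expect -f
# Added example, not the author's sshchpwd.exp. Prompt regexes are assumptions.
# Usage (hypothetical file name): OLD_PW=... NEW_PW=... ./chpw-example.exp user host
set timeout 20
log_user 0                      ;# do not echo the session (and secrets) to the terminal
lassign $argv user host
set old $env(OLD_PW)            ;# secrets via environment, not argv (argv shows in ps)
set new $env(NEW_PW)
set logins 0; set news 0; set started 0

proc bail {msg code} { send_user "$msg\n"; exit $code }

# One login attempt only: a wrong password must not count toward the lockout.
spawn ssh -o NumberOfPasswordPrompts=1 $user@$host
expect {
    -re {\(yes/no} { bail "unknown host key for $host: verify it out of band" 3 }
    -nocase -re {passcode:\s*$} {
        # One-time token: pause and ask the operator, with terminal echo off.
        send_user "token for $host: "
        stty -echo; expect_user -re "(.*)\n"; stty echo; send_user "\n"
        send -- "$expect_out(1,string)\r"; exp_continue
    }
    -nocase -re {(current|old|existing)[^\n]*password:\s*$} {
        # Old-password prompt from passwd, or from a forced change at login.
        set started 1; send -- "$old\r"; exp_continue
    }
    -nocase -re {new[^\n]*password[^\n]*:\s*$} {
        # Covers "New password:", "Retype new ...", "Enter the new password again:".
        if {[incr news] > 2} { bail "new password rejected on $host" 2 }
        set started 1; send -- "$new\r"; exp_continue
    }
    -nocase -re {password:\s*$} {
        # Plain login prompt; a second one means the first attempt failed.
        if {[incr logins] > 1} { bail "login failed on $host, stopping" 1 }
        send -- "$old\r"; exp_continue
    }
    -re {[$#>%]\s*$} {
        # Shell prompt: start passwd once, log out once the change has run.
        if {$started} { send -- "exit\r" } else { set started 1; send -- "passwd\r" }
        exp_continue
    }
    timeout { bail "timed out on $host" 4 }
    eof {}
}
# The new password is sent exactly twice (entry and confirmation) on success.
if {$news == 2} { bail "password changed on $host" 0 }
bail "password not changed on $host" 1
```

The order of the patterns matters: the old-password and new-password patterns come before the generic `password:` pattern so that a passwd prompt is never answered as if it were a login prompt.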
