Change Solaris 10 password with script - unix

Can somebody help me to create a script that changes my password for a Solaris based server? I am not the root user. Usually I change my password like this: I type in the terminal "passwd" then it asks me to enter login password, I insert it, then it asks for the new password, I insert it, then it asks to re-enter new password, I insert it. Does anybody know how to do this via script? Or even better how to change the password by a command written in only one line?
I want to create a Java app that connects to the server and changes the password.

What you're trying to do is deliberately almost impossible to accomplish - because it's a very, very bad, insecure idea to script passwords. Doing so almost certainly compromises the password and therefore the account and everything it has access to.
The Solaris passwd utility uses getpassphrase() to read passwords directly from the controlling terminal - the keyboard. You can find the source code here.
From the getpassphrase() man page:
Description
The getpass() function opens the process's controlling terminal,
writes to that device the null-terminated string prompt, disables
echoing, reads a string of characters up to the next newline character
or EOF, restores the terminal state and closes the terminal.
The getpassphrase() function is identical to getpass(), except
that it reads and returns a string of up to 257 characters in length.


encrypt an emacs org mode file

I would like to do full file encryption of an org mode file. I would like just to have a password to open it - I believe it's called symmetric encryption - no keyrings, public keys, etc because I know nothing about that.
So far I have learned that all I have to do is save an org mode file ending in .gpg or .org.gpg, and when I save, I get:
Select recipients for encryption.
If no one is selected, symmetric encryption will be performed.
- ‘m’ to mark a key on the line
- ‘u’ to unmark a key on the line
[Cancel][OK]
I just click OK and I am prompted for the password. Wonderful.
When I close Emacs and view the file in another text editor, I can see the file is encrypted. Wonderful.
The problem comes in when I open the encrypted file - Emacs does not prompt me for the password. Emacs does report it decrypted the file and then it opens it.
I would like to be prompted for the password.
I have tried many different commands in both .emacs and in the file itself and nothing works. Eg:
(setq epa-file-cache-passphrase-for-symmetric-encryption nil)
I find that most articles seem to be old or for different versions of gpg or different types of encryption and so the commands suggested are not suitable.
What is the minimum amount of commands and what are those commands that I need to use to make sure encryption/decryption functions properly and securely and I will be prompted for the password each time I open the file?
I am using:
gpg (GnuPG) 2.2.20
libgcrypt 1.8.5
See this question on the Emacs SE site. It's a matter of configuring the default-cache-ttl setting in ~/.gnupg/gpg-agent.conf. The default is 300 seconds (5 mins), so the password is cached in gpg-agent for that long. Setting it to 0 makes sure that it is not cached.

How to change the password via ssh on airOS8 for UBNT WA v8.x boards

How can I change the user's password over ssh connection (not via browser interface) on the UBNT (Ubiquiti Networks) device, more specifically airOS8 WA v8.x board?
I want to avoid the ridiculous restriction imposed by their web interface on the password complexity (the only thing they don't require in the password is the unicorn's blood). I don't feel comfortable with someone else telling me what my passwords should look like (for my own well being, of course), so I'd like to change it via ssh connection, where this restriction is not being imposed.
I followed the discussion on their forums, which is just a useless bike-shedding over the opinions if the developers should impose such restrictions (without the switch to turn that off) or not.
I found the way to do this and wanted to share with others, who need to do the same thing.
First, log in to your device over an ssh connection. Then, issue a passwd command to change your password. If you now just reboot your device, the new password won't be saved, so read on.
Next, you need to copy the new password hash to a file named /var/tmp/system.cfg. So, first, type cat /etc/passwd, to see the new password hash, which should look something like this:
ubnt:$1$ssssssss$hhhhhhhhhhhhhhhhhhhhhh:0:0:Administrator:/etc/persistent:/bin/sh
where ssssssss is the Salt and hhhhhhhhhhhhhhhhhhhhhh is the Hash of the new password. We need to copy all that to the /var/tmp/system.cfg file, so type:
vi /var/tmp/system.cfg and in there, find the line that starts with users.1.password= and change it to be like this (press 'I' for Insert operation):
users.1.password=$1$ssssssss$hhhhhhhhhhhhhhhhhhhhhh
where Salt and Hash will be something randomly generated. When you finish changing that line, press Escape key and then save/quit the file (pressing colon, 'w', 'q' and Enter key, like ':wq')
Once you're back in the shell, type save to save this configuration permanently and then type reboot to check if your password survived the reboot process.
That should be it.
Thanks, but much better is to use a hash of default password ubnt, to get it, just run grep users.1.password /var/etc/default.cfg
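The edit to /var/tmp/system.cfg described in the steps above can be done without vi. This is an added example, not part of the original post: the function name `sync_cfg_password` is made up here, the file paths are arguments so it can be tried on copies first, and it assumes a POSIX shell with awk and grep is available.

```sh
#!/bin/sh
# Added example: copy one user's hash from a passwd-format file into the
# users.1.password= line of a key=value config file.
# Usage: sync_cfg_password PASSWD_FILE CFG_FILE USER
# Returns 0 on success, 1 if USER has no crypt hash, 2 if the key is missing.
sync_cfg_password() {
    passwd_file=$1 cfg=$2 user=$3

    # Field 2 of the matching record is the "$1$salt$hash" string.
    hash=$(CFG_USER=$user awk -F: '
        ($1 "") == (ENVIRON["CFG_USER"] "") { print $2; exit }
    ' "$passwd_file")
    case $hash in
        '$'*) ;;            # looks like a crypt string
        *) return 1 ;;      # empty, "x", "*" or "!": nothing usable to copy
    esac

    grep -q '^users\.1\.password=' "$cfg" || return 2

    # Rewrite only that key; every other line passes through unchanged.
    tmp="$cfg.new.$$"
    CFG_HASH=$hash awk '
        /^users\.1\.password=/ { print "users.1.password=" ENVIRON["CFG_HASH"]; next }
        { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 3; }
    mv -f "$tmp" "$cfg" || return 3

    # Confirm the stored line now matches the hash taken from the passwd file.
    [ "$(grep '^users\.1\.password=' "$cfg")" = "users.1.password=$hash" ]
}
```

On the device this would be called with /etc/passwd, /var/tmp/system.cfg and ubnt, followed by the save and reboot steps from the post.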

Getting username of current user in kernel space

I'm trying to implement a system call which prints hello "current username". I tried using getpwuid(getuid()) but it didn't work because I was unable to include pwd.h or unistd.h or sys/types.h. I currently have no idea how to do the work.
The Linux kernel has no notion of usernames; it knows only the user identifier (uid).
The mapping from uid to username is contained in the user database, which is stored in the file /etc/passwd. You need to parse this file to extract the username.

Prompt user for password with dialog window when using sudo

I need to execute a command with sudo and want to display a dialog window for the user to enter their credentials. Attempts to customize a prompt with Applescript have been nothing short of excruciating and using the built in "do shell script with administrator privileges" doesn't allow for customizing the window so the user knows where the request is coming from.
Surely, there is a way to display a window, have the user enter their credentials and send the values back to sudo to execute the command? cocoasudo looks promising but it also writes "cocoasudo" in the prompt window which I need to replace with the name of my application. Has anyone found a solution for implementing this kind of functionality?
Building custom windows is beyond the scope of basic applescript. You will need to expand your programming skills if you want this. You'll need to learn how to leverage the tools that Apple supplies for creating windows and such. Bottom line is you'll need to learn either AppleScriptObjC or Objective-C/Cocoa APIs and how to use them in Xcode.
With that said, if you're not into learning new stuff then use the tools you have. Something like this will work. You can customize the icon, the buttons, the text etc. you can even have a hidden answer to protect the user when entering passwords. There's lots you can do with Applescript without further learning...
display dialog "OSAScript will need an Admin User name and password in order to make your changes." & return & return & "Please enter an admin username." default answer "" with icon 2
set username to text returned of result
display dialog "OSAScript will need an Admin User name and password in order to make your changes." & return & return & "Please enter an admin password." default answer "" with icon 2 with hidden answer
set pssword to text returned of result
do shell script "osascript -e \"return 1\"" user name username password pssword with administrator privileges
In addition, consider that once you authenticate with sudo, you don't need to provide a password again for the next five minutes. That doesn't directly solve your problem, but it gives you more options for the way you interact with the user. The -n option to sudo prevents it from prompting for a password (the command runs, or sudo quits with an error).
You could use -n in combination with the -A option, which causes sudo to run a separate program whose only job is to collect and output a password. Would that let you use AppleScript to better do what you want?
If you are familiar with JavaScript, you can use the sudo-prompt module for Node to run your command using sudo and to prompt with a dialog window if necessary. The dialog is a native prompt raised by the operating system so that the user's password is never exposed to your application. You can also provide the name and icon of your application on macOS. The module also works on Windows and Linux.

How to Script Automated Root Password Changes?

Currently our process consists of logging into each *nix server and manually changing the password for each. My question is, what is a good way to automate this? I'm thinking of possibly a couple different ways to do this and would like input from others on what they recommend, use, etc.
One way I was thinking is a text file with a list of servers that need the password change and a script that prompts the user for the new password, stores it temporarily in the script and then remote connects into each server and runs the commands. Having a check to make sure the server is reachable or a timeout on the remote connection would be a good idea. Then have output to the console so the person running the script can see what servers were successful and which ones were not.
I was trying to think of another fully automated solution, but couldn't think of a good way to securely store the new password. Plus it is not a huge deal to me to have some user interaction and have to manually start the script as we only would need to do this 6 times a year.
Any thoughts, help, ideas would be greatly appreciated.
openssl passwd -1 "$rootpw"
Where $rootpw holds the string that will be your root password.
This will output a crypted string that you can just put in the file or whatever. I use this on a script that sets up virtual server instances that are provisioned from a database. I compute this hash before sending it over the network so the script that sets up the server can just use this hash instead of having to send it plain text.
To answer your question, each server would compute the hash slightly differently and result in a different hash, but all of those hashes would equate to the same password. You could use any one of these hashes and they would be functionally equivalent when used on any server, even though the actual content of the hash is different.
For example, I hashed foobar and these are the results:
rootpw=foobar
openssl passwd -1 $rootpw
$1$6pXamKGD$TKQqON1prArop7DpLOyAk1
openssl passwd -1 $rootpw
$1$4A4Mn16f$P7ap2AqNMRK8m72bG/Bve0
openssl passwd -1 $rootpw
$1$DyhsWEMX$i2wH6JpAqoHNFZ0YOBVHj/
openssl passwd -1 $rootpw
$1$m27FIj5e$LZPxVniAeUoZcuUoNHK8c/
openssl passwd -1 $rootpw
$1$qdX0NKm1$45rzxUj..LCJwWB/.fwGH0
Each of those hashes is different even when computed on the same machine but any of them can be used to equate to the password 'foobar' on any machine.
So just open /etc/shadow and paste that in there where you find the line:
root:$1$qdX0NKm1$45rzxUj..LCJwWB/.fwGH0:14415:0:99999:7:::
In my script I explode it at the :'s and update element [1] then concatenate the array back to a string and replace the string in the file. You can do it differently if you want, especially if you know the old value (which you can get by exploding it into an array).
I know this question is a few months old so you probably figured it out, but I'm putting this out there for any future googlers coming along and finding this.
You should compute whatever hash your servers compute on a password and send passwords in this secured, hashed form, ready to put into /etc/shadow.
I do not know however how to do that in practice.
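The field replacement described in the answers above (split the account's line at the colons, swap element [1] for the precomputed hash, write the file back), as an added shell example that is not the poster's script. The function name `set_shadow_hash` and the environment variable names are made up here, and it takes the file path as an argument so it can be tried on a copy of a shadow-format file.

```sh
#!/bin/sh
# Added example. Replaces only field 2 (the password hash) of one account in a
# shadow-format file. Usage: set_shadow_hash FILE USER HASH
# Returns 0 on success, 1 on bad input, 2 if USER has no entry in FILE.
set_shadow_hash() {
    file=$1 user=$2 rc=0
    [ -f "$file" ] && [ -n "$user" ] || return 1

    # Work on a copy in the same directory so the final mv is an atomic rename;
    # cp -p carries the mode (and, when run as root, ownership) over to the copy.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }

    # Values travel through the environment rather than -v, so awk applies no
    # backslash-escape processing to them.
    SH_USER=$user SH_HASH=$3 awk -F: -v OFS=: '
        BEGIN {
            u = ENVIRON["SH_USER"]; h = ENVIRON["SH_HASH"]
            # Accept only "$id$..." built from crypt(3) characters: a colon or
            # newline inside the hash would corrupt the record.
            if (h !~ "^[$][0-9A-Za-z]+[$][0-9A-Za-z./=$]+$") { bad = 1; exit 1 }
        }
        ($1 "") == (u "") { $2 = h; found = 1 }   # exact string match on name
        { print }
        END { if (bad) exit 1; if (!found) exit 2 }
    ' "$file" > "$tmp" || rc=$?

    if [ "$rc" -ne 0 ]; then rm -f "$tmp"; return "$rc"; fi
    mv -f "$tmp" "$file"
}
```

Feeding the password to `openssl passwd -1 -stdin` instead of passing it as an argument keeps it out of the process list while the hash is computed.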
