I would like a way to update my password on a remote Ubuntu 10.4 box with fabric.
I would expect my fabfile.py would look something like this:
def update_password(old_pw, new_pw):
# Connects over ssh with a public key authentication
run("some_passwd_cmd --old %s --new %s" % (old_pw, new_pd))
Unfortunately the only command I know of that lets one change the password is passwd, and on Ubuntu 10.4 there doesn't seem to be any way to pass in the new (or old) password as an argument to passwd.
What command could one use to change a user's password on Ubuntu 10.4 via fabric?
EDIT:
I've had a look at usermod -p, and that may work but it isn't recommended by the man page.
EDIT: For some reason usermod -p wasn't working either over fabric.
As well, I've tried a (somewhat insecure) variation on mikej's answer that did solve the problem:
# connecting & running as root.
from fabric.api import *
from fabric.contrib import files
files.append("%s\n%s" % (passwd, passwd), '.pw.tmp')
# .pw.tmp:
# PASSWD
# PASSWD
run("passwd %s < .pw.tmp" % user)
run("rm .pw.tmp")
It's not a very elegant solution, but it works.
Thank you for reading.
Brian
You could feed the new and old passwords into passwd using echo e.g.
echo -e "oldpass\\nnewpass\\nnewpass" | passwd
(the -e option for echo enables interpretation of backslash escapes so the newlines are interpreted as such)
The trick is to use a combination of usermod and Python’s crypt to change your password:
from crypt import crypt
from getpass import getpass
from fabric.api import *
def change_password(user):
password = getpass('Enter a new password for user %s:' % user)
crypted_password = crypt(password, 'salt')
sudo('usermod --password %s %s' % (crypted_password, user), pty=False)
I use chpasswd on Ubuntu 11.04
fabric.api.sudo('echo %s:%s | chpasswd' % (user, pass))
Note:
Normally this pattern doesn't work:
$ sudo echo bla | restricted_command
because only the 'echo' gets elevated privileges, not the 'restricted_command'.
However, here it works because when fabric.api.sudo is caled
with shell=True (the default), fabric assembles the command like this:
$ sudo -S -p <sudo_prompt> /bin/bash -l -c "<command>"
sudo spawns a new shell (/bin/bash), running with root privileges, and
then that escalated shell runs the command.
Another way to pipe with sudo is to use sudo tee:
Out of interest, I have to do a similar task on a collection of Solaris boxes (add a whole lot of users, set their password). Solaris usermod doesn't have a --password option, so in the past I've used Expect to do this, but writing Expect scripts can be painful.
So this time I'm going to use Python's crypt.crypt, edit /etc/shadow directly (with backups, of course). http://docs.python.org/release/2.6.1/library/crypt.html
Commenters have suggested using various echo incantations piped to passwd. AFAIK this will never work, as passwd is programmed to ignore input from stdin and only accept input from an interactive tty. See http://en.wikipedia.org/wiki/Expect
I had no luck with the other methods. Thought I would share my method that I used for a once-off throwaway script.
It uses auto-responder to type in passwords at the prompts. I then immediately expire all the passwords so that users have a chance to choose their own.
This is not the most secure method, but depending on your use case it may be useful.
from collections import namedtuple
from getpass import getpass
import hashlib
from invoke import Responder
import uuid
from fabric import Connection, Config
User = namedtuple('UserRecord', ('name', 'password'))
def set_passwords(conn, user):
print(f'Setting password for user, {user.name}')
responder = Responder(
pattern=r'(?:Enter|Retype) new UNIX password:',
response=f'{user.password}\n',
)
result = conn.sudo(f'passwd {user.name}', warn=True, hide='both',
user='root', pty=True, watchers = [responder])
if result.exited is not 0:
print(f'Error, could not set password for user, "{user.name}". command: '
f'{result.command}; exit code: {result.exited}; stderr: '
f'{result.stderr}')
else:
print(f'Successfully set password for {user.name}')
def expire_passwords(conn, user):
print(f'Expiring password for user, {user.name}')
cmd = f'passwd --expire {user.name}'
result = conn.sudo(cmd, warn=True, user='root')
if result.exited is not 0:
print(f'Error, could not expire password for user, "{user.name}". '
f'command: {result.command}; exit code: {result.exited}; stderr: '
f'{result.stderr}')
else:
print(f'Successfully expired password for {user.name}')
def gen_password(seed_string):
# Don't roll your own crypto. This is for demonstration only and it is
# expected to only create a temporary password that requires changing upon
# initial login. I am no cryptography expert, hence this alternative
# simplified answer to the one that uses crypt, salt, etc -
# https://stackoverflow.com/a/5137688/1782641.
seed_str_enc = seed_string.encode(encoding='UTF-8')
uuid_obj = uuid.UUID(int=int(hashlib.md5(seed_str_enc).hexdigest(), 16))
return str(uuid_obj)[:8]
def some_function_that_returns_something_secret(conn):
return f'dummy-seed-{conn}'
sudo_pass = getpass('Enter your sudo password:')
config = Config(overrides={'sudo': {'password': sudo_pass}})
with Connection('vm', config=config) as vm_conn:
print(f'Making a new connection to {vm_conn.host}.')
# I usually use the sudo connection here to run a command that returns a
# reproducible string that only the sudo user could get access to be used
# for user_record.password bellow. Proceed with caution, this is not a
# recommended approach
seed = some_function_that_returns_something_secret(vm_conn)
user_record = User(name='linux_user', password=gen_password(seed))
set_passwords(vm_conn, user_record)
expire_passwords(vm_conn, user_record)
print(f'Done! Disconnecting from {vm_conn.host}.')
# So that you know the temporary password, print user_record or save to file
# `ssh linux_user#vm` and it should insist that you change password
print(user_record)
Related
I want to log in to two hosts using parallel-ssh and execute su command. Then I want to confirm that I am the root user by printing out whoami
Code:
hosts = ['myHost1', 'myHost2']
client = ParallelSSHClient(hosts, user='myUser', password='myPassword')
output = client.run_command('su')
for host in output:
stdin = output[host].stdin
stdin.write('rootPassword\n')
stdin.flush()
client.join(output)
output = client.run_command('whoami')
for host, host_output in output.items():
for line in host_output.stdout:
print("Host [%s] - %s" % (host, line))
Result:
Host [myHost1] - myUser
Host [myHost2] - myUser
Obviously, I expect root in the output. I am following the documentation.
I've tried using all different line endings instead of \n and nothing has changed.
How can I execute su command using parallel-ssh?
Try this:
**def exec_command(hosts):
strr = ""
client = ParallelSSHClient(hosts, user='admin', password='admin_password')
cmd = 'echo root_password |su -c "commmand" root'
output = client.run_command(cmd)
client.join()
for host_out in output:
for line in host_out.stdout:
strr+=line+" "
return strr
**
'echo root_password |su -c "command" root'
try to put sudo=True at the end of run_command
output = client.run_command(<..>, sudo=True)
like in docs
It turns out that what I am trying to do is not achievable.
The first problem
I found in this post that all commands are in their own channel. That means that even if su would be successful it wouldn't affect the second command. The author of the post recommends running
su -c whoami - root
The second problem
I managed to debug the problem even further by changing host_output.stdout to host_output.stderr It turned out that I receive an error which previously was not being shown on the terminal:
standard in must be a tty
Possible solutions to this problem are here . They didn't work for me but might work for you.
For me workaround was to allow on all my hosts root login. And then in parallel-ssh I log in as a root already with all the rights in place.
i defined a function that switch my proxy settings every now and then,
problem is that i want it to run in a loop without manual intervention. But when i execute the program in sudo it gets called the first time en runs smoothly, second time it asks me for my sudo password. Here is the bit of code:
def ProxySetting(Proxy):
print "ProxyStetting(Proxy)"
call("networksetup -setwebproxy 'Wi-Fi' %s" "on" % Proxy, shell = True)
call("networksetup -setsecurewebproxy 'Wi-Fi' %s" "on" % Proxy, shell = True)
call("networksetup -setftpproxy 'Wi-Fi' %s" "on" %Proxy , shell=True)
I could use threading but am sure there is a way of doing it that wont cause problems. How can i hard code my sudo password so that it runs at the beginning of the function?
Here you can execute a command sudo without interactive prompt asking you to type your password :
from subprocess import call
pwd='my password'
cmd='ls'
call('echo {} | sudo -S {}'.format(pwd, cmd), shell=True)
Another method of passing your password to a shell command through python that wouldn't involve it showing up in any command history or ps output is:
p = subprocess.Popen(['sudo', self.resubscribe_script], stdin=subprocess.PIPE)
p.communicate('{}\n'.format(self.sudo_password))
Note that using communicate will only allow one input to be given to stdin; there are other methods for getting a reusable input.
I am trying to login as a user using pexpect and trying to print all the crons available :
import pexpect
import os, time
passwd = "mypass"
child = pexpect.spawn('su myuser')
child.expect('Password:')
child.sendline(passwd)
child.expect('$')
child.sendline('crontab -l')
i =child.expect(['%','.*$', '$' ])
print i # prints 1 here so, the shell is expected.
print child.before # this doesn't print anything though.
This code doesn't seem to be working and prints empty line.
Couldn't figure out the issue with this code
If there is any better way to list cron job of other user, given username and password
Any pointers or suggestions would be much appreciated.
If you can arrange to configure password-less sudo access, then the above simply becomes:
import subprocess
output = subprocess.check_output('sudo -u myuser crontab -l', shell=True)
If you need to continue using su, then you can pass it a command and avoid trying to parse shell prompts:
import pexpect
passwd = "mypass"
child = pexpect.spawn('su myuser -c "crontab -l"')
child.expect('Password:')
child.sendline(passwd)
child.expect(pexpect.EOF)
print child.before
I'm trying to create a powershell script which will enter a password coming from the Credential Manager into the password input of a Python script. In this older post, I found some information on how to start a process with Powershell and then enter some text in the STDIN but for some reason, this method does not work for me. I execute the python script and it just keeps waiting for a password input in the Powershell command line window.
This is the code and it executes the Python script correctly which asks for a password, but nothing happens after that. I can enter the password manually and click enter, but that is not the purpose of course. Then I can just execute the python script by itself.
$executingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
. $executingScriptDirectory\CredMan.ps1
$launcherScript = Join-Path $executingScriptDirectory "launcher.py"
$credTarget = 'some-target-in-credential-manager'
Write-Host "Loading password from Windows credmgr entry '$credTarget' ..."
[object] $cred = Read-Creds $credTarget
if ($cred -eq $null)
{
Write-Host ("No such credential found: {0}" -f $credTarget)
Exit 2
}
# Found the credential; grab the password and boot up the launcher
[string] $password = $cred.CredentialBlob
Write-Host "Launching $launcherScript ..."
Write-Host "Password: '$password'"
$psi = New-Object System.Diagnostics.ProcessStartInfo;
$psi.Arguments = "$launcherScript "
$psi.FileName = "python.exe";
$psi.UseShellExecute = $false; # start the process from its own executable file
$psi.RedirectStandardInput = $true; # enable the process to read from stdin
$p = [System.Diagnostics.Process]::Start($psi);
Start-Sleep -s 2 # wait 2 seconds so that the process can be up and running
$p.StandardInput.WriteLine($password);
$p.WaitForExit()
What could the problem be? The password is requested in the python script with this line and so uses the getpass module.
password = getpass.getpass("Enter your password: ")
Thank you for your help.
If you need any more information, just request it :).
I suppose the Python process does not read the password from the STDIN stream but directly from the terminal the process is attached to. This terminal stream is not subject to any redirects you happen to install before starting the subprocess, so writing to the process's STDIN will not influence this. The fact that you can type your password directly using the keyboard into the Python process and that it accepts it proves me right, I'd say.
In your case you need to tweak the Python process to read the PW from somewhere else, e. g. by passing a special option (totally depending on your Python process of course) or by patching the Python source itself.
Maybe there also are Windows-specific ways to simulate keyboard presses, but that I would call a very ugly a hack and thus cannot recommend.
Alfe, thank you for showing me the right direction to solve this problem.
I've adjusted the python script so that it accepts parameters on the command line and the parameter for the password can be given after the -p option, so like this:
$ script.py -p "password"
To do this from the powershell script, I used this code to first get the credential out of the Windows Credential Manager and give it as a parameter to the python script.
I used an existing script to be able to get the credentials out of the credentials manager, namely the CredMan.ps1 script.
# Get the path of where this script is being invocated to reference to the script files in the same directory as this script.
$executingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
# Include external script to speak with Credential Manager
. $executingScriptDirectory\CredMan.ps1
$launcherScript = Join-Path $executingScriptDirectory "script.py"
$credentialTarget = "name-of-credential-in-manager"
[object] $cred = Read-Creds $credentialTarget
if ($cred -eq $null) {
Write-Host ("No such credential found: {0}" -f $credentialTarget)
Exit 2
}
# Found the credential; Grab the password and execute the script with the password
[string] $password = $cred.CredentialBlob
# Execute python script with password given as parameter
$exe = "python.exe"
&$exe $launcherScript -p $password
Thank you for your help and I hope you understand the given answer.
Python script is designed to run with elevated credentials, unfortunately
it still prompts me for password
when I enter the correct password it doesn't work
Here is script1, which calls script2 with elevated credentials
import os
import sys, subprocess, socket, string
import wmi, win32api, win32con
import win32com.shell.shell as sh
ASADMIN = '/user:DOMAIN\username'
os.system('"runas /user:DOMAIN\username "D:/Python27/python.exe script2.py sender-ip=10.10.10.10 < password.txt""')
sys.exit(0)
if sys.argv[-1] != ASADMIN:
script = os.path.abspath(sys.argv[0])
params = ''.join([ASADMIN] + ['D:\Python27\python.exe',script] + sys.argv[1:])
sh.ShellExecuteEx(lpVerb='runas',lpFile=sys.executable,lpParameters=params)
sys.exit(0)
Here is script2
import sys, subprocess, socket, string
import wmi, win32api, win32con
for args in [item.strip('sender-ip=') for item in sys.argv[1:]]:
userIP = args
userloggedon = ""
# perform system lookup of IP address
userIP = "\\\\" + userIP
pst = subprocess.Popen(
["D:\pstools\psloggedon.exe", "-l", "-x", userIP],
stdout = subprocess.PIPE,
stderr = subprocess.PIPE
)
out, error = pst.communicate()
userLoggedOn = out.split('\n')[1].strip()
print 'userId={}'.format(userLoggedOn)
f = open('D:\SymantecDLP\Protect\plugins\output.txt', 'w')
f.write('userId={}'.format(userLoggedOn))
output.txt is not created
Any ideas?
EDIT
I also read this thread, How to supply password to runas command when executing it from java
but no matter what I try I keep getting the error
Attempting to start c:\test.bat as user "DOMAIN\username" ...
RUNAS ERROR: Unable to run - c:\test.bat
1326: Logon failure: unknown user name or bad password.
Let's talk about your problems one at the time.
1. It still prompts me for password
In the line
os.system('"runas /user:DOMAIN\username "D:/Python27/python.exe script2.py sender-ip=10.10.10.10 < password.txt""')
you're providing the password to script2. runas command still need a password since is trying to run a program as another user.
2. When I enter the correct password it doesn't work
Well ... The code does'n work that's clear. But, you have to be more specific when asking a question. Right now a look to your code and I can see that you're trying to do ping on a remote machine.
Might the remote machine has a firewall?
Have you tryed doing ping manually?
Edit: The output.txt file is not created, and running the script don't tell you nothing about error writting the file, obviously your code is hitting one of the sys.exit() lines.
You can use PsExec
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
You can supply a username and password and executing does not need to be elevated to admin:
psexec [\computer[,computer2[,...] | #file]]\ [-u user [-p psswd] [-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-][-a n,n,...] cmd [arguments]
Use the -e switch to give the same results as Runas /netonly:
-e Does not load the specified account’s profile.