Change Passwords for All Users on Linux Server
I've got 10 Linux servers that I need to lock down, by resetting the passwords for every single user all at once. The story behind this is long, but the general idea is that I need it to happen very quickly at a specific time. I'm going to use a single, tough password for all the user accounts (just initially), so this doesn't need to read from a password file or anything like that.
So what I need is the best way to script this out so I can reset all the passwords at once. I can extract a list of the user accounts with the cat /etc/passwd | cut -f1 -d: command, but that ends up including all of the accounts, including system accounts that I assume I shouldn't mess with.
So what's my best option here?
NOTE! When resetting passwords you also need to make sure to wipe anything extra from the ~/.ssh/authorized_keys file. Didn't remember this until after - thankfully I'd pretty much locked the servers down tightly and there was nothing in authorized_keys other than server-to-server stuff.
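The note above is the part that makes or breaks the reset: a leftover key in ~/.ssh/authorized_keys bypasses the new password entirely. The script below is an added example (not from the question or any of the answers) that inventories every account's authorized_keys and, once you know which entries are the legitimate server-to-server keys, trims each file down to an allow-list while keeping a backup. It assumes accounts and home directories come from PASSWD_FILE (default /etc/passwd, field 6); the allow-list format (one full public-key line per line) and the ".pre-reset" backup suffix are this example's own conventions.

```shell
#!/bin/sh
# Added example; not code from the question or any answer.
# Assumptions: PASSWD_FILE lists the accounts (home dir in field 6); an
# allow-list file holds one complete public-key line per line; backups
# are written next to the original with a ".pre-reset" suffix.
set -eu

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# key_lines FILE -> the key entries of an authorized_keys file; blank lines
# and "#" comment lines are not keys and are dropped.
key_lines() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" 2>/dev/null || true
}

# key_count FILE -> number of key entries in FILE
key_count() {
    key_lines "$1" | wc -l | tr -d ' '
}

# audit PASSWD_FILE -> "user:path:count" for every account whose home holds
# a non-empty authorized_keys, followed by the fingerprints from
# ssh-keygen -lf (one line per key, no key material printed).
audit() {
    awk -F: '$6 != "" { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user home; do
        f="$home/.ssh/authorized_keys"
        [ -f "$f" ] || continue
        n=$(key_count "$f")
        [ "$n" -gt 0 ] || continue
        printf '%s:%s:%s\n' "$user" "$f" "$n"
        ssh-keygen -lf "$f" 2>/dev/null | sed 's/^/    /' || true
    done
}

# keep_only KEYFILE ALLOWLIST -> rewrites KEYFILE so that only entries that
# appear verbatim in ALLOWLIST survive. The original is saved as
# KEYFILE.pre-reset (mode 600); with an empty ALLOWLIST every key goes.
# The file is rewritten in place so owner and mode stay as sshd expects.
keep_only() {
    f="$1"; allow="$2"
    [ -f "$f" ] || return 0
    cp -p "$f" "$f.pre-reset"
    chmod 600 "$f.pre-reset"
    tmp="$f.new.$$"
    # grep -Fxf: whole-line, literal matches; "no match" (exit 1) is fine here
    key_lines "$f" | grep -Fxf "$allow" > "$tmp" || true
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Only act when asked: `sh keys.sh audit` or `sh keys.sh keep FILE ALLOWLIST`.
case "${1:-}" in
    audit) audit "$PASSWD_FILE" ;;
    keep)  keep_only "$2" "$3" ;;
esac
```

Run the audit first and compare the fingerprints against the keys you know belong to the server-to-server jobs; only then build the allow-list and run keep. The backup means a wrongly dropped key can be restored by copying the .pre-reset file back.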
Solution 1:
You can select the UIDs >= 500 to make sure you only get real users and not system accounts and then use the option --stdin of passwd to change the password.
Something like this should work:
while IFS=: read -r u x nn rest; do if [ "$nn" -ge 500 ]; then echo "YOURSTRONGPASSWORD" | passwd --stdin "$u"; fi; done < /etc/passwd
Solution 2:
You can use something like the "newusers" command to update user passwords in batch mode. Create a file containing user:password combinations and load it via newusers... The password is entered unencrypted, but will be encrypted during the process.
newusers userpass.txt
userpass.txt would look like the /etc/passwd file. Same format.
I would copy /etc/passwd to a new file, delete the lines of system accounts and replace the second field, "x" with the generic password you wish to use, and then reimport using the newusers command.
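Solution 1 and Solution 2 both boil down to the same two steps: pick the accounts by UID range, then hand one password to a batch tool. The script below is an added example (not code from either answer) that does both: it reads the UID range from /etc/login.defs instead of hard-coding 500 (the boundary is 1000 on most current distributions), skips accounts whose shell is nologin or false, and emits either chpasswd(8) input (works on Debian and Red Hat alike, unlike passwd --stdin) or the passwd-format batch file newusers(8) expects. It assumes UID_MIN/UID_MAX come from LOGIN_DEFS (default /etc/login.defs, falling back to 1000-60000) and that the password is supplied through the NEW_PASSWORD environment variable so it never appears in ps output or shell history.

```shell
#!/bin/sh
# Added example; not code from the answers above.
# Assumptions: UID_MIN/UID_MAX from LOGIN_DEFS (default /etc/login.defs,
# fallback 1000-60000); accounts from PASSWD_FILE (default /etc/passwd);
# the new password arrives in the NEW_PASSWORD environment variable.
set -eu

LOGIN_DEFS="${LOGIN_DEFS:-/etc/login.defs}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# login_def KEY DEFAULT -> value of KEY from login.defs, or DEFAULT
login_def() {
    val=$(awk -v key="$1" '$1 == key { print $2; exit }' "$LOGIN_DEFS" 2>/dev/null || true)
    printf '%s\n' "${val:-$2}"
}

# regular_users PASSWD_FILE UID_MIN UID_MAX -> login names with a UID inside
# [UID_MIN, UID_MAX]. Accounts with a nologin/false shell are skipped too:
# they cannot log in anyway and are usually package-created service accounts.
regular_users() {
    awk -F: -v lo="$2" -v hi="$3" '
        $3 >= lo && $3 <= hi && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# chpasswd_lines PASSWD_FILE UID_MIN UID_MAX PASSWORD -> "user:password"
# lines, the input format of chpasswd(8). The password goes through
# ENVIRON rather than awk -v so backslashes in it are not reinterpreted.
chpasswd_lines() {
    regular_users "$1" "$2" "$3" | PW="$4" awk '{ print $0 ":" ENVIRON["PW"] }'
}

# newusers_lines PASSWD_FILE UID_MIN UID_MAX PASSWORD -> the selected passwd
# lines with field 2 replaced by the clear-text password, which is the batch
# file newusers(8) reads (Solution 2). All other fields are copied unchanged
# so newusers only has the password to update on each existing account.
newusers_lines() {
    PW="$4" awk -F: -v OFS=: -v lo="$2" -v hi="$3" '
        $3 >= lo && $3 <= hi && $7 !~ /(nologin|false)$/ { $2 = ENVIRON["PW"]; print }' "$1"
}

main() {
    lo=$(login_def UID_MIN 1000)
    hi=$(login_def UID_MAX 60000)
    case "$1" in
        dry-run)
            # Show who would be touched; never echo the password.
            regular_users "$PASSWD_FILE" "$lo" "$hi"
            ;;
        run)
            : "${NEW_PASSWORD:?set NEW_PASSWORD in the environment}"
            chpasswd_lines "$PASSWD_FILE" "$lo" "$hi" "$NEW_PASSWORD" | chpasswd
            ;;
    esac
}

# Only act when asked: `sh reset.sh dry-run`, then `NEW_PASSWORD=... sudo -E sh reset.sh run`.
case "${1:-}" in dry-run|run) main "$1" ;; esac
```

Run dry-run on each server first and read the list: anything that should not be there (a packaging leftover with a high UID, for instance) is a sign to tighten the selection before the real run.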
Solution 3:
Edit the shadow DB with:
vipw -s
which will lock the file against updates too, and then use your text-editor to replace the second field of every line which has a pw field.
Eg, use:
$ openssl rand -base64 12
gw9H5sqr8YioMdwd
$ openssl passwd -1
Password:
Verifying - Password:
$1$Nx/XBIYy$JGPhkX8DC9uJqggEFuKxP0
and then as root, use vipw -s; assuming that your text $EDITOR/$VISUAL is vi(m), then vipw will dump you into that and you might do:
:g/^[^:]*:[^*!:][^:]*:/s,:[^:]*:,:$1$Nx/XBIYy$JGPhkX8DC9uJqggEFuKxP0:,
which is a basic pattern match, and on lines matching that pattern do a substitution (just once per line). The pattern match excludes lines with a password field of '!' or '*', so it only sets passwords for users who already have passwords set, no matter what the uid is; this will protect you against cases where a packaging system created a "system" account with a high uid or whatever other nonsense some packager produced.
Note this will also reset the root password. If you want to exclude that, and root is on the first line, then replace the initial :g with :2,$g
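The selection rule in this answer (reset every account whose shadow field holds a real hash, not '!' or '*') is the most robust of the three, but hand-editing /etc/shadow under vipw is hard to repeat across ten servers at a fixed time. The script below is an added example, not the answer's own code, that applies the same rule non-interactively: it reads the shadow file, keeps only accounts with a real hash, and sets the new hash on each with usermod -p, which takes the shadow lock itself. It assumes the hash is produced by openssl passwd -6 (SHA-512 crypt, instead of the answer's MD5-crypt -1) from the NEW_PASSWORD environment variable, that SHADOW_FILE defaults to /etc/shadow, and, matching the note about the root line, that root is skipped unless INCLUDE_ROOT=1.

```shell
#!/bin/sh
# Added example; not code from the answer above.
# Assumptions: SHADOW_FILE (default /etc/shadow) is the file to scan; the
# hash is `openssl passwd -6` of NEW_PASSWORD; root is skipped unless
# INCLUDE_ROOT=1.
set -eu

SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"
INCLUDE_ROOT="${INCLUDE_ROOT:-0}"

# has_real_hash FIELD -> true when FIELD is a hash rather than empty, '!'
# (locked) or '*' (no password): the same test as [^*!:] in the vipw pattern.
has_real_hash() {
    case "$1" in
        ''|'!'*|'*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# users_with_password SHADOW_FILE INCLUDE_ROOT -> login names to reset
users_with_password() {
    while IFS=: read -r name pw _rest; do
        if [ "$name" = root ] && [ "$2" != 1 ]; then
            continue
        fi
        if has_real_hash "$pw"; then
            printf '%s\n' "$name"
        fi
    done < "$1"
}

# make_hash -> SHA-512 crypt of NEW_PASSWORD with a random salt
make_hash() {
    printf '%s\n' "${NEW_PASSWORD:?set NEW_PASSWORD in the environment}" |
        openssl passwd -6 -stdin
}

# reset_passwords SHADOW_FILE INCLUDE_ROOT HASH -> sets HASH on every
# selected account. One hash for all means all of them share one salt as
# well, which is acceptable for an interim password that is changed soon.
reset_passwords() {
    users_with_password "$1" "$2" | while read -r u; do
        usermod -p "$3" "$u"
    done
}

# Only act when asked: `sh shadow-reset.sh dry-run` or
# `NEW_PASSWORD=... sudo -E sh shadow-reset.sh run`.
case "${1:-}" in
    dry-run) users_with_password "$SHADOW_FILE" "$INCLUDE_ROOT" ;;
    run)     reset_passwords "$SHADOW_FILE" "$INCLUDE_ROOT" "$(make_hash)" ;;
esac
```

Because the hash is computed once and pushed with usermod -p, the script is idempotent and safe to run from a cron entry or a parallel ssh loop at the agreed minute on all ten servers; the dry-run output is the list you should review beforehand, since locked ('!') and passwordless ('*') accounts are left untouched by design.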