Changing a password with one command in FreeBSD - passwords

How can I, as a simple user, change my own password with one command (in one line) in FreeBSD. I tried using passwd --stdin but that seems like it's a Linux command only.

Use the pw command to take input from STDIN like this:
echo "mynewpassword" | pw usermod admin -h 0
See man pw for more details.

Just type passwd and follow the prompts.
Also man 1 passwd for documentation.
Update with a copy of my comment, below, from September 2013:
The whole point about passwd is to make that hard for automated password changers to guess passwords. If you have a port like expect on the system you could script it. If you are root, you could use pw usermod username -h0. If you're just an ordinary user, just do it interactively.

Related

finding out sudo password on ssh server

I need to do a sudo command on a ssh server.
It asks for password
[sudo] password for myname:
but it's apparently different from the password for ssh server itself.
Can sudo only be used by root?
If not, should I ask the maintenance people for the password?
Or is there a way to set it up myself?
See : http://www.gratisoft.us/sudo/sudoers.man.html
Specifically see rootpw, targetpw , etc.
It is possible to have two different passwords, one for the account and another for the sudo command.
You should ask to the Maintenance people....

How should I set password for a user I created using ssh?

I have 20 machines where I need to create a user and set his password. I can create the accounts and set the passwords using a for loop. The inside of the for loop is given as follows
ssh -t user1#$node_name 'sudo useradd user2'
ssh -t user1#$node_name 'sudo passwd user2'
However, this requires me to input the password for user1 first and then input the new password for user2. I tried it for 2 machines and it works. I however do not like the wasteful effort involved and am guessing there would me a more efficient way of doing so. Any ideas?
To remove the need to enter user1's password, you can mess with the sudo -A or -a options on $node_name to get authentication to happen automatically in some other way.
To remove the need to type user2's password, you can try something like this:
ssh -t user1#$node_name "sudo echo $newpass | useradd user2 --stdin"

Respond y(es) to psftp host key prompt

I am creating a script file programmatically and call psftp.exe as follows:
psftp user#hostname.com -pw password -b psftpscript.txt
but it prompts for user input
The server's host key is not cached in the registry. You have no
guarantee that the server is the computer you think it is. The
server's rsa2 key fingerprint is: [ssh-rsa 1024 somekey]
If you trust this
host, enter "y" to add the key to PuTTY's cache and carry on
connecting. If you want to carry on connecting just once, without
adding the key to the cache, enter "n". If you do not trust this host,
press Return to abandon the connection. Store key in cache? (y/n)
I need it to be completely prompt free, automatic.
I tried -batch parameter but it just abandons the connection
I had the same problem with running a unattended script in Windows Server 2008's 'sandbox' like environment. I ended up running the following which enters the y at the prompt for you:
echo y | psftp user#hostname.com -l username -pw password -b psftpscript.txt
Hope this helps!
Note: I only had to run the echo y once and removing it for the 2nd run didn't ask for the key to be cached anymore.
When you run it the first time, it will show you your key for the server.
Copy the key and then on your command line, specify your host key like this:
psftp example.com -hostkey 06:15:d4:3b:e4:e8:23:c0:d6:6d:45:47:7e:bd:8d:74 -l yourusername -pw yourpassword -batch
You can create a file as input containing just a y and carriage return then run
psftp user#hostname.com -pw password -b psftpscript.txt < filename.txt
Thanks to James from http://www.sqlservercentral.com/Forums/Topic281954-9-1.aspx for such a simple solution
This doesn't answer your question directly, but provides a possible workaround:
Launch a command prompt as the user who will be running your script and manually accept the certificate. Then upon future connections, you won't have the issue.
Given your need, beyond what has been stated, this may or may not work. I came to this question with the same problem and ended up resolving it using the approach I've just described.
In .Net, I found that the above method didn't work quite as expected. The trick was to use .Net's built-in input redirection - and not the < operator. Here's what the code looks like now:
System.Diagnostics.Process proc = new System.Diagnostics.Process();
proc.EnableRaisingEvents = false;
proc.StartInfo.FileName = "c:\\psftp.exe";
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.RedirectStandardInput = true;
proc.StartInfo.Arguments = strIP + " -v -l " + strUsername + " -pw " + strPassword + " -b " + strBatchFilename;
proc.Start();
StreamWriter myStreamWriter = proc.StandardInput;
myStreamWriter.WriteLine("Y\n"); //override the public key question <---
myStreamWriter.Close();
proc.WaitForExit();
proc.Close();
I had the problem where I didn't have the permission to delete \ rename file over the remote server and the files contains time stamp.
So I needed to download files by name.
The psftp can't accept params (or any way I was aware of) and I couldn't dynamically change the file names according to the current date.
So, from the batch file which I'm calling the psftp commands I created the commands dynamically and with the file with the relevant time stamp.
I could copy only the today files which is better the then copy everything each time.
cd "C:\Files"
echo cd outbound > C:\SFTP\temp.txt
echo mget file_%date:~10,4%%date:~4,2%%date:~7,2%*.csv >> C:\SFTP\temp.txt
echo quit >> C:\SFTP\temp.txt
echo close >> C:\SFTP\temp.txt
C:\SFTP\psftp user#ftp.address.com -b C:\SFTP\temp.txt
close
exit
The "echo cd outbound > C:\SFTP\temp.txt" cleaned the old file and start writing the content of the new file.
The "echo mget file_%date:~10,4%%date:~4,2%%date:~7,2%.csv >> C:\SFTP\temp.txt" resulted in creating the the command: "mget file_20151008.csv " which downloads all files which starts with "file_20151008..." the next 2 rows just ended the action and the line "C:\SFTP\psftp user#ftp.address.com -b C:\SFTP\temp.txt" execute it.
as results temp.txt looks like this:
cd outbound
mget file_20151008*.csv
quit
close
I ended up adding the key to cache by entering 'y' to the prompt. I had to do it only once, and after that no more prompts, it works good.
I think it should also be noted that if you are intending to use psftp in an unattended manner that you MUST include the -batch option. This will ensure that psftp does not provide any interactive prompts.
In the event user input would be required, psftp would abort. (e.g. ask user to cache host key, ask for password, etc.)
This will ensure that your process doesn't 'hang' and allow your automation to alert someone that there is an issue.
I think there is a problem with your command line.
Usage: psftp [options] [user#]host
Try:
psftp -pw password -b psftpscript.txt user#hostname.com
None of the above suggestions worked for me, but I did figure out something that DID work for me.
I made 2 entries in my batch file for it to work.
The first entry causes a connection to cache in the registry.
The second entry will connect automatically because now the hostkey is cached in the registry.
echo y | psftp.exe username#hostname.com -pw password
psftp.exe username#hostname.com -pw password -v -be -batch -b psftp_upload_command.bat

how to ssh / su - by passing the password initially itself?

Anyone knows how to ssh / su - by passing the password initially itself?
Like:
ssh username#hostname -p [password]
pbrun su - unix_owner -p [password]
How can I achieve this?
It shouldn't popup for password or any RSA authentication like yes/no.
I think you will probably need a sudoers file to get stuff done in a su like manner without being prompted for a password.
I have never used ssh without a password prompt, but found this which suggests it can be done...
passing a password in clear text is not intended by ssh.
Try to learn about ssh key authentication (google would help), you won't need to type your password anymore.
ok, more detailed, try this:
on the remote machine
> mkdir -p ~/.ssh #if neccessary
> touch ~/.ssh/authorized_keys2
> chmod go-rwx $HOME/.ssh/authorized_keys2
on your local machine:
> ssh-keygen # if neccessary
> cat ~/.ssh/id_rsa.pub | ssh root#remotehost "cat >> .ssh/authorized_keys2 && chmod 0600 ~/.ssh/authorized_keys2"
A better approach would be using ssh keys, like other answers recommend, but if you really need it, you can use expect for that.
Just create a expect.file like this one:
#!/usr/bin/env expect
set username youruser
set pass yourpassword
set host yourhost
spawn ssh ${username}#${host}
expect -re "password:"
send "${pass}\r"
expect -re "$"
interact
and execute it:
expect expect.file
Can't do it. You're invoking the passwd program on the remote machine. If it had a way to change a password without prompting for the old one, ANYONE could change your password if they got onto your console. You'd still need to pass the password in over the ssh link
As for SSH, you could use RSA keys, and those won't prompt you for passwords.
As for SU, it would have to be hardcoded or you would have to create your own application to serve as a wrapper of sorts.
I don't think you can pass in password directly to the ssh command (It will be stored in your history otherwise). Why don't you use keys to skip the authentication prompt.

How to make ssh receive the password from stdin

How can you make SSH read the password from stdin, which it doesn't do by default?
based on this post you can do:
Create a command which open a ssh session using SSH_ASKPASS (seek SSH_ASKPASS on man ssh)
$ cat > ssh_session <<EOF
export SSH_ASKPASS="/path/to/script_returning_pass"
setsid ssh "your_user"#"your_host"
EOF
NOTE: To avoid ssh to try to ask on tty we use setsid
Create a script which returns your password (note echo "echo)
$ echo "echo your_ssh_password" > /path/to/script_returning_pass
Make them executable
$ chmod +x ssh_session
$ chmod +x /path/to/script_returning_pass
try it
$ ./ssh_session
Keep in mind that ssh stands for secure shell, and if you store your user, host and password in plain text files you are misleading the tool an creating a possible security gap
You can use sshpass which is for example in the offical debian repositories. Example:
$ apt-get install sshpass
$ sshpass -p 'password' ssh username#server
You can't with most SSH clients. You can work around it with by using SSH API's, like Paramiko for Python. Be careful not to overrule all security policies.
Distilling this answer leaves a simple and generic script:
#!/bin/bash
[[ $1 =~ password: ]] && cat || SSH_ASKPASS="$0" DISPLAY=nothing:0 exec setsid "$#"
Save it as pass, do a chmod +x pass and then use it like this:
$ echo mypass | pass ssh user#host ...
If its first argument contains password: then it passes its input to its output (cat) otherwise it launches whatver was presented after setting itself as the SSH_ASKPASS program.
When ssh encounters both SSH_ASKPASS AND DISPLAY set, it will launch the program referred to by SSH_ASKPASS, passing it the prompt user#host's password:
An old post reviving...
I found this one while looking for a solution to the exact same problem, I found something and I hope someone will one day find it useful:
Install ssh-askpass program (apt-get, yum ...)
Set the SSH_ASKPASS variable (export SSH_ASKPASS=/usr/bin/ssh-askpass)
From a terminal open a new ssh connection without an undefined TERMINAL variable (setsid ssh user#host)
This looks simple enough to be secure but did not check yet (just using in a local secure context).
Here we are.
FreeBSD mailing list recommends the expect library.
If you need a programmatic ssh login, you really ought to be using public key logins, however -- obviously there are a lot fewer security holes this way as compared to using an external library to pass a password through stdin.
a better sshpass alternative is :
https://github.com/clarkwang/passh
I got problems with sshpass, if ssh server is not added to my known_hosts sshpass will not show me any message, passh do not have this problem.
I'm not sure the reason you need this functionality but it seems you can get this behavior with ssh-keygen.
It allows you to login to a server without using a password by having a private RSA key on your computer and a public RSA key on the server.
http://www.linuxproblem.org/art_9.html