change user password using shell_exec function - shell-exec

I have created a new user and password. Now I need to change the username and password from the web page. I am able to change the username using usermod.
But I am not able to change to password using the passwd command.
Here the code:
shell_exec('(echo "'.$FTPpassword.'";sleep 1; echo "'.$FTPpassword.'") | passwd $FTPUserName');
Instead of $FTPUserName , if I send username test as :
shell_exec('(echo "'.$FTPpassword.'";sleep 1; echo "'.$FTPpassword.'") | passwd test');
it is updating password of the user "test".
Anyone know how to change the password of a user using shell_exec?
Regards,
Sowmya

Use --stdin flag. This option is used to indicate that passwd should read the new password from standard input, which can be a pipe.
shell_exec("echo $FTPpassword | passwd $FTPUserName --stdin");

Related

How to encrypt and decrypt user password for oracle databases in bash script

Question: I want to create user for oracle databases. For that i have created shell script, it will ask to enter the username and password. then these variables will be stored in SQL query to get output. Please find the below commands:
**Here password is in plain text. Please tell how to encrypt and decrypt the password which is giving in input form. ? **
**echo -n "Enter user to be created"
read USERNAME
echo -n "Enter new password"
read PASSWORD
output=`sqlplus -s '/as sysdba' <<EOF
CREATE USER "$USERNAME" IDENTIFIED BY "$PASSWORD"
DEFAULT TABLESPACE "$DETAB"
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
exit;
EOF`**
Your use of shell variables in general is a problem, from a security perspective. The instant you store the password in a shell variable, it can be read by other users on the system. A better approach would be to prompt the user for input as part of the SQL script, rather than in the shell:
create_user.sql:
-- get username
accept username char prompt 'Enter user to be created > ';
-- get password and hide value from screen
accept password char prompt 'Enter password > ' HIDE;
-- get default tablespace
accept detab char prompt 'Enter default tablespace > ';
set echo off;
CREATE USER &&username IDENTIFIED BY &&password
DEFAULT TABLESPACE &&detab
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
exit;
Then run the script like this:
sqlplus / as sysdba #create_user.sql
The script can now run without exposing the password value to the shell, or being echoed to the screen.
I've written previously on these types of issues. See here for more info: https://pmdba.wordpress.com/2020/01/13/how-to-hide-oracle-passwords-in-a-script/
As suggested in the comments, here the revised script
echo -n "Enter user to be created"
read USERNAME
echo -n "Enter new password"
read PASSWORD
output=`sqlplus -s '/nolog' >/dev/null 2>/dev/null <<EOF
WHENEVER SQLERROR EXIT SQL.SQLCODE
connect / as sysdba
CREATE USER "$USERNAME" IDENTIFIED BY "$PASSWORD"
DEFAULT TABLESPACE "$DETAB"
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
exit;
EOF`
success=`echo $? `
unset PASSWORD
echo $USERNAME
echo $success
echo $output
echo $PASSWORD
if $success returns 0 everything is ok. if not there is an error.
But $output and $PASSWORD are empty at the end of the execution
For debug purpose, do not redirect to /dev/null but you will see the password.
Passwords are stored encrypted inside Oracle as already said in the comments by other people helping you
Other suggestion
I think that the better solution is to force the User to Change the Password at First/Next Login
e.g Create the user with :
the option by a password expire
a dummy password and password expire option
expire the password using the command alter user $USERNAME password expire;.
By doing this Oracle will ask to the user to update his password at the first or next connection. The password issue will be managed by sqlplus directly (or by other tools).
You can add in your script
conn $USENAME/<dummypwd> and sqlplus will prompt for the new password

SSH user response prompt

We currently have several users that are using the admin user when logging into a server via SSH. They all have their own users but unfortunately they still occasionally use the admin one. We can lock this down of course and take action to make sure that user is never used, but I'm looking to see if there is a way to force each login to enter a reason why they are using that user, before they can login and access the server whenever they use the admin user.
This way we can have an easy way to compare access log files with employee names and the reason why they are using that user.
Any thoughts?
Here's what I would do.
Register everyone's ssh public key into admin user's authorized_keys. In each entry, set the environment EMPLOYEE to the employeename. This will require that PermitUserEnviroment be set to yes in /etc/ssh/sshd_config. A sample entry should look like below.
environment="EMPLOYEE=employee1" ssh-rsa AAAAB3NzaC1y.....EU88ovYKg4GfclWGCFYTuw8==
Now that we have an environment variable named EMPLOYEE, we can write a simple script to ask for the reason.
Create a file /etc/profile.d/reason.sh. The file does not need to be executable as it will be sourced.
if [[ $(whoami) = "admin" ]]; then
read -p "Please specify the reason for logging in as $USER user: " reason
if [ -z "$reason" ]; then
logout
fi
fi
Now you have $EMPLOYEE and $reason to log.
Here's a thought
#!/bin/bash
# if the user tries Ctrl+C to avoid this check
trap INT no_shell_for_you
no_shell_for_you() { exec /bin/false; }
read -p "Your username please: " username
if getent password "$username" >/dev/null 2>&1; then
echo "Welcome, $username"
# log $username somewhere
exec /bin/bash -l
else
no_shell_for_you
fi
Save that as ~admin_user/bin/get_real_user.sh
Add /full/path/to/admin_user/bin/get_real_user.sh to /etc/shells
Do sudo chsh -s /full/path/to/admin_user/bin/get_real_user.sh admin_user
This is untested. Test thoroughly before step 3.

how to pass a user password ,stored in config file to passwd command

I am trying to create linux users using a script . The username and corresponding password are stored in a config file.
config file is given below
username="user1"
password="passxxx"
using a shell script i am creating linux users with username and password provided in config file.
if [ -n "$username" ] then
password="$line"
sudo adduser $username
sudo passwd $username
Here i have to give the password in the config file. usually we have to type the required password twice to update the password information . Is there any way to update the password without typing ( use the password provided in config file) .
Use chpasswd instead of passwd to set passwords in batch mode.
Example:
sudo chpasswd <<<"$username:$password"
Or, it you're using other shell (not bash of version >=3.0):
echo "$username:$password" | sudo chpasswd

Force user to change password at next logon with Puppet

Can someone explain to me how you would force a user to change their password upon first login using Puppet and hiera/yaml?
Correct me if I'm wrong but I don't believe the user resource caters for such a thing...
The quickest way would be to declare a new exec resource with a command similar to the following:
passwd -e LOGIN
passwd -e expires the current password for the given LOGIN, so the user will be asked to change it during the next login.

sudo as another user with password from stdin

I am attempting to use sudo check to see if the password for the user is set to a standard password.
I have read that you can use the -S option to receive input from stdin
-S The -S (stdin) option causes sudo to read the password from
the standard input instead of the terminal device.
but when i run echo 'password' | sudo -S -u user command
it returns:
Password:
Sorry, try again.
Password:
sudo: 1 incorrect password attempt
Could somebody tell me what is off with this script?
Note: I have tried other methods to check the password but I am having a hard time finding a solution because I do not have: root access, a c compiler, or the availability to install programs like expect
Does your password end in a newline? Try:
printf password
or
echo -n password
Sudo is not expecting the password of the specified user, rather the password of the user calling "sudo":
http://en.wikipedia.org/wiki/Sudo

Resources