Changing passwords

This is a blog entry from the category “Just because you can do it this way, you should not necessarily do it this way”, although the example avoids the biggest mistake people make when using scripts to change passwords. Whatever you do, never specify the password on the command line. Other users could simply look at the process list to see this password. It could end up in diagnostic tools that dump the process table from time to time; it could end up in system management tools. Or, in short: you don’t know where the command line with the password ends up.

For quite a while now, passwd has been able to set a password hash directly; the -p option is used for this. But how do you get the hashed password?

Since Solaris 11.3, Solaris includes a tool that delivers exactly this. It’s called pwhash. So when you want to do script-based mass changes of passwords, you can do it as I will show you in an example shortly.

I’m aware that I’m using an example that uses the command line to create the file. This is the very thing I warned you about above: you should use an editor or a command generating a random string to put the password into passwdfile, something that doesn’t put the password on the command line. Ensure that the file is only accessible by the user who will execute the commands. I used the command line here only to simplify the example:

root@solaris:~# echo "justanothernewpassword" > passwdfile
root@solaris:~# chmod 600 passwdfile
root@solaris:~# passwd -p `cat passwdfile  | pwhash -s '$5$narfsalt'` junior
passwd: password information changed for junior

Of course you could and should run the construct without hard-coding the salt. The example was chosen this way to demonstrate that quotes work in this command. Without the option, the defaults kick in:

root@solaris:~# passwd -p `cat passwdfile  | pwhash` junior
root@solaris:~# grep "junior" /etc/shadow
junior:$5$rounds=10000$6DI0e.11$zpb8P7OOLp2IeHnNRyxqzWwUUKaq14BFDzi/Ve2xDLB:18726::::::

Let’s try this:

% ssh -p 10022 junior@127.0.0.1
Password: justanothernewpassword
Last login: Fri Apr  9 08:21:45 2021 from 10.0.2.2

Of course the cat passwdfile could be some script that auto-generates a password and prints it to a locally attached printer ( … and then pour gasoline on the file and burn it before deleting it), for example if you need to change all the passwords and hand the new password in an envelope to each user.