
Automatically changing Linux user passwords in bulk

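2016-01-14 11:29
Usually many servers need their passwords changed at the same time. Rather than working through them one at a time, you can use the expect tool to change the passwords in bulk. Four files are involved: the IP address list (iplist.txt), the remote password-change script (password.sh), the script that supplies the password during copying (scp.exp), and the main password-change program (chpass.sh). Place all four files in /root; if you put them in another directory, change the corresponding paths in the scripts.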

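1. Install expect on the machine that will run the scripts. Installing from the rpm package requires the tcl package as a dependency; you can also install it with yum. Use mkpasswd to generate the passwords: each run produces one password, and it can be run as many times as needed.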

# mkpasswd -l 16 -s 3     # -l sets the password length to 16, -s sets the number of special characters to 3
*Vdmz{u(2uF8jvnz
2. Generate the public and private keys locally
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
04:60:67:87:bb:5f:bc:2a:27:14:eb:90:c5:9c:54:46 root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|    o.++E       |
|   . oo+        |
|     + o.       |
|      B.        |
|     o +S.      |
|    o +  o      |
|     + . . .    |
|      + o .     |
|       +..      |
+-----------------+
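3. Define the password-change script password.sh. This script is executed on the remote machines; set its permissions to 700. It can change the passwords of several users in one run; here it sets root and guest. The passwords in it were generated with mkpasswd and must be recorded, because once the script runs successfully the remote machines will be changed to these passwords.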
#!/bin/bash

# detect whether the current user is root
if [ "$UID" -ne 0 ]; then
    echo "only root can run this script"
    exit 3
fi

# set root's new password (generated with mkpasswd)
echo '*Vdmz{u(2uF8jvnz' | passwd --stdin root

# set guest's password, creating the account first if it does not exist
if id -u guest >/dev/null 2>&1; then
    echo "guest is already exist"
    echo 'wifxg4hgla9ID@:?' | passwd --stdin guest
    echo "old guest's password changed successful"
else
    useradd guest
    echo "user guest added successful"
    echo 'wifxg4hgla9ID@:?' | passwd --stdin guest
    echo "guest's password changed successful"
fi
4. Define the list of machines to change, iplist.txt, with one IP per line
192.168.18.131
192.168.18.132
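5. The script scp.exp enters the password automatically and performs the scp copy. It must be called with two arguments, the source file and the destination file. The value redhat in this script is the original root password of the machines being changed, and can be edited here. All target machines must start with the same root password; otherwise the bulk change cannot be completed in one pass.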
#!/usr/bin/expect
set timeout 20

if {[llength $argv] < 2} {
    puts "Usage:"
    puts "$argv0 local_file remote_path"
    exit 1
}

set local_file [lindex $argv 0]
set remote_path [lindex $argv 1]
# original root password of the target machines
set passwd redhat

# set to 1 once the password has been sent
set passwderror 0

spawn scp $local_file $remote_path

expect {
    "*assword:*" {
        # a second password prompt means the first attempt was rejected
        if { $passwderror == 1 } {
            puts "passwd is error"
            exit 2
        }
        set timeout 1000
        set passwderror 1
        send "$passwd\r"
        exp_continue
    }
    "*es/no)?*" {
        # answer the host key confirmation prompt
        send "yes\r"
        exp_continue
    }
    timeout {
        puts "connect is timeout"
        exit 3
    }
}
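6. Provide the main password-change program chpass.sh
The main program chpass.sh first uploads the public key id_rsa.pub and the password-change script password.sh to the target server, then runs password.sh there and deletes it once it has finished.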
#!/bin/bash

# change password for production system
# added by sunny 20160112
# mail:francis198@163.com

# detect whether the current user is root
if [ "$UID" -ne 0 ]; then
    echo "only root can run this script"
    exit 3
fi
# define an IP address list
IPLIST=/root/iplist.txt

for i in $(cat "$IPLIST")
do
    # copy the public key over the remote authorized_keys so the ssh step needs no password
    /root/scp.exp /root/.ssh/id_rsa.pub "root@$i:/root/.ssh/authorized_keys"
    # upload the password-change script, run it, then delete it
    /root/scp.exp /root/password.sh "root@$i:/root/password.sh"
    ssh "$i" '/root/password.sh && rm -f /root/password.sh'
done
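7. Run the script to carry out the password change
Enable session logging while it runs, so that the log can be reviewed afterwards and the change status compared.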
# ./chpass.sh
spawn scp /root/.ssh/id_rsa.pub root@192.168.18.131:/root/.ssh/authorized_keys
The authenticity of host '192.168.18.131 (192.168.18.131)' can't be established.
RSA key fingerprint is d6:7b:b0:d8:2b:5f:90:9a:b4:97:c9:1f:dc:f7:44:8b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.131' (RSA) to the list of known hosts.
root@192.168.18.131's password:
id_rsa.pub                                                          100%  396    0.4KB/s   00:00
spawn scp /root/password.sh root@192.168.18.131:/root/password.sh
password.sh                                                        100%  426     0.4KB/s  00:00
Changing password for user root.
passwd: all authentication tokens updated successfully.
guest is already exist
Changing password for user guest.
passwd: all authentication tokens updated successfully.
old guest's password changed successful
8. Check the log, filtering it to review the status of the password changes
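One way to do the filtering in step 8, as an added example that is not part of the original post. It assumes the output of chpass.sh was saved to a file; the function names, the log file name and the status labels are hypothetical, and the sample log is constructed.

```shell
#!/bin/bash
# Per-host summary of a saved chpass.sh session log (added example).
# Usage: check_chpass_log LOGFILE IPLIST [EXPECTED]
# EXPECTED defaults to 2: password.sh changes two accounts (root, guest).
check_chpass_log() {
    local log=$1 iplist=$2 expected=${3:-2}
    awk -v expected="$expected" '
        # First file is the IP list: remember the hosts we expect, in order.
        FILENAME == ARGV[1] { if ($1 != "") order[++n] = $1; next }
        # "spawn scp ... root@IP:/path" starts the work on one host.
        /^spawn scp / && match($0, /root@[0-9.]+:/) {
            host = substr($0, RSTART + 5, RLENGTH - 6); seen[host] = 1; next
        }
        # Messages that scp.exp prints when login fails or hangs.
        /passwd is error/    { err[host] = "bad-password" }
        /connect is timeout/ { err[host] = "timeout" }
        # passwd prints this once per account it changed.
        /all authentication tokens updated successfully/ { ok[host]++ }
        END {
            for (i = 1; i <= n; i++) {
                h = order[i]
                if (!(h in seen))                  s = "MISSING"
                else if (h in err)                 s = "FAILED:" err[h]
                else if (ok[h] + 0 < expected + 0) s = "INCOMPLETE:" (ok[h] + 0) "/" expected
                else                               s = "OK"
                print h, s
            }
        }
    ' "$iplist" "$log"
}

# Constructed sample, not real output: .131 succeeds, .132 is rejected by
# scp.exp, .133 is in the list but never appears in the log.
demo_chpass_log() {
    local d; d=$(mktemp -d)
    printf '%s\n' 192.168.18.131 192.168.18.132 192.168.18.133 > "$d/iplist.txt"
    cat > "$d/chpass.log" <<'EOF'
spawn scp /root/password.sh root@192.168.18.131:/root/password.sh
passwd: all authentication tokens updated successfully.
passwd: all authentication tokens updated successfully.
spawn scp /root/password.sh root@192.168.18.132:/root/password.sh
passwd is error
EOF
    check_chpass_log "$d/chpass.log" "$d/iplist.txt"
    rm -rf "$d"
}
demo_chpass_log
```

Hosts reported as MISSING or INCOMPLETE are the ones to recheck by hand, since they may still have the old password on one or both accounts.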