Recipe 8.18. Changing Masses of Passwords

8.18.1 Problem

As part of your routine security policy, you would like to be able to change batches of passwords easily and periodically. Or your network may have been compromised, so you want to change all the passwords yourself rather than leave it up to your users.

8.18.2 Solution

Use the mass_passwd script in Recipe 8.17. It lets you select batches of users in three different ways:

# mass_passwd username1 username2 ...
# mass_passwd -g groupname groupname ...
# mass_passwd -a

The first method uses a simple space-delimited list of logins.

The second method changes the passwords of users belonging to the named groups.

The third method changes every password in /etc/passwd.

Then mass_passwd generates a separate file for each user, containing their new login names and passwords and whatever instructions or policies you choose to include. This is designed to make it easy to print a separate instruction sheet for each user.

8.18.3 Discussion

You may do a dry run with the -n flag:

# ./mass_passwd -v -g -n usergroup
generating password for dawns.....teivuphu
generating password for nikitah.....kohfahsh
2 password(s) reset - see /root/mass_passwds/mass_passwd.log

No passwords are changed; this just lets you test-drive your options before committing to any changes.
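
Before a real run, especially with -a, it helps to see which accounts a selection covers. The read-only sketch below is an added example, not the mass_passwd script or code from the book: it resolves the three selection styles against constructed passwd and group data. The names PASSWD_FILE, GROUP_FILE and UID_MIN are invented here, and counting users whose primary GID matches the group is an assumption, since this page does not say how mass_passwd treats them.

```sh
#!/bin/sh
# Preview which logins each selection style (list, -g, -a) resolves to.
# Reads passwd(5)/group(5)-format files only; no password is changed.
# PASSWD_FILE, GROUP_FILE and UID_MIN are names invented for this sketch.

# Constructed sample data so the preview runs offline. Point the two
# variables at /etc/passwd and /etc/group to preview a real host.
SAMPLE=$(mktemp -d)
PASSWD_FILE=$SAMPLE/passwd
GROUP_FILE=$SAMPLE/group
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dawns:x:1001:1001::/home/dawns:/bin/bash
nikitah:x:1002:2000::/home/nikitah:/bin/bash
EOF
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
usergroup:x:2000:dawns
EOF

# List mode: keep only names that exist as logins, warn about the rest.
targets_list() {
    for u in "$@"; do
        if awk -F: -v u="$u" '$1 == u { f = 1 } END { exit !f }' "$PASSWD_FILE"
        then echo "$u"
        else echo "warning: no such login: $u" >&2
        fi
    done
}

# Group mode: members listed in the group file plus users whose primary
# GID is that group (those do not appear in the member list).
targets_group() {
    for g in "$@"; do
        gid=$(awk -F: -v g="$g" '$1 == g { print $3 }' "$GROUP_FILE")
        [ -n "$gid" ] || { echo "warning: no such group: $g" >&2; continue; }
        awk -F: -v g="$g" '$1 == g { print $4 }' "$GROUP_FILE" | tr ',' '\n'
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$PASSWD_FILE"
    done | sed '/^$/d' | sort -u
}

# All mode: every entry, then the subset below UID_MIN (system accounts).
targets_all() { awk -F: '{ print $1 }' "$PASSWD_FILE" | sort; }
system_accounts() {
    awk -F: -v min="${UID_MIN:-1000}" '$3 < min { print $1 }' "$PASSWD_FILE" | sort
}

echo "-g usergroup:" $(targets_group usergroup)
echo "-a includes system accounts:" $(system_accounts)
```

In the sample data nikitah belongs to usergroup only through the primary GID, so a tool that reads just the member field of /etc/group would miss that account.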

8.18.4 See Also
