0

Basically the title. My friend provided me a script to batch change RHEL passwords via Powershell and PuTTY, but the new password I entered doesn't work when I try to log in. I think the issue is that it doesn't escape one of the special characters that's in the new password, but I can't figure out what the new password would have been.

The "new password" I used was similar to this: a1b2c3d"4e5f6g7

I attempted to replace the secure strings for regular strings, or use telnet instead of SSH with a packet capture to determine what exactly is being sent, but none of that has worked thus far.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
# Displays prompt
Write-Host "This will update the root password on the Linux Servers"

# Get the running directory
$rundirectory = Split-Path $MyInvocation.MyCommand.Path
#$rundirectory = Split-Path $rundirectory

# Get old root credential 
$oldrootPassword = Read-Host "Enter old root password" -AsSecureString
$oldrootCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "root", $oldrootPassword

# Get new root credential
$newrootPassword = Read-Host "Enter new root password" -AsSecureString
$newrootCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "root", $newrootPassword
$newrootPassword2 = Read-Host "Retype new root password" -AsSecureString
$newrootCredential2 = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "root", $newrootPassword2

# $gc = get-content \linuxservers.txt
if ($newrootCredential.GetNetworkCredential().Password -ceq $newrootCredential2.GetNetworkCredential().Password) {
    $templogfile = $rundirectory + "\Temp\log.txt"
    $tempchfile = $rundirectory + "\Temp\pwd_changes.txt"
    $log = $rundirectory + "\Logs\RHEL\Password_Changes_$(Get-Date -f MMddyyyy).log"
    $newrootPassword = $newrootCredential.GetNetworkCredential().Password
    $serverlist = $rundirectory + "\linuxservers.txt"

    Get-Content $serverlist | %{
        # Connects to host and stores SSH key in case it does not have one already
        echo y | plink.exe -ssh -pw $oldrootCredential.GetNetworkCredential().Password root@$_ exit
        # Opens a session to the server to use for disaster recovery
        putty.exe -ssh -pw $oldrootCredential.GetNetworkCredential().Password root@$_
        # Adds delay to complete login before password is changed
        Start-Sleep -Milliseconds 900
        # Command sent to host to change password that is then logged
        echo y | plink.exe -ssh -v -pw $oldrootCredential.GetNetworkCredential().Password root@$_ "echo root:'$newrootPassword' | chpasswd" 2>&1 >> $templogfile
        # Parses file and stores output in variable
        $outpt = cat $templogfile | Select-String "Session sent command exit status"
        # Adds server name and variable to changes file
        echo `n $_.ToUpper() `n$outpt `n "------------------------------------" >> $tempchfile
        # Removes the log file to be used again in loop
        Remove-Item $templogfile
        # Opens second PuTTY session to make sure password works
        putty.exe -ssh -pw $newrootCredential.GetNetworkCredential().Password root@$_
    }
} else {
    $writehost = "ERROR: New root passwords do not match. Exiting..."
}

if ($writehost -ceq "ERROR: New root passwords do not match. Exiting...") {
    Write-Host "ERROR: New root passwords do not match. Exiting..."
} else {
    # Places contents of results file in variable
    $pwresults = cat $tempchfile
    # Adds comment at top of file and creates new results file
    echo "Investigate all servers that do not have a command exit status of 0" $pwresults >> $log
    # Removes the changes file
    Remove-Item $tempchfile
    # Opens results file for administrator to investigate
    Invoke-Item $log
}

I expected the new password to be a1b2c3d"4e5f6g7; however, this does not work upon login.

Ansgar Wiechers
  • 193,178
  • 25
  • 254
  • 328
portland_admin
  • 1
  • 1
  • 1
    As a side note: what's the point of using secure strings when you need the passwords in clear text anyway? – Ansgar Wiechers Jul 14 '19 at 23:18
  • AFAICS the code should do what you want, unless there's a quoting issue with the command you're running via SSH. Please try setting a password without quotes in it to check that. – Ansgar Wiechers Jul 14 '19 at 23:29
  • Looks like it works without the quotes, but it won't work with the quotes. – portland_admin Jul 14 '19 at 23:39
  • Looks like it works without the quotes, but it won't work with the quotes. If I try a1b2c3d4e5f6g7 it works fine and sets that as the password. If I try a1b2c3d"4e5f6g7, it changes the password to something I don't know. – portland_admin Jul 14 '19 at 23:45
  • Sending a doubleuote to an external command has always been tricky for powershell. This doesn't even work for me in osx: `/bin/ls 'hi"there' ` See https://stackoverflow.com/questions/6714165/powershell-stripping-double-quotes-from-command-line-arguments – js2010 Jul 15 '19 at 00:51
  • Doubllequotes might only go through backslashed. `/bin/echo 'hi\"there'` – js2010 Jul 15 '19 at 01:46

1 Answers1

1

Try this. Backslash the doublequote. You might have changed it to the password without the doublequote. You need some way to undo these things if they don't work.

$newrootPassword = $newrootpassword -replace '"','\"'
js2010
  • 23,033
  • 6
  • 64
  • 66