Changing passwords en masse

As part of my day job I have to routinely change my password on more than 600 systems. Seeing as how I'm a unix administrator and thus inherently lazy (read: averse to doing work that I can make the computer do for me), I find changing the passwords 1) time consuming, 2) error prone, and 3) tediously annoying. So, like any seasoned unix administrator, I wrote a script to do it for me. Except that still wasn't good enough for me, so I optimized the process. Now my workstation will change and verify 400 to 500 passwords for me in about 15 minutes. Best of all, this process runs in the background unattended so I can focus on doing other things, like updating dotFiles.

As you might have guessed, I use PWVault to store my passwords and PWChanger to change them. However, they are just the grunt workers of the process. The real magic is what I have them do and how I have them do it. First, I use the following find command to find passwords that were changed more than 14 days ago but less than 60 days ago.

find ~/.pwvault/servers/ -mtime +14 -mtime -60 -name '*.gpg'

Then I use the following sed command to clean up the output of the above command to get just the host names, not the leading path or the trailing extension. Note the use of "." in place of the forward slashes: "." matches any single character, so it stands in for each "/" and makes escaping them unnecessary.

sed -e 's/.home.tgtaylor..pwvault.servers.\(.*\).gpg/\1/' | sort

Of course I run the list of servers through sort to satisfy my CDO.

After that is when the magic starts. I use "xargs" to transform the multi-line listing into a single line of space-delimited host names. Then I feed that string into parallel, which, based on its parameters, will execute 20 separate sub-processes at the same time until the entire string of host names has been processed. $MAGIC++ Parallel then calls an iconized (minimized) xterm, which calls pwchanger to do the dirty work.

xargs parallel -i -j 20 xterm -iconic -T {} -e pwchanger {} --

Magic

  1. The process by which parallel spawns and manages sub-processes which change passwords for individual systems.
  2. The use of xterm to provide a TTY to each pwchanger process to appease passwd on the remote systems.

So, the entire command that I run every couple of weeks is as follows:

find ~/.pwvault/servers/ -mtime +14 -mtime -60 -name '*.gpg' | sed -e 's/.home.tgtaylor..pwvault.servers.\(.*\).gpg/\1/' | sort | xargs parallel -i -j 20 xterm -iconic -T {} -e pwchanger {} --
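
The selection stage of that pipeline (find, sed, sort) as a shell function, added here as an example and not part of the author's script: it strips the path without hard-coding the home directory and leaves out vault entries whose names would not be safe as arguments to xterm and pwchanger. The function names, the allowed character set and the demo vault are assumptions made for this example.

```shell
# Added example, not the author's script. Function names are hypothetical.
# Assumes one <host>.gpg file per host, as the sed expression above implies,
# and GNU touch for the constructed demo data.

# Glob that matches any name containing a character outside [A-Za-z0-9._-].
BAD_NAME='*[!A-Za-z0-9._-]*'

# stale_hosts DIR [MIN_DAYS] [MAX_DAYS]
# Print hosts whose entry is older than MIN_DAYS and newer than MAX_DAYS.
# Names starting with "-" (would be read as an option by xterm or pwchanger)
# or containing whitespace and other unexpected characters (would be split
# or mangled by xargs) are left out.
stale_hosts() {
    LC_ALL=C find "$1" -type f -name '*.gpg' \
        -mtime +"${2:-14}" -mtime -"${3:-60}" \
        ! -name '-*' ! -name "$BAD_NAME" |
    sed -e 's|.*/||' -e 's|\.gpg$||' | LC_ALL=C sort
}

# rejected_count DIR
# Count entries of any age that fail the name check, for manual review.
rejected_count() {
    n=$(LC_ALL=C find "$1" -type f -name '*.gpg' \
        \( -name '-*' -o -name "$BAD_NAME" \) -exec printf x \; | wc -c)
    echo $((n))
}

# make_demo_vault: build a constructed vault in a temp dir and print its path.
make_demo_vault() {
    d=$(mktemp -d) || return 1
    touch -d '30 days ago' "$d/web01.gpg" "$d/-x.gpg" "$d/bad host.gpg" "$d/notes.txt"
    touch -d '20 days ago' "$d/db02.example.com.gpg"
    touch -d '90 days ago' "$d/old.gpg"
    touch "$d/fresh.gpg"
    printf '%s\n' "$d"
}
```

The output of stale_hosts ~/.pwvault/servers can be piped into the xargs parallel stage unchanged.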

I've been using this process for a few months now with wonderful success. So, hopefully you will find it equally useful.

See also:
PWChanger
PWVault