Late last year I sat down and rewrote my password changer script. Now PWChanger is 89 lines of Expect, with comments, and is much easier to maintain than it's Perl predecessor. This time around, I didn't try to get fancy with regular expressions, which worked but were difficult to maintain. Instead, I have Expect matching multiple (simple) complete words / phrases. These multiple matches are much easier to maintain and update when necessary.

PWChanger does rely on and use PWVault for password storage, which means that it 1) can extract the old password and new password out of my vault and 2) update the password for the target system after confirming that it was successfully changed.

Rather than the typical reactive process of changing passwords, PWChanger is written with the mentality to proactively change passwords before they expire. Thanks to the method that PWChanger uses, I don't have to worry about recognizing prompts on remote systems or other such oddities. To do this, PWChanger simply executes the "passwd" command via ssh remote command execution. Presuming that the account to have it's password changed is in good standing, PWChanger only has to work with the prompts of the passwd command, and not match anything else like the command prompt, or other ssh dialogs, thus reducing the number of things that have to be matched and the number of responses that have to be sent. Further, it is much easier to deal with situations that would possibly cause an infinite loop. All that needs to be done is to have PWChanger recognize the prompts / error messages that happen in an infinite loop condition and break out of the ssh connection.

Note: PWChanger will test the new password on the remote system before it updates the password vault to verify that the password was successfully changed. If PWChanger is unable to login to the remote system using the new password, it will print an error which contains both the old and new passwords so that you can try changing them yourself.


See also:
Changing passwords in mass