From b4c16006a22f07c02770e7c5fc85e74b08e6e349 Mon Sep 17 00:00:00 2001 From: Mark Gurevich Date: Tue, 17 Dec 2019 11:21:45 -0500 Subject: [PATCH] BMC password change script --- .../share/xcat/scripts/BMC_change_password.sh | 94 +++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100755 xCAT-server/share/xcat/scripts/BMC_change_password.sh diff --git a/xCAT-server/share/xcat/scripts/BMC_change_password.sh b/xCAT-server/share/xcat/scripts/BMC_change_password.sh new file mode 100755 index 000000000..d010cb46a --- /dev/null +++ b/xCAT-server/share/xcat/scripts/BMC_change_password.sh @@ -0,0 +1,94 @@ +#!/bin/sh + +########################################################################## +# This script does the following: +# - use nmap for the range given (ex: 172.11.139.3-5) to generate list of IP address +# - try to connect using REST api +# with root/0penBmc (Witherspoon) or +# ADMIN/ADMIN (Boston) to check if this is OpenBMC system +# - check the output of the REST login to see if password needs to be changed +# - use REST call to change to user provided password +# - report error is password does not meet PAM validation rules +# +# Usage: $0 -r -n +########################################################################## + + +if [ $# -le 3 ]; then + echo "Usage:" + echo " $0 -r -n " + exit +fi + +while getopts n:r:h: option +do + case "${option}" + in + r) RANGE=${OPTARG};; + n) NEW=${OPTARG};; + esac +done + +if ! [ -x "$(command -v nmap)" ]; then + echo 'Error: nmap is not installed.' >&2 + exit 1 +fi + +#Generate the list of IP addresses in the range that user provided +nmap -n -sn $RANGE -oG - | awk '/Up$/{print $2}' > /tmp/$$.ip.list + +WITHERSPOON_DEFAULT_USER="root" +WITHERSPOON_DEFAULT_PW="0penBmc" + +BOSTON_DEFAULT_USER="ADMIN" +BOSTON_DEFAULT_PW="ADMIN" + +CHANGE_PW_REQUIRED="The password provided for this account must be changed before access is granted" +PW_PAM_VALIDATION="password value failed PAM validation checks" +UNAUTHORIZED="Unauthorized" + +for name in `cat /tmp/$$.ip.list` +do + + ## Look for Witherspoon first + SYSTEM_TYPE="Witherspoon" + PasswordChangeNeeded=`curl -sD - --data '{"UserName":"'"$WITHERSPOON_DEFAULT_USER"'","Password":"'"$WITHERSPOON_DEFAULT_PW"'"}' -k -X POST https://$name/redfish/v1/SessionService/Sessions` + + if [[ "$PasswordChangeNeeded" =~ "$CHANGE_PW_REQUIRED" ]]; then + echo "$name: Password change needed for $SYSTEM_TYPE system" + PasswordChanged=`curl -u $WITHERSPOON_DEFAULT_USER:$WITHERSPOON_DEFAULT_PW --data '{"Password":"'"$NEW"'"}' -k -X PATCH https://$name/redfish/v1/AccountService/Accounts/$WITHERSPOON_DEFAULT_USER 2> /dev/null` + if [[ "$PasswordChanged" =~ "$PW_PAM_VALIDATION" ]]; then + echo "$name: Can not change password for $SYSTEM_TYPE system - $PW_PAM_VALIDATION" + elif [[ -z "$PasswordChanged" ]]; then + # If no output, password change was successful + echo "$name: Password for $SYSTEM_TYPE system changed" + else + # Some unexpected output changing the password - report error and show output + echo "$name: Unable to change password for $SYSTEM_TYPE system - $PasswordChanged" + fi + + continue + fi + + ## Look for Boston next + SYSTEM_TYPE="Boston" + PasswordChangeNeeded=`curl -sD - --data '{"UserName":"'"$BOSTON_DEFAULT_USER"'","Password":"'"$BOSTON_DEFAULT_PW"'"}' -k -X POST https://$name/redfish/v1/SessionService/Sessions` + if [[ "$PasswordChangeNeeded" =~ "$CHANGE_PW_REQUIRED" ]]; then + echo "$name: Password change needed for $SYSTEM_TYPE system" + PasswordChanged=`curl -u $BOSTON_DEFAULT_USER:$BOSTON_DEFAULT_PW --data '{"Password":"'"$NEW"'"}' -k -X PATCH https://$name/redfish/v1/AccountService/Accounts/2 2> /dev/null` + if [[ "$PasswordChanged" =~ "$PW_PAM_VALIDATION" ]]; then + echo "$name: Can not change password for $SYSTEM_TYPE system - $PW_PAM_VALIDATION" + elif [[ -z "$PasswordChanged" ]]; then + # If no output, password change was successful + echo "$name: Password for $SYSTEM_TYPE system changed" + else + # Some unexpected output changing the password - report error and show output + echo "$name: Unable to change password for $SYSTEM_TYPE system - $PasswordChanged" + fi + + continue + fi + +done + +rm /tmp/$$.ip.list