Last active
March 1, 2016 07:28
-
-
Save adrolter/b13c714e4a31c3f97b91 to your computer and use it in GitHub Desktop.
Randomize the RancherOS ISO password ASAP after SSHd starts.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/expect -f | |
| ### BEGIN CONFIGURATION ####################################################### | |
| set VERBOSITY 1 | |
| set PASSWORD_LENGTH 40 | |
| ### END CONFIGURATION ######################################################### | |
| exp_internal 0 | |
| log_user 0 | |
| if {$VERBOSITY >= 4} {exp_internal 1} | |
| if {$VERBOSITY >= 3} {log_user 1} | |
| proc usage {} { | |
| puts "usage: ./chrosisopw.exp host.domain.xyz" | |
| } | |
| proc spawn_ssh {} { | |
| if {[info exists ::spawn_id]} {close -i $::spawn_id; wait -i $::spawn_id} | |
| set ::timeout 1 | |
| spawn ssh -2tv -c {chacha20-poly1305@openssh.com} \ | |
| -o {UserKnownHostsFile=/dev/null} -o {HashKnownHosts=no} \ | |
| -o {CheckHostIP=no} -o {StrictHostKeyChecking=no} \ | |
| -o {HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-ed25519} \ | |
| -o {KexAlgorithms=curve25519-sha256@libssh.org} \ | |
| -o {IdentitiesOnly=yes} -o {IdentityFile=/dev/null} \ | |
| -o {PreferredAuthentications=password} -o {PubkeyAuthentication=no} \ | |
| rancher@$::host | |
| set ::spawn_id $spawn_id | |
| } | |
| if {![llength $argv]} {usage; exit 1} | |
| set host [lindex $argv 0] | |
| set hostKeyInfo {} | |
| # Establish the SSH connection | |
| puts -nonewline "Connecting to “$host”."; flush stdout | |
| spawn_ssh | |
| # Generate a new password while we have a moment | |
| set newPass [exec sh -c "tr -dc '\[:graph:]' < /dev/urandom | head -c $PASSWORD_LENGTH"] | |
| expect { | |
| {debug1: Server host key: *} { | |
| set hostKeyInfo $expect_out(0,string) | |
| exp_continue | |
| } | |
| {debug1: Connection established.} { | |
| puts {..done.} | |
| } | |
| # Retry connection if timeout occurred | |
| timeout { | |
| puts -nonewline {.}; flush stdout | |
| spawn_ssh; exp_continue | |
| } | |
| # Ignore other output | |
| default {exp_continue} | |
| } | |
| # Connection successful, attempt SSH authentication | |
| set timeout 10 | |
| set startTimeMicrosecs [clock microseconds] | |
| expect { | |
| {rancher@* password:} { | |
| send "rancher\r" | |
| expect { | |
| {debug1: Authentication succeeded (password).} { | |
| puts {Authentication successful.} | |
| } | |
| {Permission denied*} { | |
| puts "\n ☠ WARNING ☠ -- PERMISSION DENIED -- ☠ WARNING ☠" | |
| puts " | |
| IF YOU DID NOT CHANGE THE “rancher” PASSWORD ON “$host”, | |
| AN IMMEDIATE (FORCEFUL) SHUTDOWN OF “$host” IS STRONGLY | |
| RECOMMENDED! | |
| " | |
| exit 154 | |
| } | |
| default {exp_continue} | |
| } | |
| } | |
| # Host closed the connection ??? | |
| eof {error {Unexpected EOF while waiting for password prompt}} | |
| # Ignore other output | |
| default {exp_continue} | |
| } | |
| # Change rancher user password | |
| send "sudo passwd rancher\r" | |
| expect {Changing password for rancher} | |
| expect {New password: } {send "$newPass\r"} | |
| expect {Retype password: } {send "$newPass\r"} | |
| expect {Password for rancher changed} { | |
| set elapsedMillisecs [expr {([clock microseconds]-$startTimeMicrosecs)/1000}] | |
| puts " | |
| New password for “rancher@$host” | |
| [string repeat {-} $PASSWORD_LENGTH] | |
| $newPass | |
| [string repeat {-} $PASSWORD_LENGTH] | |
| " | |
| if {$VERBOSITY >= 2} { | |
| puts "Completed password change in ~${elapsedMillisecs}ms (since SSHd accepted the connection)." | |
| } | |
| } | |
| send "exit\r" | |
| expect * | |
| expect eof |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment