Once upon a time I was hired to help change the password on several hundred remote embedded devices (not servers). The same user account and password was used on all devices. The devices were old and did not support SSH key pairs.
I wrote two shell scripts that worked in tandem using
xdotool. The owner wanted to use the
expect command, but the device interface was text based and did not support a true shell environment. Strictly menu driven.
Because the devices were old and designed with 1990s thinking, there was no way to walk through the steps on the remote devices other than with
xdotool. To avoid latency issues each simulated mouse action paused using the
To avoid mistakes as much as practical there was considerable error checking in the scripts.
The user was prompted for the current and new passwords only once per session (using
read -er -p). The passwords were not recorded anywhere. Once provided and confirmed the passwords were stored in memory as a variable within the scripts.
From that point forward the user was prompted to access each device by IP address. The IP addresses were stored in a comma separated value (CSV) text file from which the shell scripts accessed each device. The scripts used
sshpass to access each remote device. On the surface the operation seemed clunky yet the entire process proceeded without hitch. The script executed the necessary actions to change the password on each device.
There was still manual user intervention required to reply to script prompts and to test the new password on each selected device. Once the old and new passwords were in a variable the job thereafter was grunt work responding to those prompts.
Often I think about this episode when I see people parrot cookie cut replies about accessing infrastructure devices or forcing owners to update “obsolete” equipment. Often such answers are irrelevant in the real world.