1. The script
#!/bin/bash
# Batch-rotate the password of every host listed in old_pass.txt and record
# the new credentials in new_pass.txt. Both files hold plaintext passwords:
# keep them mode 0600 and remove old_pass.txt once the rotation has succeeded.
<<'bak'
old_pass.txt example (one host per line: ip user password port; lines starting with # are skipped)
192.168.1.2 root password 22
192.168.1.3 root password 22
bak
# Use the action() helper from the RHEL/CentOS init library when it is available
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
OLD_INFO=old_pass.txt
NEW_INFO=new_pass.txt
# yum install -y sshpass
for IP in $(awk '/^[^#]/{print $1}' "$OLD_INFO"); do
    USER=$(awk -v I="$IP" 'I==$1{print $2}' "$OLD_INFO")
    PASS=$(awk -v I="$IP" 'I==$1{print $3}' "$OLD_INFO")
    PORT=$(awk -v I="$IP" 'I==$1{print $4}' "$OLD_INFO")
    # 8 random bytes, printed as 12 base64 characters (may contain / + =)
    NEW_PASS=$(openssl rand -base64 8)
    #NEW_PASS=1   # debugging override; leave commented out
    # The old password reaches sshpass through the SSHPASS environment variable (-e)
    # rather than on the command line (-p), so it is not visible in the process list.
    # The new password is single-quoted for the remote shell; base64 output never
    # contains a quote, so it cannot break out of the string.
    # passwd --stdin exists on RHEL/CentOS only; on Debian/Ubuntu use
    # "echo '$USER:$NEW_PASS' | chpasswd" instead.
    SSHPASS="$PASS" sshpass -e ssh -p "$PORT" -o StrictHostKeyChecking=no "$USER@$IP" \
        "echo '$NEW_PASS' | passwd --stdin $USER" && \
    (
        echo "$IP $USER $NEW_PASS $PORT [$(date '+%F %T')]" >> "$NEW_INFO" && \
        action "Configured $USER $IP $NEW_PASS" /bin/true
    ) || \
    action "Failed $USER $IP $PASS" /bin/false   # note: this prints the old password on screen
done
2. Script notes
Multi-line comment:
<<bak
bak
A here-document with no command in front of it is parsed by bash and then discarded, which makes it a common way to write a block comment. Quote the delimiter (<<'bak') so that $variables and `commands` inside the block are not expanded.
Load the function library that provides action, if it exists (RHEL/CentOS):
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
awk options:
-v var=value   assign a user-defined variable before the program runs; this is how a shell variable (here $IP) is passed into awk
The meaning of I==$1 in awk:
awk 'BEGIN{ print "start" } pattern{ commands } END{ print "end" }' file
A relational expression such as I==$1 is used as the pattern: the action runs only for records whose first field ($1, the IP) equals the variable I, so {print $2} returns that host's user name, and {print $3} and {print $4} its password and port. Each lookup reads the whole file, and a duplicated IP line yields more than one result.
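The lookup above, as an added example that is not part of the original post: the same awk -v / I==$1 pattern the script uses, beside a hardened version that skips comment and blank lines, stops at the first match, and returns all three fields from the same record. The credentials file is constructed here; addresses, users and passwords are placeholders.

```shell
#!/bin/sh
# Added example: awk lookup as in the script, plus a hardened variant.
# Sample credentials file constructed for the demonstration.
CRED_FILE=$(mktemp)
trap 'rm -f "$CRED_FILE"' EXIT
cat > "$CRED_FILE" <<'EOF'
# ip user password port   <- comment line, must be ignored
192.168.1.2 root password 22
192.168.1.3 root s3cret 2222

192.168.1.3 root stale 22
EOF

# Lookup exactly as in the script: -v copies the shell value into awk and the
# pattern I==$1 selects every record whose first field equals it. With the
# duplicated 192.168.1.3 line this prints two passwords, and the script would
# then try to use "s3cret stale" as one password.
lookup_naive() {
    awk -v I="$1" 'I==$1{print $3}' "$CRED_FILE"
}

# Hardened lookup: skip comment and blank records, stop at the first match
# (exit), and emit user, password and port from the same record in one pass
# instead of three separate awk runs that may disagree.
lookup() {
    awk -v I="$1" '
        /^[ \t]*(#|$)/ { next }
        I == $1        { print $2, $3, $4; exit }
    ' "$CRED_FILE"
}

# Host list for the rotation loop: comments skipped, duplicates collapsed.
list_hosts() {
    awk '/^[ \t]*(#|$)/ { next } !seen[$1]++ { print $1 }' "$CRED_FILE"
}

# Usage inside the loop:
#   for IP in $(list_hosts); do
#       set -- $(lookup "$IP"); USER=$1; PASS=$2; PORT=$3
#       ...
#   done
```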
The sshpass command:
sshpass is a small, lightweight command-line tool that supplies the password to ssh non-interactively, so that shell scripts (backups run from cron, this rotation script) can log in without a person typing it.
ssh reads the password directly from a TTY to make sure it was typed at a keyboard; sshpass runs ssh under a pseudo-TTY it controls and writes the password there, so ssh believes it came from the user.
sshpass -e scp -P 8122 -o StrictHostKeyChecking=no localfile username@ip:/path/
(The original line read "usernaem@ip" with no source or destination; scp needs both. localfile and /path/ are placeholders.)
The -o StrictHostKeyChecking=no option makes ssh accept an unknown or changed host key without asking. Caveat: combined with password authentication, a host that impersonates the target (a spoofed address, a rebuilt VM at the same IP) receives the old password and can return success without changing anything. Prefer loading the expected keys into known_hosts from a trusted vantage point first (for example ssh-keyscan -p PORT host >> ~/.ssh/known_hosts) and leaving strict checking on.
To keep the password off the screen and out of the process list, use -e and pass it in the SSHPASS environment variable (or -f with a mode-0600 file). -p puts the password on the command line, where any local user can read it with ps while ssh runs.
The action command (from /etc/init.d/functions: prints the message, runs the given command, and appends [ OK ] or [FAILED] according to its exit status):
[root@kub-k8s-master srv]# action "Configured successfully" /bin/true
Configured successfully [ OK ]
The openssl command is the command-line front end of the OpenSSL SSL/TLS and cryptography library:
Syntax:
openssl command [ command_opts ] [ command_args ]
Common commands:
version    show version information
enc        symmetric encryption and decryption
ciphers    list cipher suites
genrsa     generate an RSA private key
rsa        RSA key management (for example extracting the public key from a private key)
req        create a certificate signing request (CSR)
crl        certificate revocation list (CRL) management
ca         CA operations (for example signing certificates)
dgst       compute message digests
rsautl     RSA sign, verify, encrypt and decrypt
passwd     generate hashed passwords
rand       generate pseudo-random bytes; the script uses openssl rand -base64 8, i.e. 8 bytes (64 bits) encoded as 12 base64 characters that can include /, + and =
speed      benchmark cipher and digest speed
s_client   generic SSL/TLS client for testing servers
x509       X.509 certificate management
verify     X.509 certificate verification
pkcs7      PKCS#7 data management
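Generating the new password with openssl rand and embedding it in the remote passwd command, as an added example that is not part of the original post. It keeps the script's approach but makes the password long enough and free of the characters (/, +, =) that complicate quoting, and builds the remote command for either passwd --stdin (RHEL/CentOS) or chpasswd (Debian/Ubuntu). Function names and the 16-character length are choices made here, not from the post.

```shell
#!/bin/sh
# Added example: password generation with openssl rand and safe construction
# of the remote password-change command.

# As in the original script: 8 bytes -> 12 base64 characters, which may
# contain / + = and is only 64 bits of entropy.
gen_pass_original() {
    openssl rand -base64 8
}

# 48 random bytes -> 64 base64 characters; drop / + = and the newline, then
# keep 16. Every kept character is uniform over 62 symbols, so 16 of them
# carry about 95 bits of entropy, and the result needs no shell escaping.
gen_pass() {
    openssl rand -base64 48 | tr -d '/+=\n' | cut -c1-16
}

# True when the password is exactly 16 characters of [A-Za-z0-9].
is_safe() {
    case $1 in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Build the command string that ssh will hand to the remote shell. The
# password is single-quoted; with gen_pass output the quote cannot be
# broken out of. mode is "stdin" (passwd --stdin, RHEL/CentOS) or
# "chpasswd" (Debian/Ubuntu and most others).
remote_cmd() {
    user=$1
    pass=$2
    mode=${3:-stdin}
    case $mode in
        stdin)    printf "echo '%s' | passwd --stdin %s" "$pass" "$user" ;;
        chpasswd) printf "echo '%s:%s' | chpasswd" "$user" "$pass" ;;
        *)        return 1 ;;
    esac
}

# Usage in the rotation loop (sshpass reads the old password from SSHPASS):
#   NEW_PASS=$(gen_pass)
#   SSHPASS="$PASS" sshpass -e ssh -p "$PORT" "$USER@$IP" "$(remote_cmd "$USER" "$NEW_PASS")"
```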
Options (these belong to the openssl req subcommand; the list below is the usage text of openssl req -help from the OpenSSL 1.0.x era, not general openssl arguments):
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
-in arg input file
-out arg output file
-text text form of request
-pubkey output public key
-noout do not output REQ
-verify verify signature on REQ
-modulus RSA modulus
-nodes don't encrypt the output key
-engine e use engine e, possibly a hardware device
-subject output the request's subject
-passin private key password source
-key file use the private key contained in file
-keyform arg key file format
-keyout arg file to send the key to
-rand file:file:... load the file (or the files in the directory) into the random number generator
-newkey rsa:bits generate a new RSA key of 'bits' in size
-newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
-newkey ec:file generate a new EC key, parameters taken from CA in 'file'
-[digest] Digest to sign with (see openssl dgst -h for list)
-config file request template file.
-subj arg set or modify request subject
-multivalue-rdn enable support for multivalued RDNs
-new new request.
-batch do not ask anything during request generation
-x509 output a x509 structure instead of a cert. req.
-days number of days a certificate generated by -x509 is valid for.
-set_serial serial number to use for a certificate generated by -x509.
-newhdr output "NEW" in the header lines
-asn1-kludge Output the 'request' in a format that is wrong but some CA's have been reported as requiring
-extensions .. specify certificate extension section (override value in config file)
-reqexts .. specify request extension section (override value in config file)
-utf8 input characters are UTF8 (default ASCII)
-nameopt arg - various certificate name options
-reqopt arg - various request text options