
Greetings community, it was so good seeing you last week. During the sessions, and afterwards, we discussed the strict DISA STIG password complexity and password rotation; there is a forum on the public VBR when using hundreds of appliances. Since then I couldn’t sleep properly, as I imagined myself changing dozens of appliances with the 2 default accounts. So I’ve built a script, of course.
TLDR
- Automate rotation of local OS accounts on VSA, Hardened Repos, and VIA nodes through Host Management API only.
- Handles OTP, does self change for veeamadmin, proper self flow for Security Officer, writes CSV for your vault.
GitHub
- Code on GitHub: https://github.com/jorgedlcruz/veeam-appliance-password-rotate
Important
- NOT OFFICIALLY SUPPORTED. Use at your own risk. Protect your env files. Move CSV to your password manager then delete local copy. Test in a lab first.
What you get
- API only. No SSH into nodes.
- OTP prompt or TOTP secret.
- Self rotation for veeamadmin (uid 2000) using /v2/users/self/passwd with current password.
- Security Officer self flow using /v2/users/self/passwd with currentPassword and OTP.
- Password policy check and strong generator.
- Optional description timestamp on standard users.
- CSV output: user_id,new_password,timestamp with secure umask.
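The "password policy check and strong generator" item, sketched as an added example; it is not the code from the linked repository. It uses the MIN_LEN, MAX_SAME_CLASS_RUN and SPECIAL_SET settings from the .env template further down, and assumes that MAX_SAME_CLASS_RUN is the longest allowed run of consecutive characters from one class and that all four classes are required; the function names policy_ok and gen_password are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not the repository's code. Assumption: MAX_SAME_CLASS_RUN is
# the longest allowed run of consecutive characters from the same class.
LC_ALL=C; export LC_ALL
MIN_LEN="${MIN_LEN:-20}"
MAX_SAME_CLASS_RUN="${MAX_SAME_CLASS_RUN:-3}"
[ -n "${SPECIAL_SET:-}" ] || SPECIAL_SET='!@#$%^*_+=-?'

# policy_ok PASSWORD: exit 0 only if the password meets every rule.
policy_ok() {
  local rest c cls prev run seen
  rest=$1; prev=""; run=0; seen=""
  [ "${#rest}" -ge "$MIN_LEN" ] || return 1
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}; rest=${rest#?}     # pop the first character
    case "$c" in
      [A-Z]) cls=U ;;
      [a-z]) cls=L ;;
      [0-9]) cls=D ;;
      *) case "$SPECIAL_SET" in *"$c"*) cls=S ;; *) return 1 ;; esac ;;
    esac
    if [ "$cls" = "$prev" ]; then run=$((run + 1)); else run=1; prev=$cls; fi
    [ "$run" -le "$MAX_SAME_CLASS_RUN" ] || return 1
    case "$seen" in *"$cls"*) ;; *) seen=$seen$cls ;; esac
  done
  [ "${#seen}" -eq 4 ]                        # upper, lower, digit, special
}

# gen_password: print a policy-compliant password built from /dev/urandom.
gen_password() {
  local alphabet pw tries
  alphabet="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$SPECIAL_SET"
  tries=0
  while [ "$tries" -lt 200 ]; do
    tries=$((tries + 1))
    # Map random bytes to alphabet positions; bytes >= limit are dropped so
    # the modulo does not favour the first characters of the alphabet.
    pw=$(od -An -v -tu1 -N "$((MIN_LEN * 4))" /dev/urandom |
      ALPHABET="$alphabet" awk -v want="$MIN_LEN" '
        BEGIN { a = ENVIRON["ALPHABET"]; n = length(a); limit = 256 - 256 % n }
        { for (i = 1; i <= NF; i++)
            if ($i < limit && length(pw) < want) pw = pw substr(a, $i % n + 1, 1) }
        END { print pw }')
    if policy_ok "$pw"; then printf '%s\n' "$pw"; return 0; fi
  done
  return 1                                    # policy cannot be met with this set
}
```

The alphabet is indexed through awk rather than passed to `tr -dc`, because `tr` would read the `=-?` inside SPECIAL_SET as a range and let `>` into the output.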
Requirements
- VSA or VIA nodes reachable on Host Management API.
- Linux runner with bash, curl, jq, oathtool, awk, sed, coreutils, Python 3.
- On Rocky: sudo dnf install -y jq oathtool
Quick install
- Folder and script
mkdir -p ~/vbr-rotate && cd ~/vbr-rotate
# Save as veeam-appliance-rotate-passwords.sh
chmod +x veeam-appliance-rotate-passwords.sh
- .env file
cat > .env <<'EOF'
BASE="https://YOURVSAIP:10443"
ADMIN_USER="veeamadmin"
ADMIN_PASS="" # optional, leave empty to be prompted
VERIFY_TLS="false"
OTP_MODE="prompt" # prompt or totp
TOTP_SECRET="" # only if OTP_MODE=totp
SO_OTP_MODE="totp" # optional
TOTP_SO_SECRET="" # if SO_OTP_MODE=totp
CURRENT_SO_PASS="" # if rotating SO
USER_IDS="2003 2004 2000" # include 2000 to rotate veeamadmin
#MIN_LEN="20"
#MAX_SAME_CLASS_RUN="3"
#SPECIAL_SET="!@#\$%^*_+=-?"
#OUT_FILE="rotated_passwords_$(date +%Y%m%d_%H%M%S).csv"
EOF
chmod 600 .env
Run
set -a; . ./.env; set +a
./veeam-appliance-rotate-passwords.sh
Examples
Interactive veeamadmin plus two users
export BASE="https://vbr-appliance:10443"
export ADMIN_USER="veeamadmin"
export OTP_MODE="prompt"
export USER_IDS="2000 2003 2004"
./veeam-appliance-rotate-passwords.sh
Non interactive with TOTP
export BASE="https://vbr-appliance:10443"
export ADMIN_USER="veeamadmin"
export ADMIN_PASS="********"
export OTP_MODE="totp"
export TOTP_SECRET="BASE32SECRET"
export USER_IDS="2003 2004"
./veeam-appliance-rotate-passwords.sh
Rotate Security Officer
export BASE="https://vbr-appliance:10443"
export ADMIN_USER="veeamadmin"
export ADMIN_PASS="********"
export SO_OTP_MODE="totp"
export TOTP_SO_SECRET="SO_BASE32"
export CURRENT_SO_PASS="********"
export USER_IDS="2002"
./veeam-appliance-rotate-passwords.sh
Expected output snippet
[INFO] Login step 1
[INFO] Login step 2 with OTP
[OK] Login success with OTP
[INFO] Rotating: 2003 2004 2000
[OK] uid=2003 password rotated
[OK] uid=2003 description updated
[OK] uid=2004 password rotated
[OK] uid=2004 description updated
[OK] uid=2002 SO password rotated
[OK] uid=2000 veeamadmin password rotated
[DONE] Saved rotated_passwords_YYYYMMDD_HHMMSS.csv
Troubleshooting
- http=401 or 428 during PUT: server wants a fresh OTP. Script retries once. Check time sync and codes.
- Could not create SO session: validate CURRENT_SO_PASS and TOTP_SO_SECRET or use SO_OTP_MODE=prompt.
- CSV empty: verify USER_IDS, auth success, and API reachability.
- Missing tools: install jq and oathtool.
Closing
Real pain, real fix. If this helps, star the repo, send some GitHub PRs, leave some comments, etc. I hope I can add the export to some password managers next.
Would you use it?
