I have systems that are secured with PAM authentication / SSH. When attempting to execute “passwd” commands remotely with SSH, the system does not allow this.
These systems are set up with Public Key Authentication and the NOPASSWD option in /etc/sudoers.

Script 1 – This script runs from a management server. It copies the “local” script out to each server, executes it with ssh / sudo, then deletes it when complete.

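#!/bin/bash
# USR is the SSH login account on the servers; stop early if it is not set.
: "${USR:?set USR to the SSH login account}"
HOSTREAD=$(cat /opt/scripts/hosts.txt)
for server in $HOSTREAD; do
    # Copy the local script out, run it as root, then remove it.
    scp /opt/scripts/local-change-passwords.sh "$USR@$server":~
    ssh "$USR@$server" 'sudo sh local-change-passwords.sh'
    ssh "$USR@$server" 'rm local-change-passwords.sh'
done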

Script 2 – This is the local script that is copied out to each server, executed, then removed after the user's password is changed.

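#!/bin/bash
USR="forgotten"
# passwd asks for the new password twice, so send it on two lines.
# printf is used because Script 1 runs this with sh, where echo -e is not portable.
printf '%s\n%s\n' 'yourspecialpassword' 'yourspecialpassword' | passwd "$USR"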
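
A variation on the two scripts above, added here as an example and not part of the original post: it pipes user:password to chpasswd over ssh's standard input, so no script containing the password is copied to or left on the servers. It assumes chpasswd is installed and that sudo on the servers does not require a tty; the names REMOTE_USER and SSH_CMD and the three-argument usage are this sketch's own.

```shell
#!/bin/sh
# Added example, not from the original post. REMOTE_USER, SSH_CMD and the
# usage line at the bottom are assumptions made for this sketch.
SSH_CMD=${SSH_CMD:-ssh}   # overridable so the loop can be exercised offline

# Print the host list, skipping blank lines and "#" comments.
read_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# set_remote_password HOST TARGET_USER PASSWORD
# Feeds "user:password" to chpasswd over ssh's stdin, so the secret is never
# stored in a file on the server or placed on a command line there.
set_remote_password() {
    nl='
'
    case $2 in
        ''|*[!a-z0-9_-]*) echo "refusing user name: $2" >&2; return 2 ;;
    esac
    case $3 in
        ''|*"$nl"*) echo "refusing empty or multi-line password" >&2; return 2 ;;
    esac
    printf '%s:%s\n' "$2" "$3" |
        "$SSH_CMD" -o BatchMode=yes "$REMOTE_USER@$1" 'sudo chpasswd'
}

# rotate_all HOSTS_FILE TARGET_USER PASSWORD
# Reports each host and returns non-zero if any host failed.
rotate_all() {
    failed=0
    for host in $(read_hosts "$1"); do
        if set_remote_password "$host" "$2" "$3"; then
            echo "OK   $host"
        else
            echo "FAIL $host" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Usage: ./rotate.sh HOSTS_FILE REMOTE_USER TARGET_USER (password is prompted)
if [ "$#" -eq 3 ]; then
    REMOTE_USER=$2
    printf 'New password for %s: ' "$3" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    rotate_all "$1" "$3" "$pw"
fi
```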