HPE Community
Operating System - HP-UX
1752766 Members
5038 Online
108789 Solutions
New Discussion юеВ

Re: New password push script

 
B Wade Moll
Frequent Advisor

тАО02-17-2010 07:09 AM

тАО02-17-2010 07:09 AM

New password push script

Greetings...

I have a monthly task to update root passwords on 49 servers. Direct root access is restricted by direct ssh login, however the root account can be accessed by su - root.

Is there a push script I can run from an admin lpart to login to the servers and update the root pw, without having to manually log into each one and update it manually?

Thank you :)
0 Kudos
Reply
5 REPLIES 5
Dennis Handly
Acclaimed Contributor

тАО02-17-2010 07:20 AM

тАО02-17-2010 07:20 AM

Re: New password push script

What type of passwords do you have?
It isn't NIS. But do you have trusted, shadow passwords or the default?

If the latter, you could just edit /etc/passwd, possibly with vipw(1m).
0 Kudos
Reply
B Wade Moll
Frequent Advisor

тАО02-17-2010 07:22 AM

тАО02-17-2010 07:22 AM

Re: New password push script

we haven't altered the settings on the servers so I suspcet they are standard.

Thank you :)
0 Kudos
Reply
Olivier Masse
Honored Contributor

тАО02-17-2010 09:21 AM

тАО02-17-2010 09:21 AM

Re: New password push script

Personally I would use expect to automate the process of logging on, providing your password, doing a "su -" and entering a new proot password. Be prepared to do some TCL coding, and unless you're using one-time-passwords to log on your servers, it will pay itself off quickly. I do this fairly often to distribute commands on my servers.

http://hpux.connect.org.uk/hppd/hpux/Tcl/expect-5.43/

What I like with expect is that implementing scripts with it is not "illegal" technically as far a a security auditor is concerned... you're not going through a backdoor, you're only simulating someone who types really, really quickly. :)

Other alternatives involve using DSAU (distributed system administration utilities) or the command fan-out feature of Systems Insight Manager. I never tried them and I don't know how much extensible they are to let you elevate your privileges once you're logged in.

Good luck
0 Kudos
Reply
mvpel
Trusted Contributor

тАО02-18-2010 06:41 AM

тАО02-18-2010 06:41 AM

Re: New password push script

Check out the PermitRootLogin option of "forced-commands-only" in the sshd_config man page.

This will prevent remote ssh root connections except when:

1. You authenticate with a public key.
2. The authorized key permits only a specific command.

See the sshd man page for an example of an entry in authorized_keys:

command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi

The "from=" directive in root's authorized_keys would also allow you to restrict root login to originate only from a specific hostname or IP address.

All you'd need to do is define the "password-change" key-pair, update the sshd_config and restart sshd on the 49 machines, and update the ~root/.ssh/authorized_keys file with the public key and the command to be run.

If you don't set a password on the private key and just rely on 400 permissions to protect it, the ssh command would run without prompting you for the root password each time. Or, if you do set a password on the private key, you'd want to set up ssh-agent and add the private key before starting the 49 ssh runs.

You'd need to cook up a way to deliver the new password or crypt string to the remote systems. Perhaps access an NFS-mounted file containing the hash string which the command= script would paste into the passwd? Or set "passwd root" as the command in each host's authorized_keys, and just center-click paste the new password into the prompts 98 times - still much quicker than a 100% manual update.
0 Kudos
Reply
Sp4admin
Trusted Contributor

тАО02-18-2010 02:56 PM

тАО02-18-2010 02:56 PM

Re: New password push script

We have a script that can push you CAC enable Credentials or your ssh_keys. but I guess I'm old school when it comes to the root password. I preferred to change it manually. If you jack it up then you're talking about reboot to signal user to fix it.

sp,

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.