02-17-2010 07:09 AM
New password push script
I have a monthly task to update root passwords on 49 servers. Direct root access is restricted by direct ssh login; however, the root account can be accessed by su - root.
Is there a push script I can run from an admin lpart to log in to the servers and update the root pw, without having to manually log into each one and update it manually?
Thank you :)
02-17-2010 07:20 AM
Re: New password push script
It isn't NIS. But do you have trusted, shadow passwords or the default?
If the latter, you could just edit /etc/passwd, possibly with vipw(1m).
02-17-2010 07:22 AM
Re: New password push script
Thank you :)
02-17-2010 09:21 AM
Re: New password push script
http://hpux.connect.org.uk/hppd/hpux/Tcl/expect-5.43/
What I like with expect is that implementing scripts with it is not "illegal" technically as far as a security auditor is concerned... you're not going through a backdoor, you're only simulating someone who types really, really quickly. :)
Other alternatives involve using DSAU (distributed system administration utilities) or the command fan-out feature of Systems Insight Manager. I never tried them and I don't know how extensible they are in letting you elevate your privileges once you're logged in.
Good luck
02-18-2010 06:41 AM
Re: New password push script
This will prevent remote ssh root connections except when:
1. You authenticate with a public key.
2. The authorized key permits only a specific command.
See the sshd man page for an example of an entry in authorized_keys:
command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi
The "from=" directive in root's authorized_keys would also allow you to restrict root login to originate only from a specific hostname or IP address.
All you'd need to do is define the "password-change" key-pair, update the sshd_config and restart sshd on the 49 machines, and update the ~root/.ssh/authorized_keys file with the public key and the command to be run.
If you don't set a password on the private key and just rely on 400 permissions to protect it, the ssh command would run without prompting you for the root password each time. Or, if you do set a password on the private key, you'd want to set up ssh-agent and add the private key before starting the 49 ssh runs.
You'd need to cook up a way to deliver the new password or crypt string to the remote systems. Perhaps access an NFS-mounted file containing the hash string which the command= script would paste into the passwd? Or set "passwd root" as the command in each host's authorized_keys, and just center-click paste the new password into the prompts 98 times - still much quicker than a 100% manual update.
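The forced-command approach described in the post above, sketched as an added example (not code from the thread or from HP): a `command=` target that takes the new crypt string on stdin, validates it, and rewrites only root's entry. The script name and path, the `PASSWD_FILE` variable, the host name and the key are hypothetical. It assumes the default non-trusted, non-shadow `/etc/passwd` with a 13-character crypt hash and no password-aging suffix.

```shell
#!/bin/sh
# Added example: forced-command target for root's "password-change" key.
# Hypothetical install path: /usr/local/sbin/set-root-hash
#
# sshd_config on each server (assumed to be the setting the post refers to):
#   PermitRootLogin forced-commands-only
# ~root/.ssh/authorized_keys, one line (host name and key are placeholders):
#   from="admin-host",command="/usr/local/sbin/set-root-hash --apply",no-pty,no-port-forwarding ssh-rsa AAAA...placeholder pwpush
# Push from the admin host; the hash travels on stdin, not in argv:
#   ssh -i pwpush_key root@server < newhash.txt

# Accept only a classic 13-character crypt(3) string. A ':' or newline
# in the input would otherwise add fields or lines to the passwd file.
valid_hash() {
    case "$1" in
        *[!./0-9A-Za-z]*) return 1 ;;
    esac
    [ "${#1}" -eq 13 ]
}

# Replace field 2 of the root entry in passwd-format file $1 with hash $2.
# The new copy is written beside the original and renamed over it, so a
# failed run leaves the original file untouched.
set_root_hash() {
    file=$1 hash=$2
    valid_hash "$hash" || { echo "rejected: not a crypt string" >&2; return 2; }
    grep -q '^root:' "$file" || { echo "no root entry in $file" >&2; return 3; }
    tmp="$file.new.$$"
    ( umask 077
      awk -F: -v OFS=: -v h="$hash" '$1 == "root" { $2 = h } { print }' \
          "$file" > "$tmp"
    ) || { rm -f "$tmp"; return 4; }
    chmod 444 "$tmp" && mv "$tmp" "$file"
}

# Forced-command entry point: whatever the client asked to run is ignored;
# exactly one line is read from stdin and validated before use.
if [ "${1:-}" = "--apply" ]; then
    IFS= read -r newhash || true
    set_root_hash "${PASSWD_FILE:-/etc/passwd}" "$newhash"
fi
```

Setting `PASSWD_FILE` to a copy of the passwd file lets the script be tried on one host before the key is rolled out to all 49.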
02-18-2010 02:56 PM
Re: New password push script
sp,