
New password push script

B Wade Moll
Frequent Advisor

New password push script

Greetings...

I have a monthly task to update root passwords on 49 servers. Direct root access is restricted by direct ssh login, however the root account can be accessed by su - root.

Is there a push script I can run from an admin lpar to log in to the servers and update the root pw, without having to manually log into each one and update it manually?

Thank you :)
5 REPLIES

Re: New password push script

What type of passwords do you have?
It isn't NIS. But do you have trusted, shadow passwords or the default?

If the latter, you could just edit /etc/passwd, possibly with vipw(1m).
B Wade Moll
Frequent Advisor

Re: New password push script

We haven't altered the settings on the servers so I suspect they are standard.

Thank you :)
Olivier Masse
Honored Contributor

Re: New password push script

Personally I would use expect to automate the process of logging on, providing your password, doing a "su -" and entering a new root password. Be prepared to do some TCL coding, and unless you're using one-time passwords to log on to your servers, it will pay for itself quickly. I do this fairly often to distribute commands on my servers.

http://hpux.connect.org.uk/hppd/hpux/Tcl/expect-5.43/

What I like with expect is that implementing scripts with it is not "illegal" technically as far as a security auditor is concerned... you're not going through a backdoor, you're only simulating someone who types really, really quickly. :)

Other alternatives involve using DSAU (distributed system administration utilities) or the command fan-out feature of Systems Insight Manager. I never tried them and I don't know how extensible they are to let you elevate your privileges once you're logged in.

Good luck
mvpel
Trusted Contributor

Re: New password push script

Check out the PermitRootLogin option of "forced-commands-only" in the sshd_config man page.

This will prevent remote ssh root connections except when:

1. You authenticate with a public key.
2. The authorized key permits only a specific command.

See the sshd man page for an example of an entry in authorized_keys:

command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi

The "from=" directive in root's authorized_keys would also allow you to restrict root login to originate only from a specific hostname or IP address.

All you'd need to do is define the "password-change" key-pair, update the sshd_config and restart sshd on the 49 machines, and update the ~root/.ssh/authorized_keys file with the public key and the command to be run.

If you don't set a password on the private key and just rely on 400 permissions to protect it, the ssh command would run without prompting you for the root password each time. Or, if you do set a password on the private key, you'd want to set up ssh-agent and add the private key before starting the 49 ssh runs.

You'd need to cook up a way to deliver the new password or crypt string to the remote systems. Perhaps access an NFS-mounted file containing the hash string which the command= script would paste into the passwd? Or set "passwd root" as the command in each host's authorized_keys, and just center-click paste the new password into the prompts 98 times - still much quicker than a 100% manual update.
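A server-side receiver for the forced-command approach described in the reply above, written here as an added example; it is not code from the thread, from HP-UX or from any HP product. It assumes the pusher sends exactly one crypt(3) string on stdin, that the script is installed on each host at a path you choose and named in the command= option, and that a hypothetical PASSWD_FILE variable (defaulting to /etc/passwd) points at the file to edit, so tests can run against a copy.

```shell
#!/bin/sh
# Added example: forced-command receiver for a "password-change" key.
# Assumes root's authorized_keys locks the key to this script with
# command=, from=, no-pty and no-port-forwarding (see restricted_key_line).

# Build the restricted authorized_keys line: $1 = permitted source host or
# IP, $2 = path of this script on the target, $3 = the public key line.
restricted_key_line() {
  printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2" "$3"
}

# Accept only a plausible crypt(3) string: the traditional 13-character DES
# form (what an unaltered HP-UX /etc/passwd carries) or a $id$salt$hash form.
# Anything else (plaintext, spaces, shell metacharacters) is refused.
valid_hash() {
  case "$1" in
    *[!A-Za-z0-9./\$]*|"") return 1 ;;
  esac
  case "$1" in
    \$*\$*\$*) return 0 ;;
  esac
  [ "${#1}" -eq 13 ]
}

# Replace root's password field in a passwd-format file ($1) with $2,
# writing to a temporary file first so a crash cannot leave it truncated.
set_root_hash() {
  valid_hash "$2" || { echo "refusing: not a crypt string" >&2; return 2; }
  tmp="$1.new.$$"
  awk -F: -v OFS=: -v h="$2" '$1=="root"{$2=h} {print}' "$1" > "$tmp" &&
    chmod 600 "$tmp" && mv "$tmp" "$1"
}

# Entry point when sshd runs this as the forced command. A client that tried
# to pass its own command shows up in SSH_ORIGINAL_COMMAND and is refused;
# otherwise exactly one line (the new hash) is read from stdin.
forced_command_main() {
  [ -z "$SSH_ORIGINAL_COMMAND" ] || { echo "refusing: command override" >&2; return 3; }
  IFS= read -r newhash || return 4
  set_root_hash "${PASSWD_FILE:-/etc/passwd}" "$newhash"
}

# Only act when explicitly invoked with --run, so sourcing the file is safe.
case "${1:-}" in
  --run) forced_command_main ;;
esac
```

On the pushing side the loop is then one ssh per host with the hash on stdin, and the hash itself can be produced once and never typed on the remote terminals.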
Sp4admin
Trusted Contributor

Re: New password push script

We have a script that can push your CAC-enabled credentials or your ssh keys, but I guess I'm old school when it comes to the root password. I preferred to change it manually. If you jack it up, then you're talking about a reboot to single user to fix it.

sp,