Managing RootPasswords

Roger Baptiste
Honored Contributor

Managing RootPasswords

Hello ,

What are the options/tools available for managing root password changes on multiple servers (around 200+ servers, a mix of trusted HP servers and Sun servers) on a regular basis (thrice a year)? The password should preferably be randomly generated by the tool/script and not be the same for all the servers.

Doing the change manually by logging on to each server is ruled out. Inefficient and tedious.

Writing a script using remote services (remsh, rexec, ...) is not an option, since opening up access through .rhosts on all the servers is not allowed.

What are the other options? How is this managed in large sites?

regards
-RB
Take it easy.
RAC_1
Honored Contributor

Re: Managing RootPasswords

With the restrictions you have,

NIS is the way to go. Trusted systems and NIS are not compatible, so you will have to go with NIS+.

Also with ldap.

I have not worked on things like this, but these are the options that seem to fit your requirement.

Anil
There is no substitute for HARD WORK
Geoff Wild
Honored Contributor

Re: Managing RootPasswords

Or install a third party security tool like UnixControl:

http://www.tfstech.com/index.htm

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
A. Clay Stephenson
Acclaimed Contributor

Re: Managing RootPasswords

NIS+, NIS, or LDAP should not be used for the root password because you specifically need a means of logging in as root when those services are not available. In fact, you are instructed to always use local authentication for root. You also do not want multiple users with UID 0 as a possible workaround. If this were me, I would much prefer a single strong password for all the servers rather than different passwords -- unless the boxes are administered by different people. Multiple passwords instantly require a list, and that is an instant security hole. NIS+ or LDAP is fine for all the regular users and would certainly be my method for 200+ boxes.

There are a number of methods for batch updating root passwords. Probably the most straightforward would be to leverage expect supplied with a list of servers.


If it ain't broke, I can fix that.
Roger Baptiste
Honored Contributor

Re: Managing RootPasswords

Thanks for the responses so far. Can the other experts around throw in their suggestions and the way they are doing this in a large site?
NIS+ is a no-no, for the reasons already mentioned.

The criteria are: it should run from a single server and not use remote services. No NIS/NIS+/LDAP either, for the reasons already mentioned in the responses.

Clay, can you please elaborate on the batch methods you mentioned? Also, a randomly generated password is preferred, rather than manual creative ones.


thanks
Take it easy.
Sundar_7
Honored Contributor

Re: Managing RootPasswords

RB,

Any large site that is concerned about security will not go for NIS :-), and NIS+ is too cumbersome to maintain even on smaller sites.

Really visionary shops spend $$$ and get centralized user management software like KEON BOKS from RSA. BOKS is a wonderful security software with all kinds of auditing and customization possible. It also does some encryption, so you don't have to worry about sniffers.

Some sites use remote services to distribute the account information and some use LDAP.

I am sure there are sites that use ADS or NTLM authentication for the Unix users. In this case the Unix users don't have to remember two separate passwords; they can use the same password as they do for logging in to the corporate domain network.

Given all these restrictions, how about I suggest a not-so-elegant way of doing this? :-)

1) To generate the password randomly, you can use /usr/lbin/modprpw with the -x option

/usr/lbin/modprpw -x username

2) modprpw expires the user account, so he/she will have to change the password upon the next successful login. You can avoid this by using the -v option of modprpw

/usr/lbin/modprpw -v username

3) Create a script that prepares the list of files that are updated in the /tcb directory and also the information from /etc/passwd and /etc/group.

The script should ftp these files to all the other systems. Automate the FTP transfer by manually coding the password in the script or using .netrc.

4) On the clients, create a script that runs from cron and processes the files that are FTPed from the server.

I know this is not going to look elegant and is not as easy to implement as it sounds.

But this is all I could come up with :-)

-- Sundar.

Learn What to do, How to do and more importantly When to do?
Kenneth_19
Trusted Contributor

Re: Managing RootPasswords

RB,

The attached C program may help you to generate random strong passwords and their encrypted strings.

# encrypt
OKFBrfm:WkBJX5PPU8LzY

The output can be divided into two portions with the delimiter ":": the first portion is the randomly generated password, and the second part is the encrypted string of the password. You can simply replace the password of a particular user in /etc/passwd (or /etc/shadow for Solaris users) with the second portion, and the password is changed silently.

In case you get a "/" in the encrypted value, please discard it, as I found that it will cause problems:

# encrypt
m6kw6NR:lGG/UBe.vDACQ <- DISCARD!!!

If you want it to encrypt a password you specify, say "1234567" you can:

# encrypt
1234567:webdcfoCllqDQ

If you have tried that out in small scale and have confidence with it, you can write your own .script to change the password regularly
Always take care of your dearest before it is too late
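As an added example (not code from this thread, and not the C program Kenneth_19 attached, which is not reproduced here), the following Python sketches the pieces behind Sundar_7's steps 1-3 and Kenneth_19's "password:hash" output convention: drawing a distinct random password per host from the OS CSPRNG, estimating its entropy, parsing the "password:hash" line on the first ":" only, and replacing the password field of a passwd/shadow-style line by editing the fields directly, so a "/" inside a crypt(3) hash (a legal character in its alphabet) cannot interfere with the edit. The host names and the shadow line are constructed for the example; the `crypt` module is used for hashing where it exists (it was removed from Python 3.13), otherwise the hash has to come from the target system's own crypt(3), as the thread's C program does.

```python
"""Per-host root password rotation helpers (added example, not from the thread).

Assumptions (not on the page): a constructed host inventory and a
shadow(4)-style line 'name:hash:lastchg:min:max:warn:inactive:expire:flag'.
The same field layout (name first, password second) holds for /etc/passwd.
"""
import math
import secrets
import string

try:
    import crypt  # stdlib through Python 3.12; removed in 3.13
except ImportError:  # hashing then has to be done with the system's crypt(3)
    crypt = None

# Characters used for generated passwords. ':' is deliberately excluded: it is
# the field separator in passwd/shadow files and in the 'password:hash' output.
ALPHABET = string.ascii_letters + string.digits + "!#%+,-=?@_"


def generate_password(length=14, alphabet=ALPHABET):
    """Draw a password uniformly from `alphabet` with the OS CSPRNG.

    Re-draws until the result has at least one lower-case letter, one
    upper-case letter and one digit, so no host ends up with a single-class
    password. The rejection loop terminates quickly for length >= 8.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on the entropy of a uniformly drawn password, in bits."""
    return length * math.log2(len(alphabet))


def per_host_passwords(hosts, length=14):
    """One independently generated password per host (the thread's requirement)."""
    return {host: generate_password(length) for host in hosts}


def hash_password(password):
    """crypt(3) hash with a fresh random SHA-512 salt, for the password field."""
    if crypt is None:
        raise RuntimeError("crypt module unavailable; use the target's crypt(3)")
    return crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))


def verify_password(password, hashed):
    """True if `hashed` is the crypt(3) hash of `password` (salt taken from hashed)."""
    if crypt is None:
        raise RuntimeError("crypt module unavailable; use the target's crypt(3)")
    return secrets.compare_digest(crypt.crypt(password, hashed), hashed)


def parse_encrypt_output(line):
    """Split a 'password:hash' line on the FIRST ':' only.

    The hash may legitimately contain '.' and '/' (part of the crypt(3)
    output alphabet), so nothing after the first separator is split again.
    """
    pw, sep, hashed = line.strip().partition(":")
    if not sep or not pw or not hashed:
        raise ValueError("expected 'password:hash', got %r" % line)
    return pw, hashed


def replace_password_field(shadow_line, new_hash, user="root"):
    """Return `shadow_line` with its password field (field 2) set to `new_hash`.

    Operates on the split fields rather than on a delimiter-based text
    substitution, so '/' inside the hash is just data. Refuses lines that
    do not belong to `user` or that lack a password field.
    """
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 2 or fields[0] != user:
        raise ValueError("not a %s entry: %r" % (user, shadow_line))
    if not new_hash or ":" in new_hash:
        raise ValueError("invalid hash value")
    fields[1] = new_hash
    return ":".join(fields)


if __name__ == "__main__":
    # Constructed inventory: the thread's mix of HP-UX and Solaris hosts.
    inventory = ["hpux-a", "hpux-b", "sun-c"]
    for host, pw in per_host_passwords(inventory).items():
        print(host, "entropy ~%.0f bits" % entropy_bits(len(pw)))
    pw, hashed = parse_encrypt_output("m6kw6NR:lGG/UBe.vDACQ")
    print(replace_password_field("root:OLDHASH:0:0:99999:7:::", hashed))
```

Only the hashed value needs to travel to each host; the plaintext list that Clay warns about exists solely at generation time and should be protected (or escrowed) under the site's own controls.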