[Spacewalk-list] change root password for all machines in a group

Ian Forde ianforde at gmail.com
Thu Feb 4 03:52:07 UTC 2010


On Thu, 2010-02-04 at 10:14 +0800, Colin Coe wrote:
> Shouldn't this be
> 
> echo 'new_password' | passwd --stdin root
> 
> You could do this simply with a remote command via the SSM.  Just
> remember that this will be in the spacewalk events for those servers
> so if you have people with access to spacewalk that shouldn't know the
> password, they'll be able to find it out.

Actually, for a decent safe option, you can try this as a procedure:

1. Push a new file called /tmp/.newrootpasswd and set it to be root:root
and perms 0400.  This file will contain the plaintext of the new
password.
2. Use a remote command (since you can make it a script) as such:

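#!/bin/bash
# Feed the pushed file to passwd on stdin so the password never appears in argv
passwd --stdin root < /tmp/.newrootpasswd
# Remove the plaintext copy once it has been used
rm -f /tmp/.newrootpasswd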

Unfortunately, Spacewalk (AFAIK) doesn't support file push triggers yet
(item #3 in Brainbox), so you can't do it all in one step.  Another way,
however, would be to do it all in a script that retrieved the textfile
and ran 'passwd --stdin'.  The idea is to keep the password off of the
command line.

Of course, if the passwd command accepted encrypted passwords when used
with stdin, we wouldn't have this issue.  Sort of... (I don't even like
putting encrypted strings out there.)

From a security perspective, I think it's about finding a safe way to
get the password string to the client box, avoiding displaying it on the
clients' command line and risking exposure on the filesystem.

	-I
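
A hardened form of the remote-command script from the procedure above, as an added example that is not part of the original post: before using the file it checks that /tmp/.newrootpasswd is a regular (non-symlink) file with the expected owner and mode 0400 and holds a single line, feeds it to passwd on stdin, and removes it whether or not the change succeeded. The function names and the --apply switch are assumptions of this example, and stat -c is the GNU coreutils form found on Red Hat style systems.

```bash
#!/bin/bash
# Added example: apply a root password from a pushed file, keeping it out of argv.
SECRET=/tmp/.newrootpasswd   # path used in the procedure above

# secret_file_ok FILE UID
# Succeeds only if FILE is a regular file (not a symlink), owned by UID, mode 0400.
secret_file_ok() {
    [ -L "$1" ] && return 1      # /tmp is world-writable: never follow a symlink
    [ -f "$1" ] || return 1
    meta=$(stat -c '%u %a' "$1") || return 1   # prints "<owner uid> <octal mode>"
    [ "$meta" = "$2 400" ]
}

# secret_one_line FILE
# Succeeds only if FILE holds exactly one non-empty line, which is all that
# passwd --stdin consumes; anything more suggests a bad or tampered push.
secret_one_line() {
    [ "$(wc -l < "$1")" -le 1 ] && [ -n "$(head -n 1 "$1")" ]
}

# apply_root_password FILE
# Validates FILE, sets root's password from it via stdin redirection, then
# deletes FILE regardless of the outcome so the plaintext does not linger.
apply_root_password() {
    rc=1
    if secret_file_ok "$1" 0 && secret_one_line "$1"; then
        passwd --stdin root < "$1" > /dev/null
        rc=$?
    fi
    rm -f -- "$1"
    return "$rc"
}

# Act only when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    apply_root_password "$SECRET"
fi
```

A non-zero exit status from the remote command means the file failed a check or passwd rejected the input.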



