[Spacewalk-list] Deploy a root password change

Kobus Bensch kobus.bensch at trustpayglobal.com
Wed Aug 26 08:52:07 UTC 2015


Hi

I wrote a script many years ago and still use it to this day.

Here is what I do.
1) I make a note of the current encrypted root password in the shadow file.
Just in case I need it.
2) I change the password for root on this server and make note of the new
encrypted password in the shadow file.
The reason I do it this way is so I can make sure that the new
password works and that I have made note of the unencrypted password and
stored it away.
3) This is where my script comes into effect.
To use the new encrypted password, make sure any $ signs in the encrypted
version have been escaped. Then replace the encrypted password on line 14
between $1": and :"$3 with your new encrypted password.

I do a bit of displaying of files for verification. Plus it gets logged in
the Satellite logs.

Schedule this as a script on the relevant servers.

Here it is:


#!/bin/sh

# Written by Kobus Bensch
# kbensch [at] gmail [dot] com
# If you use it, let me know.
# If you make it better, let me know.
# This works for me, test it before you use it in production.
# Any questions, let me know.
# Version 0.5

SHADOW_FILE="/etc/shadow"
cp -v /etc/shadow /etc/shadow-$(date +%Y%m%d%H%M%S)
OLDPWD=`cat $SHADOW_FILE | grep '^root:'`
NEWPWD=`cat $SHADOW_FILE | grep '^root:' | awk -F":" '{print $1":\$6\$SRXLyEWW\$OOtjSy3lShHGbjHDBnH.QYEm0t.GUaXW1VtoDzV.c8wpIVUBFEtH5YQBQD1FeqQNujyMLwd135kLs8p9O9Y4m1:"$3":"$4":"$5":"$6":"$7":"$8":"$9}'`
# grep is anchored to ^root: so only the root entry itself is selected.

echo "Old ROOT PWD = $OLDPWD"
echo "New ROOT PWD = $NEWPWD"
echo "New Shadow"

sed -i "s_${OLDPWD}_${NEWPWD}_" $SHADOW_FILE

cat $SHADOW_FILE



Kobus Bensch

*Address:* 22 & 24 | Frederick Sanger Road | Guildford | Surrey | GU2 7YD
*Phone:* 0207 871 3890
*Email:* kobus.bensch at trustpayglobal.com



On 26 August 2015 at 01:57, J Epperson <spacewalk at epperson.homelinux.net>
wrote:

> I've always done this with "usermod -p", using the crypted password
> string.  But that's probably not actually any more secure than echoing to
> "passwd --stdin".
>
>
>
>
> On 2015-08-25 16:50, Steve Meier wrote:
>
> Hello,
>
> using sed on your /etc/shadow is a very harsh way to do it. On Red Hat
> the passwd command supports the --stdin parameter which is much cleaner
>
> echo supersecret | passwd --stdin root
>
> Run this as a remote action and you are good.
>
> Alternatively, you can create a dummy RPM where this is a %post action
> and deploy this RPM. This should work as well and the version of that
> dummy RPM will actually give you a hint on which of your rotated
> passwords
> it is.
>
> Kind regards,
>    Steve
>
> On 2015-08-25 22:24, Justin Edmands wrote:
>
> You change the root pw on one machine, grab the /etc/shadow entry, and sed
> replace the root line in the shadow file into a remote command to whatever
> systems you need to change.
>
> On Aug 25, 2015, at 4:13 PM, Franky Van Liedekerke <liedekef at telenet.be>
> wrote:
>
> On Tue, 25 Aug 2015 19:45:06 +0000 "Armstrong, Kenneth Lawrence
> (SYSADMIN)" <klarmstrong2 at liberty.edu> wrote:
>
> Is there a way to deploy a root password change to a group of servers in
> Satellite 5.6? I imagine something like this might be possible in Satellite
> 6.x, but we don’t have that deployed yet.
>
> Since spacewalk only has the root-pwd there for kickstart I don't think
> that is possible. I don't know if this helps, but: loop through your
> servers, do sudo and:
>
> echo "root:newpass"|chpasswd
>
> I know, it is not the config-method you're looking for (puppet, ansible),
> but sometimes the simplest things are sufficient too ...
>
> Franky
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list

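An added example, not part of the original thread: the same root-entry swap done by exact field match instead of grep and sed, so a user such as "rootbackup" is never touched, the hash needs no $ escaping, and only the hash field is ever printed. The function names, the format check and the sample data used to try it are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Accept only $id$salt$digest strings (MD5/SHA-256/SHA-512 crypt ids, optional
# rounds=N) built from the crypt(3) alphabet, so nothing else reaches the file.
valid_crypt_hash() {
    printf '%s\n' "$1" |
        grep -Eq '^\$(1|5|6)\$(rounds=[0-9]+\$)?[A-Za-z0-9./]{1,16}\$[A-Za-z0-9./]+$'
}

# set_root_hash FILE HASH: replace field 2 of the entry whose name is exactly
# "root" in a shadow-format FILE. Succeeds only if exactly one entry changed.
set_root_hash() {
    file=$1
    hash=$2
    valid_crypt_hash "$hash" || { echo "refusing malformed hash" >&2; return 1; }
    tmp=$(mktemp "${file}.XXXXXX") || return 1   # mktemp creates it mode 0600
    # The hash travels through the environment, so "$" needs no escaping and
    # it is never interpreted as a regular expression.
    if NEW_HASH=$hash awk -F: -v OFS=: '
            $1 == "root" { $2 = ENVIRON["NEW_HASH"]; n++ }
            { print }
            END { exit (n == 1 ? 0 : 1) }' "$file" > "$tmp"
    then
        # Overwrite in place: FILE keeps its inode, owner and mode.
        cat "$tmp" > "$file"
        status=$?
    else
        echo "expected exactly one root entry in $file" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# root_hash FILE: print only the hash field of the root entry, for verification.
root_hash() {
    awk -F: '$1 == "root" { print $2 }' "$1"
}
```

Try it on a copy of a shadow file first, for example `set_root_hash ./shadow.copy '$6$...'`. The in-place overwrite takes no lock, which the `usermod -p` approach mentioned in the replies handles for you on a live /etc/shadow.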