[Spacewalk-list] Deploy a root password change

Armstrong, Kenneth Lawrence (SYSADMIN) klarmstrong2 at liberty.edu
Wed Aug 26 11:56:59 UTC 2015


Thanks everyone for your suggestions!  We’ll test these out to see what works best for us.

Kenny Armstrong
System Administrator
IS Operations




From: <spacewalk-list-bounces at redhat.com> on behalf of Kobus Bensch
Reply-To: "spacewalk-list at redhat.com"
Date: Wednesday, August 26, 2015 at 4:52 AM
To: "spacewalk-list at redhat.com"
Subject: Re: [Spacewalk-list] Deploy a root password change

Hi

I wrote a script many years ago and still use it to this day.

Here is what I do.
1) I make a note of the current encrypted root password in the shadow file. Just in case I need it.
2) I change the password for root on this server and make note of the new encrypted password in the shadow file.
       The reason I do it this way is so I can make sure that the new password works and that I have made note of the unencrypted password and stored it away.
3) This is where my script comes into effect.
To use the new encrypted password, make sure any $ signs in the encrypted version have been escaped. Then replace the encrypted password on line 14 between $1": and :"$3 with your new encrypted password.

I do a bit of displaying of files for verification. Plus it gets logged in the Satellite logs.

Schedule this as a script on the relevant servers.

Here it is:


#!/bin/sh

# Written by Kobus Bensch
# kbensch [at] gmail [dot] com
# If you use it, let me know.
# If you make it better, let me know.
# This works for me, test it before you use it in production.
# Any questions, let me know.
# Version 0.5

SHADOW_FILE="/etc/shadow"
cp -v /etc/shadow /etc/shadow-$(date +%Y%m%d%H%M%S)
OLDPWD=`grep '^root:' "$SHADOW_FILE"`    # anchored: a bare "grep root" also matches any other line containing "root"
NEWPWD=`grep '^root:' "$SHADOW_FILE" | awk -F":" '{print $1":\$6\$SRXLyEWW\$OOtjSy3lShHGbjHDBnH.QYEm0t.GUaXW1VtoDzV.c8wpIVUBFEtH5YQBQD1FeqQNujyMLwd135kLs8p9O9Y4m1:"$3":"$4":"$5":"$6":"$7":"$8":"$9}'`

echo "Old ROOT PWD = $OLDPWD"
echo "New ROOT PWD = $NEWPWD"
echo "New Shadow"

sed -i "s_${OLDPWD}_${NEWPWD}_" $SHADOW_FILE

cat $SHADOW_FILE



Kobus Bensch


On 26 August 2015 at 01:57, J Epperson <spacewalk at epperson.homelinux.net> wrote:

I've always done this with "usermod -p", using the crypted password string.  But that's probably not actually any more secure than echoing to "passwd --stdin".





On 2015-08-25 16:50, Steve Meier wrote:

Hello,

using sed on your /etc/shadow is a very harsh way to do it. On Red Hat
the passwd command supports the --stdin parameter which is much cleaner

echo supersecret | passwd --stdin root

Run this as a remote action and you are good.

Alternatively, you can create a dummy RPM where this is a %post action
and deploy this RPM. This should work as well and the version of that
dummy RPM will actually give you a hint on which of your rotated
passwords it is.

Kind regards,
   Steve

On 2015-08-25 22:24, Justin Edmands wrote:

You change the root pw on one machine, grab the /etc/shadow entry, and sed replace the root line in the shadow file into a remote command to whatever systems you need to change.

On Aug 25, 2015, at 4:13 PM, Franky Van Liedekerke <liedekef at telenet.be> wrote:

On Tue, 25 Aug 2015 19:45:06 +0000 "Armstrong, Kenneth Lawrence (SYSADMIN)" <klarmstrong2 at liberty.edu> wrote:

Is there a way to deploy a root password change to a group of servers in Satellite 5.6? I imagine something like this might be possible in Satellite 6.x, but we don’t have that deployed yet.

Since spacewalk only has the root-pwd there for kickstart I don't think that is possible. I don't know if this helps, but: loop through your servers, do sudo and:

echo "root:newpass"|chpasswd

I know, it is not the config-method you're looking for (puppet, ansible), but sometimes the simplest things are sufficient too ...

Franky

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
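
An added example, not part of the thread: one way to combine the suggestions above, feeding a pre-computed hash to chpasswd and confirming the change without printing /etc/shadow into the job log. The -e option of chpasswd (shadow-utils) is not named in the messages, and the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Usage (as root, e.g. as a remote script): deploy_root_hash '<crypt hash>'

# Accept only modular-crypt strings ($id$salt$digest) built from the crypt
# alphabet, so a plaintext password, a truncated paste or a stray ':' is
# rejected before it can reach the shadow file.
valid_crypt_hash() {
    case $1 in
        *[!A-Za-z0-9./\$=,-]*) return 1 ;;   # character outside the crypt alphabet
        \$[0-9a-z]*\$?*\$?*)   return 0 ;;   # $id$...$...
        *)                     return 1 ;;
    esac
}

# Return 0 if USER has exactly one entry in the shadow-format FILE and its
# password field equals HASH. Exact string comparison on fields 1 and 2:
# no regex built from the hash, and nothing is printed.
shadow_hash_matches() {
    EXPECT=$3 awk -F: -v u="$2" '
        $1 == u { n++; if ($2 == ENVIRON["EXPECT"]) ok = 1 }
        END     { exit !(n == 1 && ok) }' "$1"
}

# Set root's hash with chpasswd -e, which reads "user:hash" on stdin, then
# verify the entry. printf is a shell builtin, so the hash is not exposed
# as a command-line argument in the process list.
deploy_root_hash() {
    new_hash=$1
    shadow=${2:-/etc/shadow}   # second argument exists only to allow testing on a copy
    valid_crypt_hash "$new_hash" || { echo "refusing: not a crypt hash" >&2; return 2; }
    printf 'root:%s\n' "$new_hash" | chpasswd -e || return 1
    shadow_hash_matches "$shadow" root "$new_hash" \
        || { echo "root hash not updated" >&2; return 3; }
    echo "root hash updated"
}
```

The only line that reaches the job output is "root hash updated" or a refusal message, so no hash from /etc/shadow ends up in the scheduling server's logs.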