Solved

need a secure script to change root password in linux.

Posted on 2013-05-14
9
581 Views
Last Modified: 2013-05-25
I am in a larger environment and it appears our management software will not change the root password for some unknown reason on about 100 systems.

The systems are mostly Redhat  however some are Aix or Solaris.

The problem is that a basic script using "standard io"  puts the password in the history file ( not good at all ).  We are in a strongly monitored system so cleaning up the history file may not work so well.  I need to find a way to change the root password without the password showing up in the history file

Cross platform is best however a Linux only solution would help a big bunch.

thx

timfox123
0
Comment
Question by:TIMFOX123
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 31

Accepted Solution

by:
farzanj earned 500 total points
Comment Utility
Put root password in a file.

vi passfile

#And put password in this file

chmod 400 passfile

pw=$(<passfile)

echo $pw | passwd --stdin

Open in new window

0
 
LVL 19

Expert Comment

by:jools
Comment Utility
what do you use to manage the environment?
0
 
LVL 3

Expert Comment

by:GhostInTheMacheen
Comment Utility
Using --stdin as farzanj suggested is one of the simpler options, though if you want to keep it out of the history file you obviously don't want to use echo to write the password file -- so use a basic text editor.

Assuming you're doing this from a central admin machine and you want the same password to be set on all machines, it may be faster to use a distributable shell script. Something like:

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
passwd root <password_here>

Open in new window

Clearing IFS and setting PATH are always good security practice, and "set +x" ensures the following commands will not display in the terminal when the script is run.

chmod it to 500 and distribute it to /root/ on the machines requiring an update, run it, delete it.

For older machines you could manually update the /etc/passwd file with a pre-hashed value to avoid ever transmitting it in plain text, but that's significantly more complicated on newer systems using /etc/shadow.

There's also the simple manual solution. If you just run "passwd" or "passwd root" it should prompt you for further input, which won't be logged to the history file.

All of the above methods (except for the manual /etc/passwd update) will log that a password change has occurred in syslog, but should keep the history file clean.
0
 

Author Comment

by:TIMFOX123
Comment Utility
I have tried this and I can not get it to work

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
passwd root <password_here>

  What would be better is if I could pass a $1 as the password because our tool will let me send arguments to a script.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 19

Expert Comment

by:jools
Comment Utility
What do you use to manage your environment?
0
 

Author Comment

by:TIMFOX123
Comment Utility
I can not really answer that.

Sorry
0
 
LVL 3

Expert Comment

by:GhostInTheMacheen
Comment Utility
Unfortunately, if you pass $1 you are right back to passing the password in plain text (and adding it to the history file if you are using an ssh console). Though you could write a script to write the script based on $1... something like
#!/bin/sh
password=${1}
echo "
#!/bin/sh
...begin output script here...
passwd ${password}
...end output script...
" >/path/to/output/file.sh

Open in new window


There's a nicer way to do that with "cat<<EOF" but I wanted to keep the example simple.

I have tried this and I can not get it to work

What specifically isn't working? Could you paste an error log?

Since you didn't list a specific platform I went with sh commands common to the Linux systems I use every day, but I'm happy to try and assist at a platform specific level if I can.
0
 
LVL 19

Expert Comment

by:jools
Comment Utility
shame, if you used something like opsware (HPSA) then you could setup a script with a custom attribute and then execute it on all the hosts, you could even do something generic for all the *nix platforms.

how many systems are we talking about?
Are they all networked?
Do they all have the same password set at the moment?
Can you connect via ssh?

you could probably still run something from a central location, if you dont have root ssh access it may be difficult but I'm guessing on your setup.

If all the servers had access to a central server they could possibly download a file (http/nfs??) with a password then use it's contents before deleting it. A sort of combination of all the above if you like.

Depends how secure you want to get?!
0
 

Author Comment

by:TIMFOX123
Comment Utility
passwd  << EOF
password1
password1
EOF
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now