Need a secure script to change the root password in Linux.

I am in a large environment and it appears our management software will not change the root password, for some unknown reason, on about 100 systems.

The systems are mostly Red Hat; however, some are AIX or Solaris.

The problem is that a basic script using "standard io" puts the password in the history file (not good at all). We are in a strongly monitored system, so cleaning up the history file may not work so well. I need to find a way to change the root password without the password showing up in the history file.

Cross-platform is best; however, a Linux-only solution would help a big bunch.

Thanks

TIMFOX123 Asked:
 
farzanj Commented:
Put the root password in a file.

vi passfile

# Type the password into this file in the editor (not via echo on a
# command line, so it never reaches the shell history)

chmod 400 passfile

# $(<file) is a bash/ksh idiom: read the file without forking cat
pw=$(<passfile)

# echo is a shell builtin, so the password is not visible in ps argv;
# --stdin is a Red Hat passwd option; name the account explicitly
echo "$pw" | passwd --stdin root

 
jools Commented:
what do you use to manage the environment?
 
GhostInTheMacheen Commented:
Using --stdin as farzanj suggested is one of the simpler options, though if you want to keep it out of the history file you obviously don't want to use echo to write the password file; use a basic text editor instead.

Assuming you're doing this from a central admin machine and you want the same password to be set on all machines, it may be faster to use a distributable shell script. Something like:

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
passwd root <password_here>


Clearing IFS and setting PATH are always good security practice, and "set +x" ensures the following commands will not display in the terminal when the script is run.

chmod it to 500, distribute it to /root/ on the machines requiring an update, run it, then delete it.

For older machines you could manually update the /etc/passwd file with a pre-hashed value to avoid ever transmitting it in plain text, but that's significantly more complicated on newer systems using /etc/shadow.

There's also the simple manual solution. If you just run "passwd" or "passwd root" it should prompt you for further input, which won't be logged to the history file.

All of the above methods (except for the manual /etc/passwd update) will log that a password change has occurred in syslog, but should keep the history file clean.
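The approach described in the answers above (password kept in a 0400 file, fed to the system's password tool on stdin rather than typed on a command line), as one added, self-contained script. This is an editor's example, not code posted by anyone in the thread. It assumes chpasswd on Linux and AIX (Solaris's passwd reads only from the controlling tty, so that branch refuses instead of pretending to work), that printf and read are builtins of the shell running it (so the secret is never an argument of a forked process), and a hypothetical CHPASSWD_CMD override that exists only so the logic can be exercised without root. The "hashed" mode covers the pre-hashed alternative mentioned above: generate the crypt(3) hash on the admin host (for instance with openssl passwd) and ship only the hash, passing -e to chpasswd.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
# Batch-change root's password on Linux and AIX without the password ever
# appearing on a command line (shell history), in a process's argv (ps), or
# in a world-readable file.
#
# Assumptions, labelled here and in the lead-in:
#   * chpasswd exists on Linux (shadow-utils) and AIX; Solaris has no
#     equivalent batch tool, so that case is refused rather than faked.
#   * CHPASSWD_CMD is a hypothetical override used only for testing.
#   * printf and read are shell builtins (true for bash, ksh and dash), so the
#     password never becomes an argument of a forked process.

umask 077                                # any file we create starts 0600
unset IFS                                # default field splitting (space, tab, newline)
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# make_passfile FILE: read one line from stdin (echo off if it is a terminal)
# and store it in FILE with mode 0400.  Typing into this function is what
# keeps the password out of ~/.bash_history and friends.
make_passfile() {
  f=$1
  if [ -t 0 ]; then
    printf 'New root password: ' >&2
    stty -echo; IFS= read -r line; stty echo; echo >&2
  else
    IFS= read -r line
  fi
  rm -f "$f" 2>/dev/null                 # replace a previous read-only copy
  printf '%s\n' "$line" > "$f"           # created 0600 because of umask 077
  chmod 400 "$f"
  unset line
}

# check_passfile FILE: succeed only if FILE is a regular file, mode exactly
# 0400 and owned by the invoking user.  Parses ls -ld because stat(1) options
# differ across Linux, AIX and Solaris.
check_passfile() {
  f=$1
  [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
  set -- $(ls -ld "$f")                  # $1 = mode string, $3 = owner
  case $1 in
    -r--------*) ;;                      # trailing '.'/'+' = SELinux/ACL marker
    *) echo "$f must be mode 0400 (is $1)" >&2; return 1 ;;
  esac
  [ "$3" = "$(id -un)" ] || { echo "$f must be owned by $(id -un)" >&2; return 1; }
}

# change_root_password FILE [OS] [hashed]
# Feeds "root:<secret>" read from FILE to the platform's batch password tool
# on stdin.  If the third argument is "hashed", FILE holds a crypt(3) hash and
# -e is passed so the plaintext never leaves the admin host.
change_root_password() {
  f=$1
  os=${2:-$(uname -s)}
  mode=${3:-plain}
  check_passfile "$f" || return 1
  IFS= read -r secret < "$f" || :        # ':' tolerates a missing final newline
  [ -n "$secret" ] || { echo "empty password in $f" >&2; return 1; }
  case $os in
    Linux) tool=chpasswd; flags= ;;      # on Red Hat, 'passwd --stdin root' also works
    AIX)   tool=chpasswd; flags=-c ;;    # -c: do not force a change at next login
    *)     echo "no batch password tool for $os (Solaris passwd is tty-only)" >&2; return 2 ;;
  esac
  if [ "$mode" = hashed ]; then flags="$flags -e"; fi
  tool=${CHPASSWD_CMD:-$tool}            # test hook (assumption), see header
  printf 'root:%s\n' "$secret" | $tool $flags
}
```

Usage: on the admin host run make_passfile /root/.rootpw once and type the password at the prompt, distribute the 0400 file next to the script, run change_root_password /root/.rootpw on each target, then delete the file. Only the file path ever appears in shell history or as a script argument, so a management tool that can only pass $1 can still be used safely; the secret itself travels on the chpasswd process's stdin and is not visible in ps.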
 
TIMFOX123 Author Commented:
I have tried this and I cannot get it to work:

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
passwd root <password_here>

What would be better is if I could pass $1 as the password, because our tool will let me send arguments to a script.
 
jools Commented:
What do you use to manage your environment?
 
TIMFOX123 Author Commented:
I cannot really answer that.

Sorry
 
GhostInTheMacheen Commented:
Unfortunately, if you pass $1 you are right back to passing the password in plain text (and adding it to the history file if you are using an SSH console). Though you could write a script to write the script based on $1... something like:
#!/bin/sh
password=${1}
echo "
#!/bin/sh
...begin output script here...
passwd ${password}
...end output script...
" >/path/to/output/file.sh



There's a nicer way to do that with "cat<<EOF" but I wanted to keep the example simple.

I have tried this and I can not get it to work

What specifically isn't working? Could you paste an error log?

Since you didn't list a specific platform I went with sh commands common to the Linux systems I use every day, but I'm happy to try and assist at a platform specific level if I can.
 
jools Commented:
Shame. If you used something like Opsware (HPSA) you could set up a script with a custom attribute and then execute it on all the hosts; you could even do something generic for all the *nix platforms.

how many systems are we talking about?
Are they all networked?
Do they all have the same password set at the moment?
Can you connect via ssh?

You could probably still run something from a central location; if you don't have root SSH access it may be difficult, but I'm guessing at your setup.

If all the servers had access to a central server they could possibly download a file (HTTP/NFS?) with a password, then use its contents before deleting it. A sort of combination of all the above, if you like.

Depends how secure you want to get!
 
TIMFOX123 Author Commented:
passwd  << EOF
password1
password1
EOF
Question has a verified solution.