Solved

need a secure script to change root password in linux.

Posted on 2013-05-14
Medium Priority
Last Modified: 2013-05-25
I am in a larger environment and it appears our management software will not change the root password for some unknown reason on about 100 systems.

The systems are mostly Red Hat; however, some are AIX or Solaris.

The problem is that a basic script using "standard io" puts the password in the history file (not good at all). We are in a strongly monitored system, so cleaning up the history file may not work so well. I need to find a way to change the root password without the password showing up in the history file.

Cross platform is best however a Linux only solution would help a big bunch.

thx

timfox123
Question by:TIMFOX123
9 Comments
 
LVL 31

Accepted Solution

by:
farzanj earned 2000 total points
ID: 39164452
Put root password in a file.

umask 077                      # so the file is never created world-readable
vi passfile                    # and put the password on the first line of this file
chmod 400 passfile
pw=$(<passfile)                # bash builtin read: no cat process ever sees the password
printf '%s\n' "$pw" | passwd --stdin root   # --stdin exists only in Red Hat-derived passwd
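Editor's added example (not part of farzanj's answer): the same file-based approach in bash, with the checks a practitioner would want around it. The file is created under umask 077 so it is never world-readable before chmod runs, the password is typed at a silent prompt instead of into an editor, the script refuses a file that group or other can read, and printf replaces echo so a password that begins with -n or contains backslashes arrives intact. passwd --stdin exists only in Red Hat-derived shadow-utils; AIX has chpasswd and Solaris has neither, so this block is Linux-only. The file name and the function names are my own.

```shell
#!/bin/bash
# Added example: keep a root password in a 0400 file and feed it to
# passwd --stdin (Red Hat / Fedora shadow-utils only).  Nothing here puts the
# password into argv, shell history, or the environment of a child process.

# Create FILE holding the password typed at a silent prompt.  umask is set
# inside a subshell before the file exists, so there is no window in which a
# group- or world-readable file holds the password.
create_secret_file() {
    f=$1
    trap 'stty echo 2>/dev/null' EXIT      # restore echo even on Ctrl-C
    printf 'New root password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    (umask 077 && printf '%s\n' "$pw" >"$f") || return 1
    unset pw
    chmod 400 "$f"
}

# Return 1 unless FILE is a regular file unreadable by group and other.
# find(1)'s symbolic -perm test is POSIX, so this works on Linux, AIX, Solaris.
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    if [ -n "$(find "$f" -prune \( -perm -g+r -o -perm -o+r \) -print)" ]; then
        echo "refusing: $f is readable by group or other" >&2
        return 1
    fi
    return 0
}

# Print the first line of FILE (the password) after the permission check.
# read -r keeps backslashes; the || handles a file with no trailing newline.
read_secret() {
    check_secret_file "$1" || return 1
    IFS= read -r line <"$1" || [ -n "$line" ] || return 1
    printf '%s' "$line"
}

# Set root's password from FILE.  Needs root and a passwd supporting --stdin.
set_root_password_from_file() {
    pw=$(read_secret "$1") || return 1
    printf '%s\n' "$pw" | passwd --stdin root
    rc=$?
    unset pw
    return $rc
}
```

Usage on the target: `create_secret_file /root/.rootpw` once, then `set_root_password_from_file /root/.rootpw` and `rm -P` (or plain `rm`) the file. The permission check is deliberately on mode bits rather than on whether the caller can read the file: root can read anything, so "can I open it" would never fail.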
 
LVL 19

Expert Comment

by:jools
ID: 39164570
what do you use to manage the environment?

Expert Comment by: GhostInTheMacheen (ID: 39164682)
Using --stdin as farzanj suggested is one of the simpler options, though if you want to keep it out of the history file you obviously don't want to use echo to write the password file -- so use a basic text editor.

Assuming you're doing this from a central admin machine and you want the same password to be set on all machines, it may be faster to use a distributable shell script. Something like:

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
# passwd prompts on the terminal and will not take the new password from a
# redirection; chpasswd (Linux, AIX) reads "user:password" lines on stdin.
# The quoted 'EOF' stops the shell expanding anything in the password.
chpasswd <<'EOF'
root:password_here
EOF

Clearing IFS and setting PATH are always good security practice, and "set +x" ensures the following commands will not display in the terminal when the script is run.

chmod it to 500 and distribute it to /root/ on the machines requiring an update, run it, delete it.

For older machines you could manually update the /etc/passwd file with a pre-hashed value to avoid ever transmitting it in plain text, but that's significantly more complicated on newer systems using /etc/shadow.

There's also the simple manual solution. If you just run "passwd" or "passwd root" it should prompt you for further input, which won't be logged to the history file.

All of the above methods (except for the manual /etc/passwd update) will log that a password change has occurred in syslog, but should keep the history file clean.

Author Comment by: TIMFOX123 (ID: 39173290)
I have tried this and I can not get it to work

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
passwd root <password_here>

  What would be better is if I could pass a $1 as the password because our tool will let me send arguments to a script.

Expert Comment by: jools (ID: 39173348)
What do you use to manage your environment?

Author Comment by: TIMFOX123 (ID: 39173411)
I can not really answer that.

Sorry

Expert Comment by: GhostInTheMacheen (ID: 39173688)
Unfortunately, if you pass $1 you are right back to passing the password in plain text (and adding it to the history file if you are using an ssh console). Though you could write a script to write the script based on $1... something like
#!/bin/sh
password=${1}
# The outer double quotes expand ${password} now; the inner single quotes
# are written literally into the generated script so it is not re-expanded.
echo "#!/bin/sh
...begin output script here...
printf '%s\n' 'root:${password}' | chpasswd
...end output script...
" >/path/to/output/file.sh
chmod 500 /path/to/output/file.sh


There's a nicer way to do that with "cat<<EOF" but I wanted to keep the example simple.

I have tried this and I can not get it to work

What specifically isn't working? Could you paste an error log?

Since you didn't list a specific platform I went with sh commands common to the Linux systems I use every day, but I'm happy to try and assist at a platform specific level if I can.
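Editor's added example (not part of GhostInTheMacheen's post), covering two points raised above: the pre-hashed approach from the earlier comment and the problem with passing the password as $1. An argument is visible in ps on the target, in auditd exec records where those are on, and in history when typed at an ssh console; set +x does not change that, it only turns off xtrace. Instead the admin host reads the password once at a silent prompt, computes a SHA-512 crypt hash with openssl passwd -6 (OpenSSL 1.1.1 or later is assumed), and ships only root:<hash> on ssh's stdin to chpasswd -e, which accepts an already-encrypted password on Linux shadow-utils and on AIX. Solaris has no chpasswd and is not covered. The hash is still crackable offline, so the ssh session and host list remain sensitive; what changes is that no plaintext ever reaches a target's argv, history or disk. The host file name and function names are assumptions.

```shell
#!/bin/bash
# Added example: change root's password on Linux/AIX hosts from a central
# machine without sending the plaintext.  Assumes openssl >= 1.1.1 for
# 'openssl passwd -6', chpasswd -e on the targets, and root-capable ssh.

# SHA-512 crypt hash of the password read on stdin.  -stdin keeps the
# plaintext out of openssl's argv.
make_hash() {
    openssl passwd -6 -stdin
}

# True if ARG is a SHA-512 crypt string: $6$[rounds=N$]<salt>$<86 chars>.
# Rejecting anything else stops a stray plaintext being written as the "hash".
is_sha512_crypt() {
    case $1 in
        '$6$'*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'
}

# Build the "user:hash" line that chpasswd -e expects.
chpasswd_line() {
    user=$1 hash=$2
    is_sha512_crypt "$hash" || { echo "not a SHA-512 crypt hash" >&2; return 1; }
    printf '%s:%s\n' "$user" "$hash"
}

# Send LINE to chpasswd -e on every host in HOSTFILE (one per line, '#'
# comments allowed).  The line travels on ssh's stdin, never as an argument,
# so it appears in neither ps output nor shell history on either end.
push_hash() {
    hostfile=$1 line=$2 rc=0
    while IFS= read -r host; do
        case $host in ''|'#'*) continue ;; esac
        if printf '%s\n' "$line" | ssh -o BatchMode=yes "root@$host" 'chpasswd -e'; then
            echo "ok: $host"
        else
            echo "FAILED: $host" >&2; rc=1
        fi
    done <"$hostfile"
    return $rc
}

# Usage from the admin host (hosts.txt is an assumed file name):
#   stty -echo; printf 'New root password: '; IFS= read -r pw; stty echo; echo
#   hash=$(printf '%s\n' "$pw" | make_hash); unset pw
#   line=$(chpasswd_line root "$hash") && push_hash hosts.txt "$line"
```

If the management tool can only pass arguments, pass it the path of a 0400 file containing the root:hash line and have the per-host script run `chpasswd -e < "$1"`; the argument is then a file name, not a secret. With chpasswd -e the target never sees the plaintext at all, which is also what makes the approach usable on AIX, where chpasswd -e takes the same line format.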

Expert Comment by: jools (ID: 39174579)
shame, if you used something like opsware (HPSA) then you could setup a script with a custom attribute and then execute it on all the hosts, you could even do something generic for all the *nix platforms.

how many systems are we talking about?
Are they all networked?
Do they all have the same password set at the moment?
Can you connect via ssh?

You could probably still run something from a central location; if you don't have root ssh access it may be difficult, but I'm guessing on your setup.

If all the servers had access to a central server they could possibly download a file (http/nfs??) with a password, then use its contents before deleting it. A sort of combination of all the above if you like.

Depends how secure you want to get?!

Author Comment by: TIMFOX123 (ID: 39197167)
# On Linux, passwd prompts on the terminal rather than reading stdin, so a
# here-document only works where passwd accepts the new password on stdin
passwd << EOF
password1
password1
EOF