Solved

need a secure script to change root password in linux.

Posted on 2013-05-14
Last Modified: 2013-05-25
I am in a larger environment and it appears our management software will not change the root password for some unknown reason on about 100 systems.

The systems are mostly Red Hat; however, some are AIX or Solaris.

The problem is that a basic script using "standard io" puts the password in the history file (not good at all). We are in a strongly monitored system, so cleaning up the history file may not work so well. I need to find a way to change the root password without the password showing up in the history file.

Cross-platform is best; however, a Linux-only solution would help a big bunch.

thx

timfox123
Question by:TIMFOX123
9 Comments
 
LVL 31

Accepted Solution

by:
farzanj earned 500 total points
ID: 39164452
Put root password in a file.

vi passfile

# And put password in this file (type it into the editor; do not echo it in from the shell)

chmod 400 passfile

pw=$(<passfile)   # bash shorthand for pw=$(cat passfile)

echo "$pw" | passwd --stdin root   # --stdin is a Red Hat passwd option; quote $pw so it is not word-split or glob-expanded

 
LVL 19

Expert Comment

by:jools
ID: 39164570
What do you use to manage the environment?
 
LVL 3

Expert Comment

by:GhostInTheMacheen
ID: 39164682
Using --stdin as farzanj suggested is one of the simpler options, though if you want to keep it out of the history file you obviously don't want to use echo to write the password file -- so use a basic text editor.

Assuming you're doing this from a central admin machine and you want the same password to be set on all machines, it may be faster to use a distributable shell script. Something like:

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
# passwd never accepts the new password as an argument; with --stdin (Red Hat passwd)
# it reads it from standard input. Replace password_here before distributing.
printf '%s\n' 'password_here' | passwd --stdin root

Clearing IFS and setting PATH are always good security practice, and "set +x" ensures the following commands will not display in the terminal when the script is run.

chmod it to 500 and distribute it to /root/ on the machines requiring an update, run it, delete it.

For older machines you could manually update the /etc/passwd file with a pre-hashed value to avoid ever transmitting it in plain text, but that's significantly more complicated on newer systems using /etc/shadow.

There's also the simple manual solution. If you just run "passwd" or "passwd root" it should prompt you for further input, which won't be logged to the history file.

All of the above methods (except for the manual /etc/passwd update) will log that a password change has occurred in syslog, but should keep the history file clean.
Author Comment

by:TIMFOX123
ID: 39173290
I have tried this and I cannot get it to work

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
passwd root <password_here>

What would be better is if I could pass a $1 as the password, because our tool will let me send arguments to a script.
 
LVL 19

Expert Comment

by:jools
ID: 39173348
What do you use to manage your environment?
 

Author Comment

by:TIMFOX123
ID: 39173411
I cannot really answer that.

Sorry
 
LVL 3

Expert Comment

by:GhostInTheMacheen
ID: 39173688
Unfortunately, if you pass $1 you are right back to passing the password in plain text (and adding it to the history file if you are using an ssh console). Though you could write a script to write the script based on $1... something like
#!/bin/sh
password=${1}
# ${password} is expanded by this outer script, so the generated file carries the literal value.
echo "#!/bin/sh
# ...begin output script here...
echo '${password}' | passwd --stdin root
# ...end output script...
" >/path/to/output/file.sh
chmod 500 /path/to/output/file.sh

There's a nicer way to do that with "cat<<EOF" but I wanted to keep the example simple.

"I have tried this and I can not get it to work"

What specifically isn't working? Could you paste an error log?

Since you didn't list a specific platform I went with sh commands common to the Linux systems I use every day, but I'm happy to try and assist at a platform specific level if I can.
 
LVL 19

Expert Comment

by:jools
ID: 39174579
Shame; if you used something like Opsware (HPSA) then you could set up a script with a custom attribute and then execute it on all the hosts. You could even do something generic for all the *nix platforms.

How many systems are we talking about?
Are they all networked?
Do they all have the same password set at the moment?
Can you connect via ssh?

You could probably still run something from a central location; if you don't have root ssh access it may be difficult, but I'm guessing on your setup.

If all the servers had access to a central server they could possibly download a file (http/nfs??) with a password, then use its contents before deleting it. A sort of combination of all the above, if you like.

Depends how secure you want to get?!
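A single script, added here as an example and not posted by anyone in the thread, that combines the approaches above: farzanj's mode-400 password file, GhostInTheMacheen's hardened distributable script, and jools' fetch-the-file-then-delete-it flow. The helper names, the use of chpasswd on Linux and AIX, and the refusal on Solaris are this example's assumptions; verify the AIX and Solaris behaviour on one host before rolling it out.

```shell
#!/bin/sh
# Added example, not code posted by anyone in this thread. The management tool
# drops the new password in a mode-0400 file; this script feeds it to the
# system's password tool over a pipe, so it is never a command-line argument
# and never lands in shell history or in ps output. The helper names and the
# AIX/Solaris handling are assumptions of this example.
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
unset IFS        # restore default field splitting rather than an empty IFS
set -u

# Accept only a non-empty, single-line file that nobody but its owner can read.
# ls -l is parsed instead of stat(1) so the check also runs on AIX and Solaris.
check_passfile() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c2-10)
    case $perms in
        r--------|rw-------) ;;
        *) echo "refusing $f: mode is $perms, expected 400 or 600" >&2; return 1 ;;
    esac
    [ -s "$f" ] || { echo "refusing $f: empty" >&2; return 1; }
    [ "$(wc -l < "$f")" -le 1 ] || { echo "refusing $f: more than one line" >&2; return 1; }
}

# Pick the tool that reads "user:password" on stdin: chpasswd on Linux
# (shadow-utils) and on AIX. Solaris passwd insists on a terminal, so the
# script refuses there instead of falling back to something that leaks.
passwd_cmd_for() {
    case $1 in
        Linux|AIX) echo chpasswd ;;
        *) echo "no non-interactive password tool known for $1" >&2; return 1 ;;
    esac
}

set_root_password() {
    f=$1
    check_passfile "$f" || return 1
    tool=$(passwd_cmd_for "$(uname -s)") || return 1
    # The password crosses only the pipe; "root:" is the chpasswd line prefix.
    { printf 'root:'; cat "$f"; } | "$tool"
    rc=$?
    rm -f "$f"   # consume the file whether or not the change succeeded
    return $rc
}

# On a target host, as root: set_root_password /root/.newrootpw
```

Because the script never takes the password as an argument, the management tool's argument logging and the shell history only ever see the file path.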
 

Author Comment

by:TIMFOX123
ID: 39197167
passwd  << EOF
password1
password1
EOF