Solved

Need a secure script to change the root password in Linux.

Posted on 2013-05-14
590 Views
Last Modified: 2013-05-25
I am in a larger environment and it appears our management software will not change the root password, for some unknown reason, on about 100 systems.

The systems are mostly Red Hat, however some are AIX or Solaris.

The problem is that a basic script using "standard I/O" puts the password in the history file (not good at all). We are in a strongly monitored system, so cleaning up the history file may not work so well. I need to find a way to change the root password without the password showing up in the history file.

Cross platform is best, however a Linux-only solution would help a big bunch.

thx

Question by:TIMFOX123
9 Comments
 
LVL 31

Accepted Solution

by:
farzanj earned 500 total points
ID: 39164452
Put the root password in a file.

vi passfile

#And put the password in this file, as its only line

chmod 400 passfile    # readable by its owner (root) only

pw=$(<passfile)       # bash: read the file without running cat, so the password is never a command argument

echo "$pw" | passwd --stdin    # --stdin is the Red Hat passwd option; with no user named it sets the password of the invoking user (root)


0
 
LVL 19

Expert Comment

by:jools
ID: 39164570
What do you use to manage the environment?
0
 
LVL 3

Expert Comment

by:GhostInTheMacheen
ID: 39164682
Using --stdin as farzanj suggested is one of the simpler options, though if you want to keep it out of the history file you obviously don't want to use echo to write the password file -- so use a basic text editor.

Assuming you're doing this from a central admin machine and you want the same password to be set on all machines, it may be faster to use a distributable shell script. Something like:

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
passwd root <password_here>


Clearing IFS and setting PATH are always good security practice, and "set +x" ensures the following commands will not display in the terminal when the script is run.

chmod it to 500 and distribute it to /root/ on the machines requiring an update, run it, delete it.

For older machines you could manually update the /etc/passwd file with a pre-hashed value to avoid ever transmitting it in plain text, but that's significantly more complicated on newer systems using /etc/shadow.

There's also the simple manual solution. If you just run "passwd" or "passwd root" it should prompt you for further input, which won't be logged to the history file.

All of the above methods (except for the manual /etc/passwd update) will log that a password change has occurred in syslog, but should keep the history file clean.
0
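farzanj's file-based approach and GhostInTheMacheen's points about IFS and file permissions, combined into one script as an added example that is not from any poster in this thread: the password is read from a mode-0400 file with "IFS= read -r", checked, and piped to chpasswd(8) on stdin, so it never appears as a command argument (arguments end up in shell history and are visible in the process list; a file's contents are not). chpasswd comes with shadow-utils on Linux generally, whereas "passwd --stdin" is Red Hat only; AIX and Solaris have their own tools and are not covered here. The function names, the CHPASSWD override used to exercise the pipeline without root, and the file paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: set a local account's password from a
# protected file instead of from a command-line argument. Argv ends up in shell
# history and in the process list; stdin does not. The password is piped to
# chpasswd(8), which shadow-utils ships on Linux ("passwd --stdin" is Red Hat
# only). CHPASSWD, the file paths and the user name are this example's own
# assumptions.

# Refuse a password file that anyone but its owner could read
# (expects mode 0400 or 0600). Uses ls so it works without GNU stat.
check_passfile_mode() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c2-10)
    case "$perm" in
        r--------|rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the first line of the file exactly: IFS cleared so leading and trailing
# blanks survive, -r so backslashes are kept. read returns 1 when the file has
# no final newline but still fills pw, hence the "|| true". Fails on empty input.
read_password() {
    pw=
    IFS= read -r pw < "$1" || true
    [ -n "$pw" ] && printf '%s' "$pw"
}

# The line chpasswd expects: "user:password". chpasswd splits on the first
# colon, so colons inside the password are fine; newlines are not, and
# read_password never returns one.
chpasswd_line() {
    printf '%s:%s\n' "$1" "$2"
}

# Change the password of user $1 using the file $2. CHPASSWD may name a
# stand-in command so the pipeline can be exercised without root.
set_password_from_file() {
    user=$1
    file=$2
    if ! check_passfile_mode "$file"; then
        echo "refusing $file: must be mode 0400 or 0600, owned by the caller" >&2
        return 2
    fi
    pw=$(read_password "$file") || { echo "refusing $file: no password in it" >&2; return 3; }
    chpasswd_line "$user" "$pw" | ${CHPASSWD:-chpasswd}
}

# Run as root on each target:  sh setpw.sh root /root/passfile ; rm -f /root/passfile
if [ $# -eq 2 ]; then
    set_password_from_file "$1" "$2"
fi
```

Run it as root on each target with the user and the file as its two arguments, then delete the file. Setting CHPASSWD to the name of a substitute command lets the whole pipeline be checked on a workstation without touching any account.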

Author Comment

by:TIMFOX123
ID: 39173290
I have tried this and I can not get it to work.

#!/bin/sh
IFS=
PATH=/usr/sbin:/usr/bin:/sbin:/bin
set +x
passwd root <password_here>

What would be better is if I could pass a $1 as the password, because our tool will let me send arguments to a script.
0
 
LVL 19

Expert Comment

by:jools
ID: 39173348
What do you use to manage your environment?
0
 

Author Comment

by:TIMFOX123
ID: 39173411
I can not really answer that.

Sorry
0
 
LVL 3

Expert Comment

by:GhostInTheMacheen
ID: 39173688
Unfortunately, if you pass $1 you are right back to passing the password in plain text (and adding it to the history file if you are using an ssh console). Though you could write a script to write the script based on $1... something like
#!/bin/sh
password=${1}
echo "
#!/bin/sh
...begin output script here...
passwd ${password}
...end output script...
" >/path/to/output/file.sh



There's a nicer way to do that with "cat<<EOF" but I wanted to keep the example simple.

"I have tried this and I can not get it to work"

What specifically isn't working? Could you paste an error log?

Since you didn't list a specific platform I went with sh commands common to the Linux systems I use every day, but I'm happy to try and assist at a platform specific level if I can.
0
 
LVL 19

Expert Comment

by:jools
ID: 39174579
Shame; if you used something like Opsware (HPSA) then you could set up a script with a custom attribute and then execute it on all the hosts. You could even do something generic for all the *nix platforms.

How many systems are we talking about?
Are they all networked?
Do they all have the same password set at the moment?
Can you connect via ssh?

You could probably still run something from a central location; if you don't have root ssh access it may be difficult, but I'm guessing on your setup.

If all the servers had access to a central server they could possibly download a file (http/nfs??) with a password, then use its contents before deleting it. A sort of combination of all the above, if you like.

Depends how secure you want to get?!
0
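The pre-hashed idea raised earlier in the thread, combined with jools's suggestion of distributing a file from a central server, as an added example that is not from any poster: the hash is computed once on the admin host with "openssl passwd -6" (SHA-512 crypt, the format modern /etc/shadow uses), checked locally against the plaintext, and each Linux target applies it with "chpasswd -e", so the plaintext is never sent to the ~100 targets at all. Assumes openssl 1.1.1 or later on the admin host and chpasswd on the targets; the function names, the CHPASSWD override and the file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: hash the new password once on the admin
# host and distribute only the crypt(3) hash, so the plaintext never travels to
# the targets. Linux targets apply it with "chpasswd -e", which takes
# "user:<hash>" on stdin. Assumes openssl 1.1.1+ for "openssl passwd -6";
# CHPASSWD and the file names are this example's own assumptions.

# SHA-512 crypt hash ("$6$<salt>$<86 chars>") of the one-line password on
# stdin; openssl chooses a random 16-character salt.
hash_from_stdin() {
    openssl passwd -6 -stdin
}

# Sanity check before shipping the file: does this look like a SHA-512 crypt hash?
is_sha512_crypt() {
    case "$1" in
        '$6$'*'$'*) ;;
        *) return 1 ;;
    esac
    hashpart=$(printf '%s' "$1" | sed 's/.*\$//')
    [ "${#hashpart}" -eq 86 ]
}

# Recompute with the hash's own salt; equal output means the password matches,
# which is what login does against /etc/shadow. Lets the admin confirm the
# hash before distributing it.
verify_against_hash() {
    salt=$(printf '%s' "$2" | cut -d'$' -f3)
    again=$(printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin)
    [ "$again" = "$2" ]
}

# On each target, as root:  sh apply_hash.sh root /root/root.hash
# Keep the hash file owner-only anyway (a hash can still be attacked offline)
# and delete it afterwards.
apply_hash_file() {
    user=$1
    file=$2
    hash=
    IFS= read -r hash < "$file" || true
    if ! is_sha512_crypt "$hash"; then
        echo "refusing $file: not a SHA-512 crypt hash" >&2
        return 2
    fi
    printf '%s:%s\n' "$user" "$hash" | ${CHPASSWD:-chpasswd} -e
}

if [ $# -eq 2 ]; then
    apply_hash_file "$1" "$2"
fi
```

The admin host generates root.hash with hash_from_stdin (typing the password into openssl's prompt, or reading it from a protected file, never from an argument), confirms it with verify_against_hash, and ships only that file; apply_hash_file refuses anything that is not a SHA-512 crypt hash, so a plaintext file shipped by mistake is not written into the shadow database.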
 

Author Comment

by:TIMFOX123
ID: 39197167
passwd << EOF
password1
password1
EOF
0
