Re: [Spacewalk-list] change root password for all machines in a group

2010-02-04 Thread Ian Forde
On Wed, 2010-02-03 at 21:58 -0600, Daniel Wittenberg wrote:
> Could you just push a script to /etc/cron.daily so it'll run auto, and have
> it replace the md5 crypted pass in /etc/shadow?  Then you don't have to pass
> anything in the clear ?
>

Technically, you'd want to use an 'at' job rather than cron for this,
but that's nothing that Spacewalk's remote command isn't giving you
already.  The issue is how to get the new password to the box while:

a) transmitting it such that it cannot be seen on the command line on
the remote box
b) safely updating the entry in /etc/shadow with minimal risk of hosing
the file
c) not putting it in cleartext anywhere that it can be logged by either
Spacewalk or the client machine

Personally, I'd just use sed on /etc/shadow, but I've been using Linux
for over a decade and UNIX for about 2 (decades).  So I'm careful and
cautious about what I recommend.  I won't recommend sed-ding the shadow
file to others unless they feel comfortable about doing it...

-I

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
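
One way to do the hash replacement discussed in this thread while keeping the value off the command line (point a) and limiting the risk of damaging the file (point b), as an added example that is not from any poster. The function name `set_shadow_hash` is made up here; it assumes 9-field shadow lines and takes no lock on the file.

```shell
#!/bin/sh
# Added example: replace one account's hash in a shadow-format file.
# The new hash arrives on stdin, so it never shows up in argv or `ps`.
# set_shadow_hash is a hypothetical helper, not part of Spacewalk.
set_shadow_hash() {
    file=$1 user=$2
    IFS= read -r newhash || [ -n "$newhash" ] || return 2

    # Accept only a crypt(3)-style "$id$salt$digest" string with no ':' or
    # space; a stray ':' would shift every later field on the line.
    case $newhash in
        *:* | *' '*) return 2 ;;
        '$'?*'$'?*'$'?*) ;;
        *) return 2 ;;
    esac

    # The account must exist exactly once, or we refuse to touch the file.
    hits=$(awk -F: -v u="$user" '$1 == u { n++ } END { print n + 0 }' "$file") \
        || return 3
    [ "$hits" -eq 1 ] || return 3

    # Build the new file beside the old one (same filesystem => atomic mv).
    # mktemp creates it mode 0600.
    tmp=$(mktemp "$file.XXXXXX") || return 4

    # Pass the hash through the environment, not -v: awk -v expands escapes.
    NEWHASH=$newhash awk -F: -v OFS=: -v u="$user" \
        '$1 == u { $2 = ENVIRON["NEWHASH"] } { print }' "$file" > "$tmp" \
        || { rm -f "$tmp"; return 4; }

    # Sanity checks before the swap: same line count, 9 fields on every line.
    [ "$(wc -l < "$tmp")" -eq "$(wc -l < "$file")" ] \
        && awk -F: 'NF != 9 { bad = 1 } END { exit bad }' "$tmp" \
        || { rm -f "$tmp"; return 5; }

    mv -f "$tmp" "$file"
}
```

On a live host, match the original file's owner, mode and SELinux label before the swap. `chpasswd -e` accepts `user:hash` on stdin and makes the same change through the system's own tooling.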


Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Edwind Richzendy Contreras Soto
2010/2/4 Michiel van Es michi...@info.nl:
> Hi,
>
> Is it possible to change the root password on all machines in a group?
> We want to change the root password for a lot of systems, we thought
> perhaps is spacewalk of some use (since you can install packages, reboot the
> machines)
>
> Is such an option possible through spacewalk?
>
> Kind regards,
>
> Michiel

If it generates a new file /etc/passwd and charges through the area
concerning configuration files (perhaps your user role does not allow
you to do this) and only select group of systems the option to work
with group and send him to send the configuration file to all
computers SSM.

Another option is through a small script using sed -i editing the file
/etc/passwd directly on each machine together (SSM).





Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Jeffrey Watts
I think he means /etc/shadow.  There are several approaches, one would be to
script the 'passwd' command, using expect or something like it.  The
downside is that you'll need to have the password in plain text in the
script.  You could then use Spacewalk to run the script remotely.  This is
probably what I'd do, but make sure you test it thoroughly first, as if you
screw it up you might make your systems inaccessible.

Another option would be to copy the password hash from a system where you've
set that password, and then write a script to edit /etc/shadow on a target
system and replace the old string with the new one.

Finally, if your systems are all homogeneous, you can simply push out a new
shadow file with the updated hash.  Most people won't be in this situation.

Jeffrey.


Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Edwind Richzendy Contreras Soto
2010/2/4 Jeffrey Watts jeffrey.w.wa...@gmail.com:
> I think he means /etc/shadow.

Sorry, my mistake, it really is /etc/shadow.

You can send this to execute on all machines (as root):

echo fedora |  passwd -d root  /dev/null

and they shall have the root password fedora



Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Colin Coe
Shouldn't this be

echo 'new_password' | passwd --stdin root

You could do this simply with a remote command via the SSM.  Just
remember that this will be in the spacewalk events for those servers
so if you have people with access to spacewalk that shouldn't know the
password, they'll be able to find it out.

CC




-- 
RHCE#805007969328369



Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Ian Forde
On Thu, 2010-02-04 at 10:14 +0800, Colin Coe wrote:
> Shouldn't this be
>
> echo 'new_password' | passwd --stdin root
>
> You could do this simply with a remote command via the SSM.  Just
> remember that this will be in the spacewalk events for those servers
> so if you have people with access to spacewalk that shouldn't know the
> password, they'll be able to find it out.

Actually, for a decent safe option, you can try this as a procedure:

1. Push a new file called /tmp/.newrootpasswd and set it to be root:root
and perms 0400.  This file will contain the plaintext of the new
password.
2. Use a remote command (since you can make it a script) as such:

#!/bin/bash
cat /tmp/.newrootpasswd | passwd --stdin
rm -f /tmp/.newrootpasswd

Unfortunately, Spacewalk (AFAIK) doesn't support file push triggers yet
(item #3 in Brainbox), so you can't do it all in one step.  Another way,
however, would be to do it all in a script that retrieved the textfile
and ran 'passwd --stdin'.  The idea is to keep the password off of the
command line.

Of course, if the passwd command accepted encrypted passwords when used
with stdin, we wouldn't have this issue.  Sort of... (I don't even like
putting encrypted strings out there.)

From a security perspective, I think it's about finding a safe way to
get the password string to the client box, avoiding displaying it on the
clients' command line and risking exposure on the filesystem.

-I



Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Daniel Wittenberg
Could you just push a script to /etc/cron.daily so it'll run auto, and have it 
replace the md5 crypted pass in /etc/shadow?  Then you don't have to pass 
anything in the clear ?

Dan




Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Jeffrey Watts
I would hope that the person running the Spacewalk/Satellite server was
competent enough to test out changes to shadow before pushing them...

If the person running your management server is careless you've got bigger
problems.

Jeffrey.

On Wed, Feb 3, 2010 at 10:08 PM, Colin Coe colin@gmail.com wrote:

> I get really nervous when people hack around in /etc/shadow.  I've had
> to fix more than one machine after someone who thought they knew what
> they were doing was let loose.

