Re: [Spacewalk-list] change root password for all machines in a group

2010-02-04 Thread Ian Forde
On Wed, 2010-02-03 at 21:58 -0600, Daniel Wittenberg wrote:
> Could you just push a script to /etc/cron.daily so it'll run auto, and have 
> it replace the md5 crypted pass in /etc/shadow?  Then you don't have to pass 
> anything in the clear ?
> 

Technically, you'd want to use an 'at' job rather than cron for this,
but that's nothing that Spacewalk's remote command isn't giving you
already.  The issue is how to get the new password to the box while:

a) transmitting it such that it cannot be seen on the command line on
the remote box
b) safely updating the entry in /etc/shadow with minimal risk of hosing
the file
c) not putting it in cleartext anywhere that it can be logged by either
Spacewalk or the client machine

Personally, I'd just use sed on /etc/shadow, but I've been using Linux
for over a decade and UNIX for about 2 (decades).  So I'm careful and
cautious about what I recommend.  I won't recommend sed-ding the shadow
file to others unless they feel comfortable about doing it...

-I

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
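
Added example, not part of the original thread: one way to meet requirements a) to c) from the message above, using the -e (already encrypted) mode of the chpasswd command suggested elsewhere in the thread, so that only a hash is staged and it reaches the tool on stdin. The file path, the EXPECTED_UID and CHPASSWD overrides and the function names are assumptions; GNU stat is assumed.

```shell
#!/bin/bash
# Added example, not from the thread. HASH_FILE, EXPECTED_UID, CHPASSWD and both
# function names are hypothetical; chpasswd -e is the real shadow-utils option.
HASH_FILE=${HASH_FILE:-/root/.newroothash}  # pushed as root:root 0400, outside /tmp
EXPECTED_UID=${EXPECTED_UID:-0}             # required owner of the staged file
CHPASSWD=${CHPASSWD:-chpasswd}              # overridable so the logic can be dry-run

# One line, "root:" plus a crypt(3) string: $id$[rounds=N$]salt$digest with
# id 1 (MD5), 5 (SHA-256) or 6 (SHA-512). Plaintext or another user fails.
ENTRY_RE='root:\$(1|5|6)\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{22,86}'

validate_hash_file() {
    local f=$1 owner mode
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2; return 1
    fi
    owner=$(stat -c %u "$f") && mode=$(stat -c %a "$f") || return 1
    if [ "$owner" != "$EXPECTED_UID" ]; then
        echo "refusing $f: owned by uid $owner" >&2; return 1
    fi
    case $mode in
        400|600) ;;
        *) echo "refusing $f: mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
    if [ "$(grep -c '' "$f")" -ne 1 ] || ! grep -Eqx -- "$ENTRY_RE" "$f"; then
        echo "refusing $f: not a single root:<hash> entry" >&2; return 1
    fi
}

# The entry goes to chpasswd on stdin, so nothing secret is in argv or in the
# remote-command text that Spacewalk records, and chpasswd rewrites the shadow
# entry itself instead of a hand-written sed.
apply_root_hash() {
    local f=$1 rc
    validate_hash_file "$f" || return 1
    "$CHPASSWD" -e < "$f" && rc=0 || rc=$?
    rm -f -- "$f"   # remove the staged hash whether or not the change succeeded
    return "$rc"
}

# Remote-command entry point: run the script with --apply on the client.
if [ "${1:-}" = "--apply" ]; then
    apply_root_hash "$HASH_FILE"
fi
```

The staged hash is still sensitive, since it can be attacked offline, which is why the file is kept at 0400 root:root and removed after use.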


Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Jeffrey Watts
I would hope that the person running the Spacewalk/Satellite server was
competent enough to test out changes to shadow before pushing them...

If the person running your management server is careless you've got bigger
problems.

Jeffrey.

On Wed, Feb 3, 2010 at 10:08 PM, Colin Coe  wrote:

> I get really nervous when people hack around in /etc/shadow.  I've had
> to fix more than one machine after someone who thought they knew what
> they were doing was let loose.
>
>

Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Colin Coe
I get really nervous when people hack around in /etc/shadow.  I've had
to fix more than one machine after someone who thought they knew what
they were doing was let loose.

CC

On 2/4/10, Daniel Wittenberg  wrote:
> Could you just push a script to /etc/cron.daily so it'll run auto, and have 
> it replace the md5 crypted pass in /etc/shadow?  Then you don't have to pass 
> anything in the clear ?
>
> Dan
>
>
> On Feb 3, 2010, at 9:52 PM, Ian Forde wrote:
>
> > On Thu, 2010-02-04 at 10:14 +0800, Colin Coe wrote:
> >> Shouldn't this be
> >>
> >> echo 'new_password' | passwd --stdin root
> >>
> >> You could do this simply with a remote command via the SSM.  Just
> >> remember that this will be in the spacewalk events for those servers
> >> so if you have people with access to spacewalk that shouldn't know the
> >> password, they'll be able to find it out.
> >
> > Actually, for a decent safe option, you can try this as a procedure:
> >
> > 1. Push a new file called /tmp/.newrootpasswd and set it to be root:root
> > and perms 0400.  This file will contain the plaintext of the new
> > password.
> > 2. Use a remote command (since you can make it a script) as such:
> >
> > #!/bin/bash
> > cat /tmp/.newrootpasswd | passwd --stdin
> > rm -f /tmp/.newrootpasswd
> >
> > Unfortunately, Spacewalk (AFAIK) doesn't support file push triggers yet
> > (item #3 in Brainbox), so you can't do it all in one step.  Another way,
> > however, would be to do it all in a script that retrieved the textfile
> > and ran 'passwd --stdin'.  The idea is to keep the password off of the
> > command line.
> >
> > Of course, if the passwd command accepted encrypted passwords when used
> > with stdin, we wouldn't have this issue.  Sort of... (I don't even like
> > putting encrypted strings out there.)
> >
> > From a security perspective, I think it's about finding a safe way to
> > get the password string to the client box, avoiding displaying it on the
> > clients' command line and risking exposure on the filesystem.
> >
> >   -I
> >


-- 
RHCE#805007969328369



Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Daniel Wittenberg
Could you just push a script to /etc/cron.daily so it'll run auto, and have it 
replace the md5 crypted pass in /etc/shadow?  Then you don't have to pass 
anything in the clear ?

Dan


On Feb 3, 2010, at 9:52 PM, Ian Forde wrote:

> On Thu, 2010-02-04 at 10:14 +0800, Colin Coe wrote:
>> Shouldn't this be
>> 
>> echo 'new_password' | passwd --stdin root
>> 
>> You could do this simply with a remote command via the SSM.  Just
>> remember that this will be in the spacewalk events for those servers
>> so if you have people with access to spacewalk that shouldn't know the
>> password, they'll be able to find it out.
> 
> Actually, for a decent safe option, you can try this as a procedure:
> 
> 1. Push a new file called /tmp/.newrootpasswd and set it to be root:root
> and perms 0400.  This file will contain the plaintext of the new
> password.
> 2. Use a remote command (since you can make it a script) as such:
> 
> #!/bin/bash
> cat /tmp/.newrootpasswd | passwd --stdin
> rm -f /tmp/.newrootpasswd
> 
> Unfortunately, Spacewalk (AFAIK) doesn't support file push triggers yet
> (item #3 in Brainbox), so you can't do it all in one step.  Another way,
> however, would be to do it all in a script that retrieved the textfile
> and ran 'passwd --stdin'.  The idea is to keep the password off of the
> command line.
> 
> Of course, if the passwd command accepted encrypted passwords when used
> with stdin, we wouldn't have this issue.  Sort of... (I don't even like
> putting encrypted strings out there.)
> 
> From a security perspective, I think it's about finding a safe way to
> get the password string to the client box, avoiding displaying it on the
> clients' command line and risking exposure on the filesystem.
> 
>   -I
> 


Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Ian Forde
On Thu, 2010-02-04 at 10:14 +0800, Colin Coe wrote:
> Shouldn't this be
> 
> echo 'new_password' | passwd --stdin root
> 
> You could do this simply with a remote command via the SSM.  Just
> remember that this will be in the spacewalk events for those servers
> so if you have people with access to spacewalk that shouldn't know the
> password, they'll be able to find it out.

Actually, for a decent safe option, you can try this as a procedure:

1. Push a new file called /tmp/.newrootpasswd and set it to be root:root
and perms 0400.  This file will contain the plaintext of the new
password.
2. Use a remote command (since you can make it a script) as such:

#!/bin/bash
cat /tmp/.newrootpasswd | passwd --stdin
rm -f /tmp/.newrootpasswd

Unfortunately, Spacewalk (AFAIK) doesn't support file push triggers yet
(item #3 in Brainbox), so you can't do it all in one step.  Another way,
however, would be to do it all in a script that retrieved the textfile
and ran 'passwd --stdin'.  The idea is to keep the password off of the
command line.

Of course, if the passwd command accepted encrypted passwords when used
with stdin, we wouldn't have this issue.  Sort of... (I don't even like
putting encrypted strings out there.)

From a security perspective, I think it's about finding a safe way to
get the password string to the client box, avoiding displaying it on the
clients' command line and risking exposure on the filesystem.

-I



Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Colin Coe
Shouldn't this be

echo 'new_password' | passwd --stdin root

You could do this simply with a remote command via the SSM.  Just
remember that this will be in the spacewalk events for those servers
so if you have people with access to spacewalk that shouldn't know the
password, they'll be able to find it out.

CC

On 2/4/10, Edwind Richzendy Contreras Soto  wrote:
> 2010/2/4 Jeffrey Watts :
> > I think he means /etc/shadow.
>
> Sorry, my mistake, it really is /etc/shadow.
>
> You can send this to execute on all machines (as root):
>
> echo "fedora" |  passwd -d root > /dev/null
>
> and root will then have the password fedora
>
> >  There are several approaches, one would be to
> > script the 'passwd' command, using expect or something like it.  The
> > downside is that you'll need to have the password in plain text in the
> > script.  You could then use Spacewalk to run the script remotely.  This is
> > probably what I'd do, but make sure you test it thoroughly first, as if you
> > screw it up you might make your systems inaccessible.
> >
> > Another option would be to copy the password hash from a system where you've
> > set that password, and then write a script to edit /etc/shadow on a target
> > system and replace the old string with the new one.
> >
> > Finally, if your systems are all homogeneous, you can simply push out a new
> > shadow file with the updated hash.  Most people won't be in this situation.
> >
> > Jeffrey.
> >
> > On Wed, Feb 3, 2010 at 10:51 AM, Edwind Richzendy Contreras Soto
> >  wrote:
> >>
> >> 2010/2/4 Michiel van Es :
> >> > Hi,
> >> >
> >> > Is it possible to change the root password on all machines in a group?
> >> > We want to change the root password for a lot of systems, we thought
> >> > perhaps is spacewalk of some use (since you can install packages, reboot
> >> > the machines)
> >> >
> >> > Is such an option possible through spacewalk?
> >> >
> >> > Kind regards,
> >> >
> >> > Michiel
> >>
> >> if it generates a new file /etc/passwd and charges through the area
> >> concerning configuration files (perhaps your user role does not allow
> >> you to do this) and only select group of systems the option to work
> >> with group and send him to send the configuration file to all
> >> computers SSM.
> >>
> >> Another option is through a small script using sed -i editing the file
> >> /etc/passwd directly on each machine together (SSM).
> >>
> >


-- 
RHCE#805007969328369



Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Edwind Richzendy Contreras Soto
2010/2/4 Jeffrey Watts :
> I think he means /etc/shadow.

Sorry, my mistake, it really is /etc/shadow.

You can send this to execute on all machines (as root):

echo "fedora" |  passwd -d root > /dev/null

and root will then have the password fedora

>  There are several approaches, one would be to
> script the 'passwd' command, using expect or something like it.  The
> downside is that you'll need to have the password in plain text in the
> script.  You could then use Spacewalk to run the script remotely.  This is
> probably what I'd do, but make sure you test it thoroughly first, as if you
> screw it up you might make your systems inaccessible.
>
> Another option would be to copy the password hash from a system where you've
> set that password, and then write a script to edit /etc/shadow on a target
> system and replace the old string with the new one.
>
> Finally, if your systems are all homogeneous, you can simply push out a new
> shadow file with the updated hash.  Most people won't be in this situation.
>
> Jeffrey.
>
> On Wed, Feb 3, 2010 at 10:51 AM, Edwind Richzendy Contreras Soto
>  wrote:
>>
>> 2010/2/4 Michiel van Es :
>> > Hi,
>> >
>> > Is it possible to change the root password on all machines in a group?
>> > We want to change the root password for a lot of systems, we thought
>> > perhaps is spacewalk of some use (since you can install packages, reboot
>> > the machines)
>> >
>> > Is such an option possible through spacewalk?
>> >
>> > Kind regards,
>> >
>> > Michiel
>>
>> if it generates a new file /etc/passwd and charges through the area
>> concerning configuration files (perhaps your user role does not allow
>> you to do this) and only select group of systems the option to work
>> with group and send him to send the configuration file to all
>> computers SSM.
>>
>> Another option is through a small script using sed -i editing the file
>> /etc/passwd directly on each machine together (SSM).
>>
>


Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Jeffrey Watts
I think he means /etc/shadow.  There are several approaches, one would be to
script the 'passwd' command, using expect or something like it.  The
downside is that you'll need to have the password in plain text in the
script.  You could then use Spacewalk to run the script remotely.  This is
probably what I'd do, but make sure you test it thoroughly first, as if you
screw it up you might make your systems inaccessible.

Another option would be to copy the password hash from a system where you've
set that password, and then write a script to edit /etc/shadow on a target
system and replace the old string with the new one.

Finally, if your systems are all homogeneous, you can simply push out a new
shadow file with the updated hash.  Most people won't be in this situation.

Jeffrey.

On Wed, Feb 3, 2010 at 10:51 AM, Edwind Richzendy Contreras Soto <
richze...@gmail.com> wrote:

> 2010/2/4 Michiel van Es :
> > Hi,
> >
> > Is it possible to change the root password on all machines in a group?
> > We want to change the root password for a lot of systems, we thought
> > perhaps is spacewalk of some use (since you can install packages, reboot
> > the machines)
> >
> > Is such an option possible through spacewalk?
> >
> > Kind regards,
> >
> > Michiel
>
> if it generates a new file /etc/passwd and charges through the area
> concerning configuration files (perhaps your user role does not allow
> you to do this) and only select group of systems the option to work
> with group and send him to send the configuration file to all
> computers SSM.
>
> Another option is through a small script using sed -i editing the file
> /etc/passwd directly on each machine together (SSM).
>
>

Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Bushby, Bruce (London)(c)
 
Maybe schedule a script that does: echo "root:" | chpasswd



-Original Message-
From: spacewalk-list-boun...@redhat.com
[mailto:spacewalk-list-boun...@redhat.com] On Behalf Of Michiel van Es
Sent: 03 February 2010 16:39
To: spacewalk-list@redhat.com
Subject: [Spacewalk-list] change root password for all machines in a
group

Hi,

Is it possible to change the root password on all machines in a group?
We want to change the root password for a lot of systems, we thought
perhaps is spacewalk of some use (since you can install packages, reboot
the machines)

Is such an option possible through spacewalk?

Kind regards,

Michiel



Re: [Spacewalk-list] change root password for all machines in a group

2010-02-03 Thread Edwind Richzendy Contreras Soto
2010/2/4 Michiel van Es :
> Hi,
>
> Is it possible to change the root password on all machines in a group?
> We want to change the root password for a lot of systems, we thought
> perhaps is spacewalk of some use (since you can install packages, reboot the
> machines)
>
> Is such an option possible through spacewalk?
>
> Kind regards,
>
> Michiel

if it generates a new file /etc/passwd and charges through the area
concerning configuration files (perhaps your user role does not allow
you to do this) and only select group of systems the option to work
with group and send him to send the configuration file to all
computers SSM.

Another option is through a small script using sed -i editing the file
/etc/passwd directly on each machine together (SSM).

