I get really nervous when people hack around in /etc/shadow. I've had to fix more than one machine after someone who thought they knew what they were doing was let loose.
CC

On 2/4/10, Daniel Wittenberg <dwittenberg2...@gmail.com> wrote:
> Could you just push a script to /etc/cron.daily so it'll run auto, and have
> it replace the md5 crypted pass in /etc/shadow? Then you don't have to pass
> anything in the clear ?
>
> Dan
>
>
> On Feb 3, 2010, at 9:52 PM, Ian Forde wrote:
>
> > On Thu, 2010-02-04 at 10:14 +0800, Colin Coe wrote:
> >> Shouldn't this be
> >>
> >> echo 'new_password' | passwd --stdin root
> >>
> >> You could do this simply with a remote command via the SSM. Just
> >> remember that this will be in the spacewalk events for those servers
> >> so if you have people with access to spacewalk that shouldn't know the
> >> password, they'll be able to find it out.
> >
> > Actually, for a decent safe option, you can try this as a procedure:
> >
> > 1. Push a new file called /tmp/.newrootpasswd and set it to be root:root
> > and perms 0400. This file will contain the plaintext of the new
> > password.
> > 2. Use a remote command (since you can make it a script) as such:
> >
> > #!/bin/bash
> > cat /tmp/.newrootpasswd | passwd --stdin
> > rm -f /tmp/.newrootpasswd
> >
> > Unfortunately, Spacewalk (AFAIK) doesn't support file push triggers yet
> > (item #3 in Brainbox), so you can't do it all in one step. Another way,
> > however, would be to do it all in a script that retrieved the textfile
> > and ran 'passwd --stdin'. The idea is to keep the password off of the
> > command line.
> >
> > Of course, if the passwd command accepted encrypted passwords when used
> > with stdin, we wouldn't have this issue. Sort of... (I don't even like
> > putting encrypted strings out there.)
> >
> > From a security perspective, I think it's about finding a safe way to
> > get the password string to the client box, avoiding displaying it on the
> > clients' command line and risking exposure on the filesystem.
> >
> > -I
> >
> > _______________________________________________
> > Spacewalk-list mailing list
> > Spacewalk-list@redhat.com
> > https://www.redhat.com/mailman/listinfo/spacewalk-list

--
RHCE#805007969328369
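An added example, not code from any poster in this thread: a variant of the pushed-file procedure in which the file holds a crypt(3) hash instead of plaintext, checked before use and applied through a pipe so nothing appears in a process argument list. It assumes `chpasswd -e` from shadow-utils and GNU `stat`; the function names and the `--apply` switch are hypothetical.

```shell
#!/bin/sh
# Added example: set root's password from a pre-hashed value in a root-only file.
# The file path follows the thread's /tmp/.newrootpasswd; function names are hypothetical.

# Print the hash on stdout if the file is safe to use; return non-zero otherwise.
read_valid_hash() {
    f=$1
    # Refuse symlinks and anything that is not a regular file.
    [ ! -L "$f" ] && [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    # Owner must be the invoking user (root in production), mode exactly 0400.
    meta=$(stat -c '%u %a' "$f") || return 1
    [ "$meta" = "$(id -u) 400" ] || { echo "bad owner/mode on $f: $meta" >&2; return 1; }
    # Only the first line is used.
    hash=
    IFS= read -r hash < "$f" || [ -n "$hash" ] || { echo "empty file: $f" >&2; return 1; }
    # Accept only crypt(3) MD5/SHA-256/SHA-512 strings, so plaintext or a
    # stray ':' can never reach chpasswd.
    printf '%s\n' "$hash" |
        grep -Eq '^\$[156]\$(rounds=[0-9]+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]+$' ||
        { echo "not a crypt(3) hash: $f" >&2; return 1; }
    printf '%s\n' "$hash"
}

set_root_from_file() {
    f=$1
    hash=$(read_valid_hash "$f") || return 1
    # printf is a shell builtin: the hash travels through a pipe, not a process argv.
    printf 'root:%s\n' "$hash" | chpasswd -e || return 1
    # Remove the pushed file only after the change succeeded.
    rm -f -- "$f"
}

# Runs only when asked, e.g.:  sh setroot.sh --apply /tmp/.newrootpasswd
if [ "${1:-}" = "--apply" ]; then
    set_root_from_file "${2:?hash file required}"
fi
```

The hash still reaches the client as a file and still shows up wherever the pushed file is stored or logged, so the access concerns raised in the thread about Spacewalk events apply to it as well.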