[Spacewalk-list] change root password for all machines in a group
Daniel Wittenberg
dwittenberg2008 at gmail.com
Thu Feb 4 03:58:57 UTC 2010
Could you just push a script to /etc/cron.daily so it'll run auto, and have it replace the md5 crypted pass in /etc/shadow? Then you don't have to pass anything in the clear?
Dan
On Feb 3, 2010, at 9:52 PM, Ian Forde wrote:
> On Thu, 2010-02-04 at 10:14 +0800, Colin Coe wrote:
>> Shouldn't this be
>>
>> echo 'new_password' | passwd --stdin root
>>
>> You could do this simply with a remote command via the SSM. Just
>> remember that this will be in the spacewalk events for those servers
>> so if you have people with access to spacewalk that shouldn't know the
>> password, they'll be able to find it out.
>
> Actually, for a decent safe option, you can try this as a procedure:
>
> 1. Push a new file called /tmp/.newrootpasswd and set it to be root:root
> and perms 0400. This file will contain the plaintext of the new
> password.
> 2. Use a remote command (since you can make it a script) as such:
>
> #!/bin/bash
> cat /tmp/.newrootpasswd | passwd --stdin
> rm -f /tmp/.newrootpasswd
>
> Unfortunately, Spacewalk (AFAIK) doesn't support file push triggers yet
> (item #3 in Brainbox), so you can't do it all in one step. Another way,
> however, would be to do it all in a script that retrieved the textfile
> and ran 'passwd --stdin'. The idea is to keep the password off of the
> command line.
>
> Of course, if the passwd command accepted encrypted passwords when used
> with stdin, we wouldn't have this issue. Sort of... (I don't even like
> putting encrypted strings out there.)
>
> From a security perspective, I think it's about finding a safe way to
> get the password string to the client box, avoiding displaying it on the
> clients' command line and risking exposure on the filesystem.
>
> -I
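An added example, not code from anyone in this thread: one way to do the /etc/shadow hash replacement suggested at the top of this message, with the hash read from stdin (as with `passwd --stdin`) so it stays off the command line. The function name `set_shadow_hash`, its arguments and the idea of feeding it from a root-only file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function name and argument order
# are assumptions made for illustration.
#
# set_shadow_hash USER [FILE] < file-containing-one-crypt-hash
# Replaces the password-hash field (field 2) of USER in a shadow-format FILE
# (default /etc/shadow). The hash arrives on stdin, so it never appears in a
# process argument list.
set_shadow_hash() (
    LC_ALL=C; export LC_ALL
    user=$1
    file=${2:-/etc/shadow}
    IFS= read -r hash || [ -n "$hash" ] || { echo "no hash on stdin" >&2; return 2; }

    # Accept only crypt(3)-style strings ($id$salt$hash). A ':' or any other
    # stray character would corrupt the colon-separated record.
    case $hash in
        *[!./A-Za-z0-9\$=,]*) echo "bad character in hash" >&2; return 2 ;;
        \$?*\$?*) ;;
        *) echo "not a crypt(3) hash" >&2; return 2 ;;
    esac

    # Build the new file next to the old one so the final rename is atomic
    # and an interrupted run cannot leave a half-written shadow file.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }   # inherit owner and mode

    # The values reach awk through its environment, not its argv.
    if U=$user H=$hash awk -F: -v OFS=: '
            $1 == ENVIRON["U"] { $2 = ENVIRON["H"]; found = 1 }
            { print }
            END { exit !found }' "$file" > "$tmp"
    then
        mv -f "$tmp" "$file"
        # On SELinux hosts, reset the label of the replaced file.
        if command -v restorecon >/dev/null 2>&1; then
            restorecon "$file" 2>/dev/null || true
        fi
    else
        rm -f "$tmp"
        echo "user not found: $user" >&2
        return 3
    fi
)
```

This function does not take the lock that `passwd` and `chpasswd` hold while editing the shadow file; where `chpasswd -e` is available, piping `root:<hash>` into it does the same job without editing the file directly. The hash is still sensitive material, so the file that carries it should be root-only and removed after use, as in the procedure quoted above.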