[Spacewalk-list] change root password for all machines in a group

Daniel Wittenberg dwittenberg2008 at gmail.com
Thu Feb 4 03:58:57 UTC 2010


Could you just push a script to /etc/cron.daily so it'll run auto, and have it replace the md5 crypted pass in /etc/shadow?  Then you don't have to pass anything in the clear?

Dan


On Feb 3, 2010, at 9:52 PM, Ian Forde wrote:

> On Thu, 2010-02-04 at 10:14 +0800, Colin Coe wrote:
>> Shouldn't this be
>> 
>> echo 'new_password' | passwd --stdin root
>> 
>> You could do this simply with a remote command via the SSM.  Just
>> remember that this will be in the spacewalk events for those servers
>> so if you have people with access to spacewalk that shouldn't know the
>> password, they'll be able to find it out.
> 
> Actually, for a decent safe option, you can try this as a procedure:
> 
> 1. Push a new file called /tmp/.newrootpasswd and set it to be root:root
> and perms 0400.  This file will contain the plaintext of the new
> password.
> 2. Use a remote command (since you can make it a script) as such:
> 
> #!/bin/bash
> cat /tmp/.newrootpasswd | passwd --stdin
> rm -f /tmp/.newrootpasswd
> 
> Unfortunately, Spacewalk (AFAIK) doesn't support file push triggers yet
> (item #3 in Brainbox), so you can't do it all in one step.  Another way,
> however, would be to do it all in a script that retrieved the textfile
> and ran 'passwd --stdin'.  The idea is to keep the password off of the
> command line.
> 
> Of course, if the passwd command accepted encrypted passwords when used
> with stdin, we wouldn't have this issue.  Sort of... (I don't even like
> putting encrypted strings out there.)
> 
> From a security perspective, I think it's about finding a safe way to
> get the password string to the client box, avoiding displaying it on the
> clients' command line and risking exposure on the filesystem.
> 
> 	-I
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
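
The two ideas in this thread (replacing the crypted value rather than sending plaintext, and a passwd that would accept an encrypted string on stdin) can be combined with chpasswd -e, which takes an already-hashed password. The script below is an added example, not code from the thread or from Spacewalk: the function names are hypothetical, and it assumes the hash was generated offline and pushed as the root-owned, mode 0400 file from step 1, holding a crypt(3) hash instead of the plaintext.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical; the
# default path is the thread's file, here holding a crypt(3) hash, not plaintext.

matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Print the scheme of a shadow-format hash; fail on anything else.
hash_scheme() {
    # Reject ':' and newlines first: either one would add fields or extra
    # user:hash records to the input handed to chpasswd.
    case "$1" in ''|*[!A-Za-z0-9./=\$]*) return 1 ;; esac
    if   matches "$1" '^\$6\$(rounds=[0-9]+\$)?[A-Za-z0-9./]{1,16}\$[A-Za-z0-9./]{86}$'; then echo sha512
    elif matches "$1" '^\$5\$(rounds=[0-9]+\$)?[A-Za-z0-9./]{1,16}\$[A-Za-z0-9./]{43}$'; then echo sha256
    elif matches "$1" '^\$1\$[A-Za-z0-9./]{1,8}\$[A-Za-z0-9./]{22}$'; then echo md5
    else return 1
    fi
}

# Succeed only for a regular, non-symlink file with mode 400 or 600.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Set root's password from the hash in file $1, then delete the file.
apply_root_hash() {
    f=$1
    [ "$(id -u)" = 0 ] || { echo "must run as root" >&2; return 1; }
    secret_file_ok "$f" && [ "$(stat -c '%u' "$f")" = 0 ] ||
        { echo "refusing $f: want root-owned, mode 0400" >&2; return 1; }
    IFS= read -r hash < "$f" || [ -n "$hash" ]
    rm -f "$f"                      # remove the file whether or not it is usable
    scheme=$(hash_scheme "$hash") || { echo "not a crypt(3) hash" >&2; return 1; }
    [ "$scheme" = md5 ] && echo "warning: MD5-crypt hash, prefer sha512" >&2
    # -e tells chpasswd the value is already hashed, so no plaintext is involved.
    printf 'root:%s\n' "$hash" | chpasswd -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_root_hash "${2:-/tmp/.newrootpasswd}"
fi
```

Run as the remote command with --apply; the hash still appears in the pushed file's history, so access to that configuration channel needs the same restriction as access to /etc/shadow.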
