[Spacewalk-list] change root password for all machines in a group
Colin Coe
colin.coe at gmail.com
Thu Feb 4 04:08:43 UTC 2010
I get really nervous when people hack around in /etc/shadow. I've had
to fix more than one machine after someone who thought they knew what
they were doing was let loose.
CC
On 2/4/10, Daniel Wittenberg <dwittenberg2008 at gmail.com> wrote:
> Could you just push a script to /etc/cron.daily so it'll run auto, and have it replace the md5 crypted pass in /etc/shadow? Then you don't have to pass anything in the clear ?
>
> Dan
>
>
> On Feb 3, 2010, at 9:52 PM, Ian Forde wrote:
>
> > On Thu, 2010-02-04 at 10:14 +0800, Colin Coe wrote:
> >> Shouldn't this be
> >>
> >> echo 'new_password' | passwd --stdin root
> >>
> >> You could do this simply with a remote command via the SSM. Just
> >> remember that this will be in the spacewalk events for those servers
> >> so if you have people with access to spacewalk that shouldn't know the
> >> password, they'll be able to find it out.
> >
> > Actually, for a decent safe option, you can try this as a procedure:
> >
> > 1. Push a new file called /tmp/.newrootpasswd and set it to be root:root
> > and perms 0400. This file will contain the plaintext of the new
> > password.
> > 2. Use a remote command (since you can make it a script) as such:
> >
> > #!/bin/bash
> > cat /tmp/.newrootpasswd | passwd --stdin
> > rm -f /tmp/.newrootpasswd
> >
> > Unfortunately, Spacewalk (AFAIK) doesn't support file push triggers yet
> > (item #3 in Brainbox), so you can't do it all in one step. Another way,
> > however, would be to do it all in a script that retrieved the textfile
> > and ran 'passwd --stdin'. The idea is to keep the password off of the
> > command line.
> >
> > Of course, if the passwd command accepted encrypted passwords when used
> > with stdin, we wouldn't have this issue. Sort of... (I don't even like
> > putting encrypted strings out there.)
> >
> >> From a security perspective, I think it's about finding a safe way to
> > get the password string to the client box, avoiding displaying it on the
> > clients' command line and risking exposure on the filesystem.
> >
> > -I
> >
> > _______________________________________________
> > Spacewalk-list mailing list
> > Spacewalk-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/spacewalk-list
>
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
--
RHCE#805007969328369
More information about the Spacewalk-list
mailing list