[Spacewalk-list] Deploy a root password change

Andy Ingham andy.ingham at duke.edu
Wed Aug 26 13:31:03 UTC 2015


My suggestion would be *ansible*…

From a post I sent back in April, the following has worked quite well for us:


Changing root passwords across the plant via ansible:

    Create a pseudo-random salt to use for the password hashing:
     [root@HOSTXYZ ~]# python
     >>> import os
     >>> os.urandom(32).encode('base_64')
     '+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/NpLcyJDE=\n'

    The output of the step above provides the INPUT for the next set of commands (see right AFTER "$1$" below)
    Create a hash of the new password using python's crypt function (see also http://mjanja.co.ke/2013/01/generate-salted-shadow-hashes-using-python-crypt/ ).  E.g.:
     >>> import crypt
     >>> crypt.crypt("mysupertoughpassword",'$1$+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/NpLcyJDE=\n')
     '$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0'
     >>> quit()

    The output of the step above allows for the needed INPUT to ansible below:
     ansible HOSTS_LISTED_HERE -m user -a 'name=root password=$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0' -K --sudo


From:  <spacewalk-list-bounces at redhat.com> on behalf of J Epperson
<spacewalk at epperson.homelinux.net>
Reply-To:  "Spacewalk-list at redhat.com" <Spacewalk-list at redhat.com>
Date:  Tuesday, August 25, 2015 at 8:57 PM
To:  "Spacewalk-list at redhat.com" <Spacewalk-list at redhat.com>
Subject:  Re: [Spacewalk-list] Deploy a root password change

I've always done this with "usermod -p", using the crypted password string.
But that's probably not actually any more secure than echoing to "passwd
--stdin".

 

 
On 2015-08-25 16:50, Steve Meier wrote:
> Hello,
> 
> using sed on your /etc/shadow is a very harsh way to do it. On Red Hat
> the passwd command supports the --stdin parameter which is much cleaner
> 
> echo supersecret | passwd --stdin root
> 
> Run this as a remote action and you are good.
> 
> Alternatively, you can create a dummy RPM where this is a %post action
> and deploy this RPM. This should work as well and the version of that
> dummy RPM will actually give you a hint on which of your rotated
> passwords
> it is.
> 
> Kind regards,
>    Steve
> 
> On 2015-08-25 22:24, Justin Edmands wrote:
>> You change the root pw on one machine, grab the /etc/shadow entry, and sed
>> replace the root line in the shadow file into a remote command to whatever
>> systems you need to change.
>>> On Aug 25, 2015, at 4:13 PM, Franky Van Liedekerke <liedekef at telenet.be> wrote:
>>> On Tue, 25 Aug 2015 19:45:06 +0000 "Armstrong, Kenneth Lawrence (SYSADMIN)" <klarmstrong2 at liberty.edu> wrote:
>>>> Is there a way to deploy a root password change to a group of servers in
>>>> Satellite 5.6? I imagine something like this might be possible in Satellite
>>>> 6.x, but we don't have that deployed yet.
>>> Since spacewalk only has the root-pwd there for kickstart I don't think that
>>> is possible. I don't know if this helps, but: loop through your servers, do
>>> sudo and:
>>> echo "root:newpass"|chpasswd
>>> I know, it is not the config-method you're looking for (puppet, ansible),
>>> but sometimes the simplest things are sufficient too ...
>>> Franky
>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
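
Added example, not part of the original post and not code from Spacewalk or Ansible: a check to run on a crypt(3) hash string before handing it to the `user` module as in the message above. It shows how much of the salt argument from the post crypt() actually kept, and reports the scheme and salt alphabet; the function names and the `SCHEMES` table are assumptions made for this example.

```python
import re

# Scheme id -> (name, max salt chars crypt() uses, acceptable for new hashes).
SCHEMES = {
    "1": ("md5crypt", 8, False),
    "5": ("sha256crypt", 16, True),
    "6": ("sha512crypt", 16, True),
}
SALT_ALPHABET = re.compile(r"[./0-9A-Za-z]*")


def effective_salt(salt_argument):
    """Return the salt characters crypt() keeps from a '$id$salt' argument."""
    fields = salt_argument.split("$", 2)
    if len(fields) != 3 or fields[0] or fields[1] not in SCHEMES:
        raise ValueError("expected a '$id$salt' argument")
    rest = fields[2]
    # 'rounds=N$' is an optional leading field for $5$ and $6$ only.
    if fields[1] != "1" and rest.startswith("rounds=") and "$" in rest:
        rest = rest.split("$", 1)[1]
    return rest.split("$", 1)[0][:SCHEMES[fields[1]][1]]


def inspect_hash(value):
    """Describe a '$id$[rounds=N$]salt$digest' string before it is deployed."""
    fields = value.split("$")
    if len(fields) < 4 or fields[0] or fields[1] not in SCHEMES:
        raise ValueError("not a recognised $id$salt$digest string")
    name, max_len, ok_for_new = SCHEMES[fields[1]]
    body, rounds = fields[2:], None
    if fields[1] != "1" and body[0].startswith("rounds="):
        rounds, body = int(body[0][len("rounds="):]), body[1:]
    if len(body) != 2 or not body[1]:
        raise ValueError("expected exactly one salt and one digest field")
    salt, warnings = body[0], []
    if not ok_for_new:
        warnings.append("%s is a legacy scheme" % name)
    if len(salt) > max_len:
        warnings.append("salt exceeds %d characters" % max_len)
    if not SALT_ALPHABET.fullmatch(salt):
        warnings.append("salt has characters outside [./0-9A-Za-z]")
    return {"scheme": name, "rounds": rounds, "salt": salt, "warnings": warnings}


if __name__ == "__main__":
    # Both inputs are the values shown in the post above.
    print(effective_salt("$1$+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/NpLcyJDE=\n"))
    print(inspect_hash("$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0"))
```

For the values in the post, only the first 8 characters of the base64 string end up as the salt, which matches the `$1$+Ks4YQAw$...` output shown there.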

