Currently our process consists of logging into each *nix server and manually changing the password for each. My question is, what is a good way to automate this? I'm thinking of possibly a couple different ways to do this and would like input from others on what they recommend, use, etc.

One way I was thinking is a text file with a list of servers that need the password change and a script that prompts the user for the new password, stores it temporarily in the script and then remote connects into each server and runs the commands. Having a check to make sure the server is reachable or a timeout on the remote connection would be a good idea. Then have output to the console so the person running the script can see what servers were successful and which ones were not.

I was trying to think of another fully automated solution, but couldn't think of a good way to securely store the new password. Plus it is not a huge deal to me to have some user interaction and have to manually start the script as we only would need to do this 6 times a year.

Any thoughts, help, ideas would be greatly appreciated.

A: 

You should compute whatever hash your servers compute on a password and send the passwords in this secured, hashed form, ready to put into /etc/shadow.

I do not know however how to do that in practice.

pajton
Thanks for the reply Pajton! Will each server compute the hash the same way? If not this would seem to me to be a pretty involved process to figure out the hash for each server and have a separate shadow file to replace on every server. I would like to get away from something like that due to the complexities involved. Especially since I will be passing my work on this off to sub-noobs. :)
Webs
I believe that this is configurable, so each server could use the same way of computing the hash (especially if they just use the default config and are the same OSes). For instance for Apache, there is a tool `htpasswd` that computes hashes on passwords which you then add to a password file (equivalent of `/etc/shadow`). So, I think there should be something similar for system passwords too.
pajton
OK thanks, I will give that another look.
Webs
A: 
openssl passwd -1 $rootpw

Where $rootpw holds the string that will be your root password.

This will output a crypted string that you can just put in the file or whatever. I use this on a script that sets up virtual server instances that are provisioned from a database. I compute this hash before sending it over the network so the script that sets up the server can just use this hash instead of having to send it plain text.

To answer your question, each server would compute the hash slightly differently and result in a different hash, but all of those hashes would equate to the same password. You could use any one of these hashes and they would be functionally equivalent when used on any server, even though the actual content of the hash is different.

For example, I hashed foobar and these are the results:

rootpw=foobar
openssl passwd -1 $rootpw
$1$6pXamKGD$TKQqON1prArop7DpLOyAk1

openssl passwd -1 $rootpw
$1$4A4Mn16f$P7ap2AqNMRK8m72bG/Bve0

openssl passwd -1 $rootpw
$1$DyhsWEMX$i2wH6JpAqoHNFZ0YOBVHj/

openssl passwd -1 $rootpw
$1$m27FIj5e$LZPxVniAeUoZcuUoNHK8c/

openssl passwd -1 $rootpw
$1$qdX0NKm1$45rzxUj..LCJwWB/.fwGH0

Each of those hashes is different even when computed on the same machine, but any of them can be used to equate to the password 'foobar' on any machine.

So just open /etc/shadow and paste that in there where you find the line:

root:$1$qdX0NKm1$45rzxUj..LCJwWB/.fwGH0:14415:0:99999:7:::

In my script I explode it at the :'s and update element [1] then concatenate the array back to a string and replace the string in the file. You can do it differently if you want, especially if you know the old value (which you can get by exploding it into an array).

I know this question is a few months old so you probably figured it out, but I'm putting this out there for any future googlers coming along and finding this.

C4colo
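The splice step that answer describes (split the shadow line at the colons, replace the hash field, write the line back), as an added POSIX sh example that is not part of the original answers; it assumes the crypt string was already produced with `openssl passwd -1` and takes the file path, user name and hash as arguments.

```shell
#!/bin/sh
# Added example: put a pre-computed crypt(3) hash into the matching /etc/shadow
# line. Usage: set_shadow_hash <shadow-file> <user> <crypt-hash>
set -u

set_shadow_hash() {
    shadow=$1; user=$2; hash=$3
    # Accept only the $id$salt$digest shape, so an empty string or a plain-text
    # password pasted by mistake cannot end up as the "hash" of the account.
    case $hash in
        \$[0-9a-z]*\$*\$*) ;;
        *) echo "refusing value that is not a \$id\$salt\$digest string" >&2; return 2 ;;
    esac
    # Fail if the user has no entry rather than silently changing nothing.
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$shadow" \
        || { echo "no entry for $user in $shadow" >&2; return 3; }
    tmp=$(mktemp) || return 1
    # Field 2 is the hash; field 3 is the last-change day (days since the epoch),
    # which passwd(1) also updates. All other fields are preserved as-is.
    today=$(( $(date +%s) / 86400 ))
    awk -F: -v OFS=: -v u="$user" -v h="$hash" -v d="$today" \
        '$1 == u { $2 = h; $3 = d } { print }' "$shadow" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its ownership and mode are kept.
    cat "$tmp" > "$shadow" && rm -f "$tmp"
}
```

When generating the hash, `openssl passwd -1 -stdin` reads the password from standard input instead of the command line, which keeps it out of the process list and shell history.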