SUMMARY Part II: changing root password

From: Leo Crombach (lcrombach@tropel.com)
Date: Mon Mar 09 1998 - 16:21:18 CST


A couple of people have requested some of the information that I received
regarding the methods to update the root password on a large number of
workstations. Following are some of the more detailed responses. My
apologies for not including this information in my first summary.

*************************************************************************
From Michael Sullivan:

Use the passmass script that comes with expect.
For information about expect see: http://expect.nist.gov/

*************************************************************************
From Karl Vogel:

 Your best bet is to get the "expect" package. You can automate any
 interactive process with it.

   ftp://ftp.cme.nist.gov/pub/subject/expect/expect.tar.gz
   ftp://ftp.cme.nist.gov/pub/subject/expect/tcl.tar.gz

*************************************************************************
From David Thorburn-Gundlach:

I'd probably cheat and paste (with sed) a pre-encrypted passwd into
the pass field in root's entry in the shadow file, but I'm lazy. If I
really wanted to do it right, I'd get expect (if I didn't have it
already) and write a script to do it, thereby generating a fresh
encryption for each machine as an added bonus.

Note that the latter method is required in an instance where you have
more than just the pass field in /etc/shadow, as in a secure NIS+
environment...

*************************************************************************
From Ozgur Erk:

First I will put a .rhosts in root's home directory in all clients (by
hand unfortunately). That file would certainly contain my computer's name.
Then I would be able to do anything I like with scripts like this:

#!/usr/bin/sh
#TIMESET of mycompany

Erlog=/tmp/log1          #Fixed, world-writable location: a symlink planted
cp /dev/null $Erlog      #here by another user would be followed
exec >>$Erlog 2>&1

for host in `cat /timehosts`   #Sorry, you need to write the names of all
                               #hosts in this file, one per line
do
        if ping $host 1 >/dev/null     #Solaris ping: "ping host timeout"
        then
                TIME=`date '+%m%d%H%M'`
                echo $host
                rsh -n $host "date $TIME"
                         #This is the point. Write anything between "" and
                         #see it executed on all the other computers.
        fi
done

mailx -s "TIME" sysadm < $Erlog

*************************************************************************
From Nicky Ayoub:

If you know perl, rsh is enabled for root on the 80+, and a shared mount
point ( like your home ) exists on the 80+, then you could write a script
that searches for ^root: and replaces the second ":" delimited field with a
password already generated.

#!/bin/perl -i.orig
# -i.orig: edit the file named on the command line in place, keeping a
# .orig copy.  (-p is not used here because the explicit loop below
# already reads and prints every line itself.)
$newpass = "sdfvs23.242";   # this value is generated by using passwd on one
                            # system, then copied from that system's shadow
while (<>) {
    if (/^root:/) {
        @root = split(':');         # last field keeps its newline, so
        $root[1] = $newpass;        # join() below needs no extra "\n"
        print join(':', @root);
    } else {
        print $_;
    }
}

NOTE: This was all typed by memory without testing!!!! Please use this as a
template to begin creating the script you need. You could actually have it
open /etc/passwd rather than using stdin like I have. I just wanted to give
you the idea. I remember having a shorter one about 3 years back to do the
same thing but my perl is rusty now... I'll look around for it.

*************************************************************************
From Kurt Werth:

Assuming that you're going to make the password the same on
all of the machines, and that they are all standalones, you
could do this: Make 1 machine trusted to all the rest and rsh
a command out to each machine to replace the old encrypted string
with the new using vi, ie:

        rsh sun1 "vipw /etc/passwd </home/user/vi.script"
        
where vi.script looks something like this:

        " ex-style commands; lines beginning with " are comments.
        " Anchor on ^root: so a line such as "nonroot:" or a home dir of
        " /root is left alone, and replace the whole second field in one
        " step instead of moving the cursor and deleting 14 characters
        " (which assumed the old hash was exactly 13 characters long).
        " '#' delimits the pattern because a crypt(3) string may contain '/'.
        :g/^root:/s#^root:[^:]*:#root:new_encrypted_string:#
        :wq!

Of course you'll need to replace "passwd" with "shadow" above
if you're doing this on a solaris machine. You may also want to
make a copy of the old passwd/shadow file just in case.
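The step that David's sed paste, Nicky's perl script and Kurt's vi script each perform (replacing only the password field of root's shadow entry) and the rsh push loop that Kurt and Ozgur describe, written as an added example in POSIX sh. This is not code from any of the posters above. The function names, the RSH/RCP overrides, the hosts-file argument and the /tmp file name are assumptions made for the example; the hash values in the comments are placeholders, not real crypt(3) output.

```shell
#!/bin/sh
# Added example (not from any of the posters above): replace root's password
# field in a shadow-format file with a check before the file is swapped in,
# then push the same edit to every host over the rsh trust the posters set
# up with .rhosts.  Function names, RSH/RCP overrides and the /tmp path are
# hypothetical choices for this example.

# root_hash_of FILE : print the current password field of root's entry
root_hash_of() {
    awk -F: '$1 == "root" { print $2 }' "$1"
}

# set_root_hash FILE HASH : rewrite only field 2 of the line whose first
# field is "root", keeping FILE.orig.  Refuses (exit 1, FILE untouched)
# unless there is exactly one root entry and the rewritten copy has the
# same line count, so a bad pattern cannot silently wipe or duplicate
# accounts on 80 machines at once.
set_root_hash() {
    file=$1; hash=$2
    tmp="$file.new.$$"

    n=$(grep -c '^root:' "$file" 2>/dev/null)
    if [ "${n:-0}" -ne 1 ]; then
        echo "set_root_hash: expected 1 root entry in $file, found ${n:-0}" >&2
        return 1
    fi

    # awk -v passes the hash as data, so '/', '.' and '$' need no escaping
    # (crypt(3) output never contains a backslash, which -v would interpret),
    # and the match is on field 1, so "nonroot" is never touched.
    awk -F: -v OFS=: -v h="$hash" '$1 == "root" { $2 = h } { print }' \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    before=$(wc -l < "$file" | tr -d ' ')
    after=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$before" -ne "$after" ]; then
        echo "set_root_hash: line count changed, refusing" >&2
        rm -f "$tmp"; return 1
    fi

    cp -p "$file" "$file.orig" && mv "$tmp" "$file"
}

# push_root_hash HOSTFILE HASH : copy this script to each host listed (one
# per line), source it there and run set_root_hash over /etc/shadow.
# RSH and RCP can be overridden, e.g. RSH="echo rsh" RCP="echo rcp" for a
# dry run that only prints what would be executed.
# Caveats: the hash is on the remote command line (visible in ps) while the
# command runs, and /tmp/setroot.$$ is a predictable name in a shared
# directory; on hosts with untrusted local users use a private directory.
push_root_hash() {
    hosts=$1; hash=$2
    rsh_cmd=${RSH:-rsh}; rcp_cmd=${RCP:-rcp}
    fail=0
    while read host; do
        [ -z "$host" ] && continue
        if $rcp_cmd "$0" "$host:/tmp/setroot.$$" &&
           $rsh_cmd -n "$host" ". /tmp/setroot.$$ && set_root_hash /etc/shadow '$hash'; s=\$?; rm -f /tmp/setroot.$$; exit \$s"
        then
            echo "$host: ok"
        else
            echo "$host: FAILED" >&2; fail=1
        fi
    done < "$hosts"
    return $fail
}
```

Usage on the trusted host: `. ./setroot.sh; set_root_hash /tmp/shadow.copy 'new_encrypted_string'` to try the edit on a copy first, then `push_root_hash /etc/roothosts 'new_encrypted_string'` (hosts file and hash are yours to supply). The line-count and single-entry checks are the mechanical version of Rich's warning below: the script would rather do nothing than do the wrong thing on every machine.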

*************************************************************************
Finally, from Rich Pieri - some sound advice:

I would do it manually, because a bug that created the wrong password data,
or corrupted the password file, on 80+ machines would be catastrophic. I
would not want to risk that.

****************************************************************

Leo Crombach                System / Network Administrator
Tropel Corporation          Phone: (716) 388-3566
60 O'Connor Road            Email: lcrombach@tropel.com
Fairport, New York 14450    URL: http://www.tropel.com

****************************************************************



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:33 CDT