Hi,

Thanks for all the help - I've included most of the good responses below. In particular Mike Salehi and Simon Burr put a lot of effort into their scripts.

Many asked why we need a root password at all if the system admins don't need it - well, I don't understand it myself why Cisco's Netflow application requires it, and this application would fail to generate the network utilization report if the root password expires. I guess the scripts provided by Mike and Simon to modify /etc/shadow will extend the root password's expiry by another 30 days (i.e. the number of days it currently took to expire the root password after a new password had been set).

My colleague was teasing me that the Netflow application running on AIX would still generate reports despite the root password on AIX having expired - well, I'm not sure if I should believe him as he's probably an AIX advocate.

Thanks
G Sun

====================================================

From: Mike Salehi

OK, here is my code; you need to strip out a lot you do not need. In this script I have all the passwords, encrypt each one and check it against the shadow file to see if it's OK.

#!/usr/bin/perl
# Reads "node password" pairs from the file named on the command line,
# fetches root's /etc/shadow entry from each node and reports whether
# the clear-text password in the file still matches the hash on the node.
$pass = $ARGV[0];
open(PASS, "$pass") || die("Cannot open $pass");
while ($line = <PASS>) {
    chomp($line);
    @info_file   = split(/ /, $line);
    $node        = $info_file[0];
    $passwd_file = $info_file[1];
    # Anchor on "^root:" so users such as "nonroot" cannot match.
    $actual_passwd = `/apps/ektools/bin/rcmd -g $node grep '^root:' /etc/shadow 2>/dev/null`;
    @info_real   = split(/:/, $actual_passwd);
    $passwd_real = $info_real[1];
    # Traditional DES crypt(): the first two characters are the salt,
    # the remaining eleven are the hash.
    $salt             = substr($passwd_real, 0, 2);
    $passwd_real_pass = substr($passwd_real, 2, 11);
    # Re-encrypt the file's password with the node's salt and compare.
    $passwd_file_encrypted      = crypt($passwd_file, $salt);
    $passwd_file_encrypted_pass = substr($passwd_file_encrypted, 2, 11);
    if ($passwd_file_encrypted_pass eq $passwd_real_pass) {
        print "\n$node matches the file\n";
    } else {
        print "\nWarning $node does not match\n";
    }
}
close(PASS);

----------------------------------------------

Hi,

For Solaris, there is no way to do this (that I know of at least) other than using Expect. Tcl/Tk is also required as a front end for Expect.
Expect comes with a script called autopasswd, so you would not need Perl.

EP

--------------------------------------------------------------------

Hi,

Thanks for your offer, but I would rather have a simple shell script to do this as Expect requires Tcl to be installed.

I've tried:

# npw="Newpass9"
# (echo $npw; echo $npw) | passwd root
New Password:              (still prompts me for password - so not working)
Re-enter new Password:
#
# npw="Newpass9\n"         (I insert a linefeed character \n)
# echo $npw
Newpass9
                           <== there's an extra line now due to \n
# (echo $npw; echo $npw) | passwd root
New Password:              (still prompts for password)
Re-enter new Password:
# passwd root < echo $npw
echo: cannot open

Is there no way out other than using Perl & Expect?

Thanks
G Sun

---------------------------------------------------------------------------------------------------

If the admins don't need the root password -- does there even need to BE a root password? No root password = impossible to crack it.

Otherwise, something like this MIGHT work:

(newpass="`generate_pass`"; echo $newpass; echo $newpass) | passwd

Wesley W. Garland

---------------------------------------------------------------------------------------------------

> Hi,
>
> We have hardened Solaris boxes where administrators do
> not need to know the root password (as we just do 'sudo -s').
>
> It's the policy here that all passwords including root's must
> expire every 3 months, but this created a problem for an
> application that would fail if the root password expires.
>
> I have an idea/solution that the security person is agreeable to:
> "set up a script in crontab which runs every 90 days to
> change the password to a randomly generated password"

It looks to me that you'll soon end up without root access. At first glance it looks like a nice feature, but can you check some scenarios where the lack of a root password disables your access to the machine? What about sudo stopping functioning?
It can be rather dangerous in some DR or accident situations.

> I've obtained a standalone tool from a TACACS application
> that would generate a different hashed password each time
> it's run even though the same fixed string (contained in the
> file input.txt) is input into it:
>
> ./generate_pass < input.txt
> Password to be encrypted: J58rSyCjtnUhQ
> ./generate_pass < input.txt
> Password to be encrypted: 2ZwWQZxHplNA.

There are some Expect tools for passwd handling; check at expect.nist.gov

Damir

====================================

When it comes to the creation of the random password you shouldn't use the generate_pass command you got from TACACS; I'm guessing that you'll find that the "random string" is actually the plain-text password from the input.txt file encrypted using the crypt() function. The reason why it's different each time is due to the salting of the DES function - the first two letters of the hashed password indicate the salt used and are passed as-is into the crypt() function.

Better would be to actually generate a random password each time; you can do this by using nawk (supplied with Solaris):

% nawk 'BEGIN { srand(); for(x=0;x<8;x++) { p=p sprintf("%c",int(rand()*77)+40); } print p; }'

Alternatively, if you are using Solaris 9 or have Perl installed, then you can do everything in a single script:

#!/usr/bin/perl -w
use strict;

my $shadow = "/etc/shadow";
my @Salt   = ("a".."z", "A".."Z", 0..9, ".", "/");

# Remember the live file's owner and group so the replacement can match.
my ($uid, $gid) = (stat($shadow))[4,5];
(defined $uid) || die "$0: Failed to stat(\"$shadow\") - $!\n";

# Eight random printable characters (ASCII 33..125).
my $pass = "";
$pass .= sprintf("%c", int(rand(93)) + 33) for (1..8);

# Two-character salt drawn from the crypt(3) salt alphabet.
my $unx = crypt($pass, $Salt[int(rand($#Salt + 1))] . $Salt[int(rand($#Salt + 1))]);

open(OLD, $shadow)         || die "$0: Failed to open $shadow for reading - $!\n";
open(NEW, ">$shadow.new")  || die "$0: Failed to open $shadow.new for writing - $!\n";
chmod(0600, "$shadow.new") || die "$0: Failed to chmod(0600,\"$shadow.new\") - $!\n";

# Copy every record, swapping in the new hash on root's line only.
while (<OLD>) {
    s/^(root):[^:]+:(.*)$/$1:$unx:$2/;
    print NEW $_;
}

if (!close(OLD)) {
    unlink("$shadow.new");
    die "$0: Failed to close file handle on $shadow - $!\n";
}
if (!close(NEW)) {
    unlink("$shadow.new");
    die "$0: Failed to close file handle on $shadow.new - $!\n";
}
# Give the new file the same owner/group as the original before the swap.
if (!chown($uid, $gid, "$shadow.new")) {
    unlink("$shadow.new");
    die "$0: Failed to chown($uid,$gid,\"$shadow.new\") - $!\n";
}
if (!rename("$shadow.new", $shadow)) {
    unlink("$shadow.new");
    die "$0: Failed to rename(\"$shadow.new\",\"$shadow\") - $!\n";
}
exit 0;

When the above script is run as root it will change the encrypted root password in /etc/shadow to a random value; the passwords so generated look similar to the following examples:

dlr31!6_
D4rUI/O.
v,;)|jkj
ngp73xwM

Simon Burr

*************** Original question: **********************

Hi,

We have hardened Solaris boxes where administrators do not need to know the root password (as we just do 'sudo -s').

It's the policy here that all passwords including root's must expire every 3 months, but this created a problem for an application that would fail if the root password expires.

I have an idea/solution that the security person is agreeable to:
"set up a script in crontab which runs every 90 days to change the password to a randomly generated password"

I've obtained a standalone tool from a TACACS application that would generate a different hashed password each time it's run even though the same fixed string (contained in the file input.txt) is input into it:

./generate_pass < input.txt
Password to be encrypted: J58rSyCjtnUhQ
./generate_pass < input.txt
Password to be encrypted: 2ZwWQZxHplNA.

The problem I'm facing is how to feed the encrypted password into the "passwd root" command, if someone could help me with some shell scripting here:

a) the "passwd root" command will prompt for the password twice - so how can we feed the encrypted string into "passwd root"?
b) note that we should not run generate_pass twice as it will create a different password - we need to enter the same password twice (the 2nd time is the confirmation)

Thanks for any help
G Sun

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue May 31 11:39:18 2005
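Editor's added example (not code posted by any participant, and not Simon's or Mike's script). It does in Python what Simon's script does to /etc/shadow and answers the original question's (a) and (b) by sidestepping passwd(1) altogether: the hash is computed once and written once. It generalises the thread's approach in two ways a practitioner would want. First, it resets the lastchg field (third shadow(4) column), which is what Solaris password aging is computed from; a replacement that only swaps the hash leaves the expiry date where it was. Second, it refuses to write when the user's record is missing, duplicated or malformed, and replaces the file atomically with the original's mode and ownership preserved. Hashing goes through Python's crypt module (deprecated in 3.11, removed in 3.13) when present; the sample shadow records, the gsun user, the hash strings and the *LK* fallback are constructed for the demo and come from no real system.

```python
#!/usr/bin/env python3
"""Rotate a user's password hash in a shadow(4)-format file.

Added example for this thread; not code from any participant.
"""
import os
import secrets
import string
import tempfile
import time

# shadow(4) record: name:passwd:lastchg:min:max:warn:inactive:expire:flag
SHADOW_FIELD_COUNT = 9


def days_since_epoch(now=None):
    """lastchg is whole days since 1970-01-01, the unit passwd(1) writes."""
    now = time.time() if now is None else now
    return int(now // 86400)


def random_password(length=12, alphabet=None):
    """CSPRNG password. The alphabet omits ':' (shadow field separator)
    and characters that are awkward to pass through a shell."""
    if alphabet is None:
        alphabet = string.ascii_letters + string.digits + "!%+,-./=@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_hash(password):
    """crypt(3) hash with a fresh random salt. Imported lazily because the
    crypt module is deprecated in 3.11 and gone in 3.13; any other crypt(3)
    source can be passed to rotate_file() as `hasher` instead."""
    import crypt
    return crypt.crypt(password, crypt.mksalt())


def rotate_hash(shadow_text, new_hash, today=None, user="root"):
    """Return shadow_text with user's hash replaced and lastchg reset.

    Raises ValueError, so a half-edited file is never produced, when the
    user is missing or duplicated, the record lacks nine fields, or the
    hash contains a field separator."""
    if ":" in new_hash or "\n" in new_hash:
        raise ValueError("hash must not contain ':' or newline")
    today = days_since_epoch() if today is None else today
    out, hits = [], 0
    for line in shadow_text.splitlines(keepends=True):
        fields = line.rstrip("\n").split(":")
        if fields[0] == user:
            if len(fields) != SHADOW_FIELD_COUNT:
                raise ValueError("malformed shadow record for %r" % user)
            fields[1] = new_hash        # new crypt(3) hash
            fields[2] = str(today)      # restart the aging clock
            line = ":".join(fields) + "\n"
            hits += 1
        out.append(line)
    if hits != 1:
        raise ValueError("expected one record for %r, found %d" % (user, hits))
    return "".join(out)


def atomic_replace(path, new_text):
    """Write to a 0600 temp file in the same directory, fsync, copy the
    original's mode (and owner when root), then rename over the original so
    readers see either the old or the new file, never a partial one."""
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(prefix=".shadow.",
                               dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, st.st_mode & 0o7777)
        if os.geteuid() == 0:
            os.chown(tmp, st.st_uid, st.st_gid)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def rotate_file(path, user="root", password=None, hasher=make_hash):
    """Rotate user's password in the shadow file at path; returns the
    clear-text password so the caller can escrow it (nothing logs it)."""
    password = password or random_password()
    with open(path) as f:
        text = f.read()
    atomic_replace(path, rotate_hash(text, hasher(password), user=user))
    return password


if __name__ == "__main__":
    # Constructed sample shadow file; these hashes and users are not real.
    sample = ("root:aB1ZyX9kLmNoP:12000:7:91:7:::\n"
              "daemon:NP:6445::::::\n"
              "gsun:$1$abcdefgh$notARealHashValue00000:12800:7:91:7:::\n")
    fd, path = tempfile.mkstemp(suffix=".shadow")
    with os.fdopen(fd, "w") as f:
        f.write(sample)

    def demo_hasher(pw):
        try:
            return make_hash(pw)
        except ImportError:        # Python 3.13+: no crypt module
            return "*LK*"          # placeholder; on Solaris this locks the account

    print("new root password:", rotate_file(path, hasher=demo_hasher))
    print(open(path).read(), end="")
    os.unlink(path)
```

Run it as root against a copy of /etc/shadow first and diff the result; only the root line should differ, in exactly the second and third fields. Escrow the returned password somewhere the DR procedure can reach, since the thread's warning about losing root access stands whether the rotation is done by hand or by cron.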
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:47 EST