
How to change password on multiple hosts (can use ssh)


Tech Geek
Feb 9, 2009, 4:01:34 PM
Hi,

We have about 125 Linux(RH)/Unix(Solaris) servers and to be in line with the
security policy we have to change our password every 90 days. How can I
change the password on all the server in an automated fashion....I can use
ssh. Please help me with options.

Thanks in advance.

Unruh
Feb 9, 2009, 5:02:09 PM
"Tech Geek" <tech...@verizon.net> writes:

>Hi,

Well, that is what YPi/NIS is for-- a central repository of passwords.
Alternatively you could have a script copy the password file and shadow
files between the machines.


Scott Lurndal
Feb 9, 2009, 5:27:15 PM

Wouldn't it be easier to use NIS+, LDAP or even AD?

scott

Tech Geek
Feb 9, 2009, 8:20:53 PM

"Scott Lurndal" <sc...@slp53.sl.home> wrote in message
news:4990adc3$0$28005$6c36...@news.usenetserver.com...

Scott,

thanks for the response....we did try LDAP but couldn't be implemented
successfully because of apparent conflicts the cluster software is having
with the existence of LDAP. We had to disable LDAP to allow the cluster
software to work. We have been working with the vendors but we haven't
gotten a working resolution yet.

Thanks again.

Tech Geek
Feb 9, 2009, 8:23:06 PM

"Unruh" <unruh...@physics.ubc.ca> wrote in message
news:BJ1kl.10814$PH1.7099@edtnps82...
Thanks for the response and information. Not sure why we didn't implement
NIS...I will check this out. As regards copying the password file and
shadow files...doesn't it require root access? I haven't done this (I am
not a Sys Admin!)...will this approach allow copying over the shadow file
entries only for one user? Will it be possible to help me with some more
additional information on this approach? Appreciate your time and help with
this.

Keith Keller
Feb 9, 2009, 10:46:55 PM
["Followup-To:" header set to comp.os.linux.admin.]

On 2009-02-10, Tech Geek <tech...@verizon.net> wrote:
>
> thanks for he response....we did try LDAP but couldn't be implemented
> successfully because of apparent conflicts the cluster software is having
> with the existence of LDAP. We had to disable LDAP to allow the cluster
> software to work. We have been working with the vendors but we haven't
> gotten a working resolution yet.

That sounds pretty unbelievable. Software should not be interacting
with the authentication mechanisms directly, so LDAP or no LDAP should
make no difference.

One thought occurs to me: are the compute nodes on the cluster on their
own private switch? If so they likely can't get to the LDAP server.
One potential way around this would be to make the head node an LDAP
slave, and configure the compute nodes to get their LDAP information
from the head node instead of the master LDAP server.

Other folks suggested NIS. Unless your network is firewalled well, and
your internal users are trusted, NIS is a security nightmare. LDAP will
serve much better.

--keith

--
kkeller...@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

Nico Kadel-Garcia
Feb 9, 2009, 11:56:24 PM
On 9 Feb, 20:23, "Tech Geek" <tech_g...@verizon.net> wrote:
> "Unruh" <unruh-s...@physics.ubc.ca> wrote in message
> news:BJ1kl.10814$PH1.7099@edtnps82...
> > "Tech Geek" <tech_g...@verizon.net> writes:
>
> >>Hi,
>
> >>We have about 125 Linux(RH)/Unix(Solaris) servers and to be in line with
> >>the
> >>security policy we have to change our password every 90 days.  How can I
> >>change the password on all the server in an automated fashion....I can use
> >>ssh.  Please help me with options.
>
> > Well, that is what YPi/NIS is for-- a central repository of passwords.
> > Alternatively you could have a script copy the password file and shadow
> > files between the machines.
>
> Thanks for the response and information. Not sure why we didn't implement
> NIS...I will check this out.  As regards copying the password file and
> shadow files...doesn't it require root access.  I haven't done this (I am
> not a Sys Admin!).,...will this approach allow copying over the shadow file
> entries only for one user?  Will it be possible to help me some more
> additional information on this approach.  Appreciate your time and help with
> this.

Depends on your NIS master. Sun boxes, for example, have an awful
configuration of publishing *ALL* accounts from /etc/passwd and /etc/
shadow by default, and that causes fascinating conflicts with the
management of lower numbered system accounts for local services, such
as Nagios.

You might consider Kerberos authentication: it's built into servers
such as Active Directory you may already be using for your Windows
boxes, and the security models are noticeably superior to most NIS
setups.

Unruh
Feb 10, 2009, 2:16:00 AM
Nico Kadel-Garcia <nka...@gmail.com> writes:

>On 9 Feb, 20:23, "Tech Geek" <tech_g...@verizon.net> wrote:
>> "Unruh" <unruh-s...@physics.ubc.ca> wrote in message
>> news:BJ1kl.10814$PH1.7099@edtnps82...
>> > "Tech Geek" <tech_g...@verizon.net> writes:
>>
>> >>Hi,
>>
>> >>We have about 125 Linux(RH)/Unix(Solaris) servers and to be in line with
>> >>the
>> >>security policy we have to change our password every 90 days. How can I
>> >>change the password on all the server in an automated fashion....I can use
>> >>ssh. Please help me with options.
>>
>> > Well, that is what YPi/NIS is for-- a central repository of passwords.
>> > Alternatively you could have a script copy the password file and shadow
>> > files between the machines.
>>
>> Thanks for the response and information. Not sure why we didn't implement
>> NIS...I will check this out. As regards copying the password file and
>> shadow files...doesn't it require root access. I haven't done this (I am
>> not a Sys Admin!).,...will this approach allow copying over the shadow file
>> entries only for one user? Will it be possible to help me some more
>> additional information on this approach. Appreciate your time and help with
>> this.

Yes, to change the password of users you MUST be root. (You could use sudo,
but the sysadmins must allow you to do that.)
If you are not sysadmin, you cannot change passwords except your own.
Now if it is your own password you want to change, then you could write a
script to use ssh to change your password on all the machines.

for i in `cat machines`
do
ssh $i passwd <<EOF
newpassword
newpassword
EOF
done

where machines contains the list of all the machine names and where
newpassword is your own new password.
Should do it.

Vilmos Soti
Feb 10, 2009, 11:46:15 AM
Unruh <unruh...@physics.ubc.ca> writes:

> Yes, to change the password of users you MUST be root. (You could use sudo,
> but the sysadmins must allow you to do that.)
> If you are not sysadmin, you cannot change passwords except your own.
> Now if it is your own password you want to change, then you could write a
> script to use ssh to change your password on all the machines.
>
> for i in `cat machines`
> do
> ssh $i passwd <<EOF
> newpassword
> newpassword
> EOF
> done
>
> where machines contains the list of all the machine names and where
> newpassword is your own new password.
> hould do it.

Yeah, this is what I did. Until I found cssh. Then do "cssh `cat machines`"

Vilmos

Tech Geek
Feb 10, 2009, 10:49:41 PM

"Unruh" <unruh...@physics.ubc.ca> wrote in message
news:QQ9kl.10857$Db2.830@edtnps83...

Hi Unruh,

Thanks for the script....this is what I was looking for and works fine.
Need a little help in getting the script to work.

when the ssh <hostname> is executed, it prompts for the current password.
How can I feed in the current password? BTW, I am trying to change only my
own password and probably, if it works, I will share the final version of the
script with my other colleagues to make their life easy!

Once again, thanks for all your help and time.

Doug Freyburger
Feb 11, 2009, 10:57:30 AM
"Tech Geek" <tech_g...@verizon.net> wrote:
>
> when the ssh <hostname> is executed, it prompts for the current password.
> How can I feed in the current password.  BTW, I am trying to change only my
> own password and probably, if it works I will share the final version of the
> script with my other colleagues to make their life easy!

"passwd" goes out of its way to forbid IO redirection for
automation of this type. If you can't go with NIS I'll offer
two different suggestions:

1) Install "expect" everywhere and write the password
update process as an "expect" script that loops using
the same password everywhere.

2) Switch "passwd" on all hosts but one to do an
"ssh that_one_host passwd" so all users set their
password on the same host. Then use ssync, rsync,
rdist or similar to copy /etc/passwd and /etc/shadow
everywhere.

On a multi-vendor network I once took option 2 and
had rdist launch a Makefile tuned to each vendor.
Depending on how many versions there are this may
take entering the password more than once. Several
vendors use the same encryption system so copying
/etc/shadow to them works while systems that use
different encryption will require entering the new
password on each type. If all you've got is Linux
copying the two files works.

Nico Kadel-Garcia
Feb 11, 2009, 11:57:56 PM

Randomly copying /etc/shadow around, without synchronizing it with /
etc/passwd or with existing system accounts created via software
package installers such as Apache or Nagios, is like changing one tire
on a car. You may wind up with a new tire, but if it doesn't match the
size of the others it's going to steer funny, muck with your file
ownership settings, and may help you drive headlong into a tree.

Doug Freyburger
Feb 12, 2009, 10:31:33 AM
Nico Kadel-Garcia <nka...@gmail.com> wrote:

> Doug Freyburger <dfrey...@yahoo.com> wrote:
>
> > 2) Switch "passwd" on all hosts but one to do an
> > "ssh that_one_host passwd" so all users set their
> > password on the same host.  Then use ssync, rsync,
> > rdist or similar to copy /etc/passwd and /etc/shadow
> > everywhere.
>
> > On a multi-vendor network I once took option 2 and
> > had rdist launch a Makefile tuned to each vendor.
>
> Randomly copying /etc/shadow around, without synchronizing it with /
> etc/passwd

Which is why I recommended both.

> or with existing system accounts created via software
> package installers such as Apache or Nagios, is like changing one tire
> on a car.

Which is why I mentioned a method that uses Makefiles.

If the accounts in question are human users, NIS continues
to be the better choice by far.
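
An added example, not posted by Doug, Nico or anyone else in the thread: rather than copying /etc/shadow wholesale (Doug's option 2), it pushes one user's entry into a target shadow file and refuses when the target's passwd file disagrees about that account, which is the package-created-account mismatch Nico warns about. The function names, the file layout and the sample entries with placeholder hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): push ONE user's entry from a source
# shadow file into a target shadow file, and refuse when the target's passwd
# disagrees about that user. All paths are parameters, so it can be rehearsed
# on copies of the files before it is ever pointed at /etc.

# uid_of USER PASSWD_FILE: print USER's numeric UID, or nothing if absent.
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2"
}

# shadow_line USER SHADOW_FILE: print USER's full entry, or nothing.
shadow_line() {
    awk -F: -v u="$1" '$1 == u { print; exit }' "$2"
}

# merge_shadow_entry USER SRC_PASSWD SRC_SHADOW DST_PASSWD DST_SHADOW
# Returns 0 on success, 1 if USER is missing on either side, 2 if the UIDs
# differ (same name, different account), 3 if the target could not be written.
merge_shadow_entry() {
    user=$1; src_pw=$2; src_sh=$3; dst_pw=$4; dst_sh=$5
    src_uid=$(uid_of "$user" "$src_pw"); dst_uid=$(uid_of "$user" "$dst_pw")
    [ -n "$src_uid" ] && [ -n "$dst_uid" ] || return 1
    [ "$src_uid" = "$dst_uid" ] || return 2
    new=$(shadow_line "$user" "$src_sh")
    [ -n "$new" ] && [ -n "$(shadow_line "$user" "$dst_sh")" ] || return 1
    tmp="$dst_sh.tmp.$$"
    # cp -p keeps the target's mode; the redirect then truncates the copy and
    # awk rewrites only the matching line, passing every other entry through.
    cp -p "$dst_sh" "$tmp" &&
      awk -F: -v u="$user" -v n="$new" '$1 == u { print n; next } { print }' \
          "$dst_sh" > "$tmp" || { rm -f "$tmp"; return 3; }
    mv "$tmp" "$dst_sh"
}

# Constructed demo data (placeholder hashes, not real ones): 'tech' is the same
# account on both hosts; 'nagios' has different UIDs, so it must be refused.
demo() {
    d=$(mktemp -d)
    printf 'nagios:x:101:101::/var/nagios:/sbin/nologin\ntech:x:1000:1000::/home/tech:/bin/bash\n' > "$d/src.passwd"
    printf 'nagios:!!:17000:0:99999:7:::\ntech:$6$NEWSALT$newhash:17000:0:99999:7:::\n' > "$d/src.shadow"
    printf 'nagios:x:105:105::/var/nagios:/sbin/nologin\ntech:x:1000:1000::/home/tech:/bin/bash\n' > "$d/dst.passwd"
    printf 'nagios:!!:16900:0:99999:7:::\ntech:$6$OLDSALT$oldhash:16900:0:99999:7:::\n' > "$d/dst.shadow"
    merge_shadow_entry tech   "$d/src.passwd" "$d/src.shadow" "$d/dst.passwd" "$d/dst.shadow"; echo "tech: rc=$?"
    merge_shadow_entry nagios "$d/src.passwd" "$d/src.shadow" "$d/dst.passwd" "$d/dst.shadow"; echo "nagios: rc=$?"
    cat "$d/dst.shadow"
    rm -rf "$d"
}
demo
```

Doug's caveat still applies on top of this: a hash in a format the target cannot verify (a different "encryption system" in his words) is copied faithfully and simply fails to log in, so the target's crypt support must be checked separately.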

anonymous
Apr 25, 2012, 7:41:11 PM
centrify.com
i heard about them through a tech convention and realized this could be
an amazing administrative tool. it is designed for an AD domain system
so if you are running your domain with linux/unix only this will
probably not solve the problem.

Jim Haynes
Apr 26, 2012, 11:36:29 AM
On 02/09/09 14:01, Tech Geek wrote:
> Hi,
>
> We have about 125 Linux(RH)/Unix(Solaris) servers and to be in line with
> the security policy we have to change our password every 90 days. How
> can I change the password on all the server in an automated fashion....I
> can use ssh. Please help me with options.
>
> Thanks in advance.


Kerberos


unruh
Apr 26, 2012, 12:21:37 PM
Are you the sysadmin or a user?
If a user:
1) persuade the sysadmins to institute NIS.
2) write a script
#!/bin/bash
# usage: script OLDPASSWORD NEWPASSWORD
OLDPASS=$1
NEWPASS=$2
# ~/hostnames holds one hostname per line
for i in `cat ~/hostnames`
do
ssh "$i" passwd <<EOF
$OLDPASS
$NEWPASS
$NEWPASS
EOF
done

where ~/hostnames contains the hostnames of all the computers you want
to change the password on.
Note this is somewhat dangerous as the old and new passwords will be
visible to someone doing a ps -auxww
You could have the script ask for the old and new passwords at the
beginning instead etc, but you get the idea

Also I have not tested this so am not sure about the input feeding to
passwd with the <<EOF on the remote machine

You had better make sure that the passwd does not reject the password or
you could be stuck in an awkward situation.
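
An added example, not posted by unruh or anyone else in the thread: it combines unruh's loop with Doug's expect suggestion and answers the two caveats raised above, reading both passwords from the terminal instead of argv (so they are not visible in ps) and checking the new password locally before touching the first host. The hosts file name, the function names, the expect prompt patterns and the 12-character minimum are assumptions; it expects key- or agent-based ssh to each host and expect installed locally.

```shell
#!/bin/bash
# Added example (not from the thread): change your OWN password on every host in
# a hosts file. Passwords are read from the terminal and reach expect via its
# environment, so neither shows up in argv (unruh's ps -auxww caveat). Assumes
# key/agent-based ssh to each host and expect installed locally.
set -u

# read_hosts FILE: one hostname per line; '#' comments and blank lines skipped.
read_hosts() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# check_policy NEW OLD: cheap local check so a password the remote passwd would
# reject does not leave the fleet half-changed.
check_policy() {
    [ "${#1}" -ge 12 ] && [ "$1" != "$2" ]
}
# change_on_host HOST OLD NEW: drive the remote passwd through a pty with expect.
# BatchMode keeps an ssh login prompt from being mistaken for passwd's prompt.
change_on_host() {
    OLDPASS=$2 NEWPASS=$3 expect - "$1" <<'EOF'
set timeout 30
spawn ssh -t -o BatchMode=yes [lindex $argv 0] passwd
expect {
    -nocase -re {(current|old).*password:}          { send -- "$env(OLDPASS)\r"; exp_continue }
    -nocase -re {bad|error|sorry|do not match|fail} { exit 1 }
    -nocase -re {new.*password:}                    { send -- "$env(NEWPASS)\r"; exp_continue }
    -nocase -re {success}                           { exit 0 }
    timeout { exit 2 }
    eof     { exit 3 }
}
EOF
}

main() {
    local hostfile=${1:-$HOME/hostnames} old new h failed=0
    read -r -s -p "Current password: " old; echo
    read -r -s -p "New password: " new; echo
    check_policy "$new" "$old" || { echo "new password fails local policy" >&2; return 1; }
    for h in $(read_hosts "$hostfile"); do
        if change_on_host "$h" "$old" "$new" >/dev/null; then
            echo "$h: changed"
        else
            echo "$h: FAILED, sort this host out before re-running" >&2; failed=1
        fi
    done
    return "$failed"
}
# Run only with a terminal attached; sourcing the file just defines the functions.
if [ -t 0 ]; then main "$@"; fi
```

The per-host exit code (1 rejected, 2 timed out, 3 connection closed) is what tells you whether a host is still on the old password, which is the "awkward situation" unruh mentions.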
