My suggestion would be *ansible*.
From a post I sent back in April, the following has worked quite well for us:
Changing root passwords across the plant via ansible:
Create a pseudo-random salt to use for the password hashing:
[root@HOSTXYZ ~]# python
>>> import os
>>> os.urandom(32).encode('base_64')
'+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/NpLcyJDE=\n'
The output of the step above provides the INPUT for the next set of
commands (see right AFTER "$1$" below)
Create a hash of the new password using python's crypt function (see
also http://mjanja.co.ke/2013/01/generate-salted-shadow-hashes-using-python-crypt/ ). E.g.:
>>> import crypt
>>> crypt.crypt("mysupertoughpassword",'$1$+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/NpLcyJDE=\n')
'$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0'
>>> quit()
The output of the step above allows for the needed INPUT to ansible
below:
ansible HOSTS_LISTED_HERE -m user -a 'name=root password=$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0' -K --sudo
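Added example, not part of the original post: a check to run on the hash string before handing it to the ansible user module, which also shows how much of the os.urandom salt `$1$` actually uses. The function names are hypothetical, and MANGLED and PLACEHOLDER_SHA512 are constructed samples.

```python
import re
import secrets
import string

ALPHABET = "./" + string.digits + string.ascii_letters   # crypt(3) salt/hash characters
IN_ALPHABET = re.compile(r"[./0-9A-Za-z]*\Z")
# scheme id -> (name, salt chars actually used, digest length, acceptable for new hashes)
SCHEMES = {
    "1": ("md5-crypt", 8, 22, False),
    "5": ("sha256-crypt", 16, 43, True),
    "6": ("sha512-crypt", 16, 86, True),
}

def make_salt(length=16):
    """Random salt drawn only from the crypt(3) alphabet (no '+', '=' or newline)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def effective_salt(scheme_id, raw_salt):
    """The part of raw_salt the scheme uses: up to the first '$', then truncated."""
    return raw_salt.split("$", 1)[0][:SCHEMES[scheme_id][1]]

def audit_shadow_hash(value):
    """Return findings for a hash string; an empty list means it passed."""
    m = re.match(r"\$(\w+)\$(?:rounds=\d+\$)?([^$]*)\$([^$]*)\Z", value)
    if not m or m.group(1) not in SCHEMES:
        return ["unrecognised format (only $1$, $5$ and $6$ are covered)"]
    scheme_id, salt, digest = m.groups()
    name, salt_len, digest_len, acceptable = SCHEMES[scheme_id]
    findings = []
    if not acceptable:
        findings.append(name + " is deprecated for new passwords")
    if len(salt) > salt_len:
        findings.append("salt longer than the %d characters %s uses" % (salt_len, name))
    if not IN_ALPHABET.match(salt):
        findings.append("salt has characters outside [./0-9A-Za-z]")
    if len(digest) != digest_len or not IN_ALPHABET.match(digest):
        findings.append("digest is truncated or malformed")
    return findings

# Values from the post above, plus two constructed samples.
PAGE_SALT = "+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/NpLcyJDE=\n"
PAGE_HASH = "$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0"
MANGLED = "$+Ks4YQAw.KfN0"   # constructed: a hash damaged by shell expansion
PLACEHOLDER_SHA512 = "$6$" + make_salt() + "$" + "." * 86   # constructed: right shape, not a real hash

if __name__ == "__main__":
    print(repr(effective_salt("1", PAGE_SALT)))
    for sample in (PAGE_HASH, MANGLED, PLACEHOLDER_SHA512):
        print(sample[:24], audit_shadow_hash(sample))
```

Of the 32 random bytes generated in the first step, only the first eight base64 characters end up in the `$1$` hash, which is why the stored salt reads `+Ks4YQAw`.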
From: <[email protected]> on behalf of J Epperson
<[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, August 25, 2015 at 8:57 PM
To: "[email protected]" <[email protected]>
Subject: Re: [Spacewalk-list] Deploy a root password change
I've always done this with "usermod -p", using the crypted password string.
But that's probably not actually any more secure than echoing to "passwd
--stdin".
On 2015-08-25 16:50, Steve Meier wrote:
> Hello,
>
> using sed on your /etc/shadow is a very harsh way to do it. On Red Hat
> the passwd command supports the --stdin parameter which is much cleaner
>
> echo supersecret | passwd --stdin root
>
> Run this as a remote action and you are good.
>
> Alternatively, you can create a dummy RPM where this is a %post action
> and deploy this RPM. This should work as well and the version of that
> dummy RPM will actually give you a hint on which of your rotated
> passwords
> it is.
>
> Kind regards,
> Steve
>
> On 2015-08-25 22:24, Justin Edmands wrote:
>> You change the root pw on one machine, grab the /etc/shadow entry, and sed
>> replace the root line in the shadow file into a remote command to whatever
>> systems you need to change.
>>> On Aug 25, 2015, at 4:13 PM, Franky Van Liedekerke <[email protected]> wrote:
>>> On Tue, 25 Aug 2015 19:45:06 +0000 "Armstrong, Kenneth Lawrence (SYSADMIN)" <[email protected]> wrote:
>>>> Is there a way to deploy a root password change to a group of servers in
>>>> Satellite 5.6? I imagine something like this might be possible in Satellite
>>>> 6.x, but we don't have that deployed yet.
>>> Since spacewalk only has the root-pwd there for kickstart I don't think that
>>> is possible. I don't know if this helps, but: loop through your servers, do
>>> sudo and: echo "root:newpass"|chpasswd
>>> I know, it is not the config-method you're looking for (puppet, ansible),
>>> but sometimes the simplest things are sufficient too ...
>>> Franky
>>> _______________________________________________
>>> Spacewalk-list mailing list [email protected]
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
