Change multiple password on multiple servers

Status
Not open for further replies.

mrn

MIS
Apr 27, 2001
3,993
GB
Hello,

Before I ask my question, I know about NIS but don't want to use it.

I look after loads of different Unix servers, and was looking for a way to change the root passwords on each server, each month, without having to log onto each one individually, issue the passwd command and change the password. Has anyone written/come across a script of any kind that would help me in this task? I can think of a couple of ways to approach this, but would be interested in any ideas or solutions anyone else has on this subject.

Regards
--
| Mike Nixon
| Unix Admin
| ----------------------------
 
the root passwd has not to be in NIS
you could create (a crontab-entry calling) a ssh-cmd on the different server starting by a master-server

set a new-pwd for root on master server
cut it from /etc/passwd
assume passwd=1234567890123
create on all client-server a script 'runme' like this:
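-----------------------begin
#!/bin/sh
# usage: runme '<new root password hash>'
# do nothing if no hash was passed
[ "x$1" = x ] && exit 0
FILE=shadow
# replace only the second (hash) field of the root entry; '|' is the sed
# delimiter because crypt hashes may contain '/'
sed -e "s|^\(root\):[^:]*:\(.*\)|\1:$1:\2|" /etc/$FILE >/etc/n$FILE
# install the new file only if it is non-empty, otherwise discard it
[ -s /etc/n$FILE ] && mv /etc/n$FILE /etc/$FILE && chmod 600 /etc/$FILE || rm -f /etc/n$FILE
exit 0
------------------------end
master:
# the inner single quotes keep the remote shell from expanding the hash
for serv in aa bb cc dd ee ff
do ssh root@$serv runme "'$passwd'"
done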

check the sed-syntax and ssh-docs for executing ssh without passwd on remote sys.
at this time, i have no access on unix-system.
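The field replacement that 'runme' performs, as an added example that is not part of the original post: it validates the hash, builds the new file beside the old one, and only renames it into place after checking the result, so a failed run leaves the file untouched. The function name set_root_hash is hypothetical, and the sample file and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). usage: set_root_hash FILE HASH
# Returns 0 on success; on any failure FILE is left untouched.
set_root_hash() {
    file=$1; hash=$2; tmp=$file.new.$$
    # Reject an empty hash and anything outside the crypt(3) alphabet:
    # a ':' would shift fields, an empty field would remove the password.
    case $hash in
        ''|*[!A-Za-z0-9./\$]*) return 2 ;;
    esac
    # Require exactly one root entry before writing anything.
    n=$(grep -c '^root:' "$file" 2>/dev/null) || n=0
    [ "${n:-0}" -eq 1 ] || return 3
    # Build the candidate with owner-only permissions; awk rewrites field 2
    # of the root line only, so a '/' in the hash needs no escaping.
    ( umask 077
      awk -F: -v OFS=: -v h="$hash" '$1 == "root" { $2 = h } { print }' \
          "$file" >"$tmp" ) || { rm -f "$tmp"; return 4; }
    # Verify the candidate: root carries the new hash and every other
    # line is unchanged.
    if [ "$(awk -F: '$1 == "root" { print $2 }' "$tmp")" = "$hash" ] &&
       [ "$(grep -v '^root:' "$file")" = "$(grep -v '^root:' "$tmp")" ]; then
        mv "$tmp" "$file"      # rename within one directory is atomic
    else
        rm -f "$tmp"; return 5
    fi
}

# Constructed sample data; both hashes are made-up placeholder strings.
demo=$(mktemp)
printf '%s\n' 'root:OLDHASHxx./01:11439:0:99999:7:::' \
              'mike:USERHASHyy/.2:11439:0:99999:7:::' >"$demo"
set_root_hash "$demo" 'NEWHASHzz/.34' && cat "$demo"
set_root_hash "$demo" '' || echo "empty hash refused (status $?)"
rm -f "$demo"
```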

 
Thanks for the reply, but it's not the answer I'm looking for, we're not using SSH and I can't install it anyway. Policy and all.....
--
| Mike Nixon
| Unix Admin
| ----------------------------
 
I wouldn't recommend mass updating of root passwords. I am in a similar situation as yourself, but think of the consequences if the script failed!!

I like to maintain intimate knowledge of when, and how any root settings change. I can't afford to lose the access to the servers for the sake of a couple of hours of password rotation.


Not to knock your idea, by any means (I know how tight timelines get)... and policy is definitely priority, but not when it comes to possible downtime...

I maintain that I would do it the old fashioned way...

...just my view (..and it may be wrong ;-) ).

-pd
 
Have you looked into using an LDAP Directory for user authentication? If you go this route, you could have all your servers point to a user directory and change a password in one place for all servers :)

Ahh.... nirvana...

--d3vNull
 
ProbablyDown,

Thanks for the reply, I also like the security of the hands on approach, but I'm talking 150 servers and growing rapidly.

I didn't mean for this script to run unattended, but just to do the telnet/passwd type thing for me.

Regards Mike
--
| Mike Nixon
| Unix Admin
| ----------------------------
 
for 150 machines you probably should set up nis or ldap to handle standard users ...

if you like to live dangerously you could add a .rhosts or /etc/hosts.equiv on each machine pointing to one machine stored in a locked room with no telnet access, ftp access, or generally any way into it. you could then go to this machine and rsh to each machine in turn in order to run the above script.

if i were you though, i'd make sure that you were nis+'d and that the ethers in nis+ for the machine would be set correctly so that no one can spoof it.

still dangerous.

Jon
 