2010-01-10 20:49:00

This script can be used to generate, set and verify a new password for any root account within your BoKS domain. It could be used as part of your monthly root password reset cycle, or for daily maintenance purposes. Functionality of the script includes:

Generates a string of eight random alphanumeric characters.
Creates a CRYPT encrypted password string.
Sets the root password through the modbks command. *
Verifies the encrypted string in three locations: BoKS database, /etc/shadow and $BOKS_etc/brpf.

Usage of check_boks_replication

./boks_new_rootpw [[-h HOST] [-H HG] [-i FILE] | -A] [-x HOST] [-X HG] [-f FILE] [-d -o FILE]

-h HOST		Change the root password for HOST. Multiple -h entries allowed.
-H HGROUP	Change the root passwords for HOSTGROUP. Multiple -H entries allowed.
-i FILE		Change the root passwords for all hosts in FILE.
-A 		Change the root passwords for ALL hosts.
-x EXCLUDE	Hosts to exclude (when using -H or -A). Multiple -x entries allowed.
-X EXCLUDEHG	Hostgroups to exclude (when using -A). Multiple -X entries allowed.
-f FILE		Output file to store the new root passwords in. Default is stdout.
-d 		Debug mode. Provides error logging. Does a dry-run, not doing any updates.
-o FILE	Output file for debugging logs. Required when -d is passed.

Example: 
./boks_new_rootpw -h HOST1 -h HOST2 -f $BOKS_var/root.txt
./boks_new_rootpw -A -d -o /tmp/foobar

Multiple -h, -H, -i, -x, and -X entries are allowed.

Output

If you do not use the -f flag to indicate an output file, the script will output everything to stdout. The output consists of a listing of hostname, plus root password, plus encrypted password string. Either way you may want to keep this output somewhere safe, for reference.

When running in debug/dry-run mode, the script outputs log messages to the output file specified with the -o flag. This file will show detailed error reports for failing root updates. BEWARE: THE DEBUG LOG WILL CONTAIN (UNUSED) ROOT PASSWORDS.

All (temporary) files created by this script are 0600, root:root. Duh! ^_^

Limitations

This script must be run as root, from the BoKS shell.
This script was tested with BoKS 6.0 and 6.5
Please make sure that the platform specific settings are correct.

Download

Download boks_new_rootpw.ksh

$ wc boks_new_rootpw.ksh
     525    2549   16959 boks_new_rootpw.ksh

$ cksum boks_new_rootpw.ksh
4078240301 16959 boks_new_rootpw.ksh

kilala.nl tags: boks, sysadmin,

View or add comments (curr. 3)

You are free to use this specific work, to share and distribute it and to adapt it for your own purposes. However, you must attribute this work as mine and you must share all of your alterations. Click on the logo, or follow this link for full details.

2009-09-15 10:57:00

Posted by Thomas

Whoops, had a small bug in there. Apparently the following doesn't work on Solaris 8, but it does on Solaris 10 and Linux. Possibly on Darwin as well.

cat $FILE | sort -u > $FILE

On Solaris 8 this results in a completely empty $FILE, while on Solaris 10 et al it does what you expect. Unfortunately this messed up the functions that build the lists of host names and excluded hosts. Hence why I included a fix.

2009-09-15 10:59:00

Posted by Thomas

Here's another change I'm going to make to the script. You see, up until now I've been changing root passwords using the following command:

modbks -l $HOST:root -p "$ENCPASSWD"

This works perfectly, with one exception: the value for the field that contains the date of your last password change does not get updated. This in turn may throw off auditors who expect to see a monthly root password change. Luckily, thanks to one of our friends at FoxT, I was introduced to the "boksauth" command which can be used to insert SERVC requests from the master server.

For example:

BoKS > lsbks -al SUN:thomas
...
Password last changed: 08/31/09
...

BoKS > boksauth -Oresults -c FUNC=change-psw USER=TRUSTED:ru13rs
OLDPSW= NEWPSW="SECRET12" UID=0 ERRMSG=

FUNC=change-psw
USER=SUN:thomas
OLDPSW=
NEWPSW=SECRET12
UID=0
ERRMSG=
$HOSTSYM=serverA
$ADDR=192.168.0.10
$SERVCADDR=192.168.0.10
SALT=6x
$SERVCVER=6.0.3

BoKS > lsbks -al SUN:thomas
...
Password last changed: 09/15/09
...

Unfortunately this does seem to use the unencrypted password string, while modbks uses the encrypted one. This means I'll need to modify my script a little bit further.

2009-10-26 20:09:00

Posted by Thomas

I've made some more bug fixes to the script.

1. Removed "boksdiag updpsw" because it led to overloading on the master with hanging client queues as a result.

2. Fixed the cleanup of the tempdir.

3. Improved error output insofar that it will still include the new root password.

All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.

Kilala.nl - Personal website of Tess Sluijter

Consulting

Tutorials

Certification

BoKS / Unix Control

BoKS admin scripts

Nagios

Nagios plugins

SNMP on Solaris

SNMP on Linux

Tivoli plugins

Miscellaneous

> Weblog

> Sysadmin articles

> Maths teaching

Boks_new_rootpw.ksh - Script for automatic changing of root passwords

Usage of check_boks_replication

Output

Limitations

Download