2010-01-10 20:49:00
This script can be used to generate, set and verify a new password for any root account within your BoKS domain. It could be used as part of your monthly root password reset cycle, or for daily maintenance purposes. Functionality of the script includes:
./boks_new_rootpw [[-h HOST] [-H HG] [-i FILE] | -A] [-x HOST] [-X HG] [-f FILE] [-d -o FILE] -h HOST Change the root password for HOST. Multiple -h entries allowed. -H HGROUP Change the root passwords for HOSTGROUP. Multiple -H entries allowed. -i FILE Change the root passwords for all hosts in FILE. -A Change the root passwords for ALL hosts. -x EXCLUDE Hosts to exclude (when using -H or -A). Multiple -x entries allowed. -X EXCLUDEHG Hostgroups to exclude (when using -A). Multiple -X entries allowed. -f FILE Output file to store the new root passwords in. Default is stdout. -d Debug mode. Provides error logging. Does a dry-run, not doing any updates. -o FILE Output file for debugging logs. Required when -d is passed. Example: ./boks_new_rootpw -h HOST1 -h HOST2 -f $BOKS_var/root.txt ./boks_new_rootpw -A -d -o /tmp/foobar Multiple -h, -H, -i, -x, and -X entries are allowed.
If you do not use the -f flag to indicate an output file, the script will output everything to stdout. The output consists of a listing of hostname, plus root password, plus encrypted password string. Either way you may want to keep this output somewhere safe, for reference.
When running in debug/dry-run mode, the script outputs log messages to the output file specified with the -o flag. This file will show detailed error reports for failing root updates. BEWARE: THE DEBUG LOG WILL CONTAIN (UNUSED) ROOT PASSWORDS.
All (temporary) files created by this script are 0600, root:root. Duh! ^_^
$ wc boks_new_rootpw.ksh 525 2549 16959 boks_new_rootpw.ksh $ cksum boks_new_rootpw.ksh 4078240301 16959 boks_new_rootpw.ksh
kilala.nl tags: boks, sysadmin,
View or add comments (curr. 3)
Posted by Thomas
Here's another change I'm going to make to the script. You see, up until now I've been changing root passwords using the following command:
modbks -l $HOST:root -p "$ENCPASSWD"
This works perfectly, with one exception: the value for the field that contains the date of your last password change does not get updated. This in turn may throw off auditors who expect to see a monthly root password change. Luckily, thanks to one of our friends at FoxT, I was introduced to the "boksauth" command which can be used to insert SERVC requests from the master server.
For example:
BoKS > lsbks -al SUN:thomas
...
Password last changed: 08/31/09
...
BoKS > boksauth -Oresults -c FUNC=change-psw USER=TRUSTED:ru13rs
OLDPSW= NEWPSW="SECRET12" UID=0 ERRMSG=
FUNC=change-psw
USER=SUN:thomas
OLDPSW=
NEWPSW=SECRET12
UID=0
ERRMSG=
$HOSTSYM=serverA
$ADDR=192.168.0.10
$SERVCADDR=192.168.0.10
SALT=6x
$SERVCVER=6.0.3
BoKS > lsbks -al SUN:thomas
...
Password last changed: 09/15/09
...
Unfortunately this does seem to use the unencrypted password string, while modbks uses the encrypted one. This means I'll need to modify my script a little bit further.
Posted by Thomas
I've made some more bug fixes to the script.
1. Removed "boksdiag updpsw" because it led to overloading on the master with hanging client queues as a result.
2. Fixed the cleanup of the tempdir.
3. Improved error output insofar that it will still include the new root password.
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.
2009-09-15 10:57:00
Posted by Thomas
Whoops, had a small bug in there. Apparently the following doesn't work on Solaris 8, but it does on Solaris 10 and Linux. Possibly on Darwin as well.
cat $FILE | sort -u > $FILE
On Solaris 8 this results in a completely empty $FILE, while on Solaris 10 et al it does what you expect. Unfortunately this messed up the functions that build the lists of host names and excluded hosts. Hence why I included a fix.