Forum: Cfengine Help
Subject: Updating shadow encrypted fields
Author: debheller
Link to topic: https://cfengine.com/forum/read.php?3,22438,22438#msg-22438

Here's a bit of a brain-twister for y'all...

Say, for example, you maintain a very large group of Linux servers. All access by user accounts is managed through SSH keys. But the root account, itself, is a passwd'd account.

All of these systems in this very large group need to have the root password changed. However, while we might want to use the same passwd for the root accounts (which can only be logged into from the console - not the network, or accessed via rights from sudo), we do NOT want to use the same encrypted string on every system. This means I need to generate the string on the client.

One way I can think of is to use:

    /usr/bin/openssl passwd -1 newpasswdhere

This would generate the appropriate system string like this:

    $1$GVn1KByt$1KRkJsBsVXyevjyH9d/WA1

This could then be used in an edit_line (from cf3-tutorial):

    "/tmp/shadow"
        # this will be /etc/shadow when we want to go live
        edit_line => set_user_field("root",2,"$1$PwWfN9MN$4Blm.M3vCE2bUm.H2NXop0");

Is there a better way? Has someone already done this, and if so, would you be willing to share?

I am not sure how to do this - it must be done only once, and since the encrypted string will be different on each host, you can't check for a static value that has been replaced on subsequent cf-agent runs. What would be the best way to know that the change has occurred?

Thoughts?
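
One way to tell on later runs whether the change has already happened, as an added example that is not part of the original post: read the salt back out of the stored hash, re-hash the intended password with that salt, and compare. The function names and the SCHEME variable are assumptions made for this example; it assumes openssl is installed and that the stored hash carries no rounds= parameter.

```sh
#!/bin/sh
# Added example (not from the original post). Function names and SCHEME are
# hypothetical. Assumes openssl is installed and no "rounds=" field is in use.
# SCHEME=1 is the MD5-crypt form from the post; OpenSSL 1.1.1 and later also
# accept 6 (SHA-512 crypt, "$6$").
SCHEME=${SCHEME:-1}

# Print the hash field (field 2) of a user from a shadow-format file.
shadow_hash() {  # $1=file $2=user
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Return 0 when the stored hash was produced from the given password.
# The salt is read back from the stored hash, so no host-specific string has
# to be known centrally. The password goes to openssl on stdin (printf is a
# shell builtin), which keeps it out of the process list.
hash_matches() {  # $1=file $2=user $3=password
    stored=$(shadow_hash "$1" "$2")
    case "$stored" in
        "\$$SCHEME\$"*) ;;
        *) return 1 ;;  # empty, locked (! or *), or another scheme
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(printf '%s\n' "$3" | openssl passwd "-$SCHEME" -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}

# Print a fresh hash (random salt chosen by openssl) only when a change is
# needed; print nothing when the host already has the intended password.
new_hash_if_needed() {  # $1=file $2=user $3=password
    if hash_matches "$1" "$2" "$3"; then
        return 0
    fi
    printf '%s\n' "$3" | openssl passwd "-$SCHEME" -stdin
}

# Usage: new_hash_if_needed /tmp/shadow root "$NEW_ROOT_PW"
```

The exit status of hash_matches answers the "has the change occurred" question without any static value to compare against, and the string printed by new_hash_if_needed is what would go into field 2.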