Remotely change Root password across multiple machines at once


I am the administrator for a large environment of Red Hat servers as part of my job. The client wants the root password changed every 30 days. There are over 80 systems, some running Red Hat 6.x, some running 7.x.

Is there a way I can change the password across all the systems at once from a single point?

Responses

Hello Barry,

You can do this easily with Ansible. I wrote an Ansible playbook for this task last year. It will generate new random passwords, save them to a local file and set them on the remote machines. The package python-passlib has to be installed; I am not sure if it is by default.

#Author: Sascha Gruen - 2020-05-11
#This playbook will set a randomly generated password for a given user.
#ATTENTION: Please check all variables before running this playbook.
#All passwords will be written to a textfile (VAR: local_pw).
#The file will be deleted after 10 Minutes, so hurry up :-)
#Requirements: python-passlib has to be installed on the local (controller) server,
#because the password_hash filter uses it to build the SHA-512 crypt hash.
---

- name: "Reset pw of a given user"
  connection: ssh
  become: yes
  hosts: '{{ host }}'
  vars:
    username: root
    #Local file where the pws are saved in cleartext. This file will be deleted automatically after 10 minutes
    local_pw: /tmp/tmppw
  tasks:
  - name: Create a random password (14 chars from A-Z, a-z, 0-9, _ and -)
    shell: "tr -dc '_A-Za-z0-9-' < /dev/urandom | head -c 14"
    register: pw
    delegate_to: localhost
    become: no
    no_log: true
  - name: Change {{ username }} password
    # password_hash('sha512') hashes on the controller (needs passlib) with a fresh
    # random salt, so only the hash travels to the remote host and nothing ends up
    # in a shell command line or the process list
    user:
      name: "{{ username }}"
      update_password: always
      password: "{{ pw.stdout | password_hash('sha512') }}"
    no_log: true
  - name: Save password
    # mode 0600 and become: no keep the cleartext file readable by the operator only
    lineinfile:
      path: "{{ local_pw }}"
      line: "{{ ansible_hostname }} {{ pw.stdout }}"
      create: yes
      mode: '0600'
    delegate_to: localhost
    become: no
    no_log: true
  - name: "Activate Auto-Deleter: {{ local_pw }} will be gone after 10 minutes"
    # async/poll 0 is fire-and-forget, so the play does not hang on a backgrounded
    # shell; run_once starts one timer instead of one per host
    shell: "sleep 600; rm -f {{ local_pw }}"
    async: 660
    poll: 0
    run_once: true
    delegate_to: localhost
    become: no

Barry,

The ansible solution provided by Sascha Gruen seems pretty nice

Here's an alternative

#!/bin/bash
#
# this script is something created from Red Hat Solution https://access.redhat.com/solutions/221403
#
doit() {
echo -e "\nThis script will make a SHA-512 shadow-compatible password with random salt\n\nType your password successfully ONCE\n"
# this will make a variable named "$myvar" with the hashed password.
# The Python 2 shipped with RHEL 6/7 requires an explicit salt for crypt.crypt(), so an
# 8-byte random salt (16 hex chars) with the $6$ prefix selects SHA-512; print(...) works on Python 2 and 3
myvar=$(python -c 'import crypt,getpass,os,binascii; print(crypt.crypt(getpass.getpass(), "$6$" + binascii.hexlify(os.urandom(8)).decode()))')
echo -e "\n\tYour password hash is \n\t$myvar\n\t and could be used to change a password in this method:"
echo -e "THIS IS AN EXAMPLE, ONLY RUN IT IF APPROPRIATE:"
# there are two quotes below that are escaped with a backslash for the echo command to work properly.
# Remove those backslashes and additional quotes if you run that as a command outside this script.
# The syntax is on the next line:
## echo 'root:YOUR_HASH_GOES_HERE' |  /usr/sbin/chpasswd -e && logger "Successfully changed root password"
# This will display an example when the script is run. The resulting example command would need to be run as root, or at minimum with sudo rights
echo -e "echo 'root:$myvar' |  /usr/sbin/chpasswd -e && logger \"Successfully changed root password\" > /dev/null"
echo -e "###############################################"

} # end function "doit"

myuname=$(uname)
if [ "$myuname" == "Linux" ] ; then
    echo -e "Linux detected, proceeding"
    doit
else
    echo -e "This is not a Linux system, and the python command may fail"
fi

You could then take this and run it as a script (even in Ansible) such as:

#!/bin/bash
# this is an example, do not run this on your system without creating your own password from the example above.
# Please change the hash below with your own. The hash below was created from inputting something like
# "don'tusethis" when executing the script above.
echo 'root:$6$cCSm79EDoFr.lJHR$qHFBfm.nk9X5KLeRtUnySHaJXGtDEJ/3Z4Q7se5n7fpUa8IhFUpuxGXVqF90ZuZ1YA5CQvaoR8dnNfSmdfABz0' |  /usr/sbin/chpasswd -e && logger "Successfully changed root password" > /dev/null

I'd recommend using Ansible, even the non-paid edition. Yet Ansible Tower has quite a lot of great features.

Regards,
RJ
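Both answers above hand a SHA-512 crypt ($6$) hash to the target host, one via passlib and the Ansible user module, one via Python's crypt.crypt and chpasswd -e. The block below is an added example, not code from either answer or from Red Hat: a pure-Python implementation of that hash format (the algorithm glibc uses for /etc/shadow on RHEL 6 and 7) plus a verifier, so you can confirm offline that the cleartext written to the local file really matches the hash that was pushed, before the auto-deleter removes it, and check a hash lifted from /etc/shadow without any third-party package. The helper names sha512_crypt, verify and make_credential are this example's own; the known-answer value in the test comes from the SHA-crypt specification's published test vector.

```python
"""SHA-512 crypt ($6$) in pure Python, the format written to /etc/shadow on RHEL 6/7.

Added example (not from the thread above). Only the standard library is used,
so it runs where neither passlib nor the Python crypt module is available.
The function names sha512_crypt / verify / make_credential are this example's own.
"""
import hashlib
import hmac
import secrets
import string

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000  # glibc default when no rounds= field is present


def _fill(digest, length):
    """Repeat a 64-byte digest to exactly `length` bytes."""
    return digest * (length // 64) + digest[: length % 64]


def sha512_crypt(password, salt, rounds=DEFAULT_ROUNDS):
    """Return the $6$ crypt string for password/salt (salt truncated to 16 chars, as glibc does)."""
    key = password.encode()
    salt = salt[:16]
    sb = salt.encode()
    # B = H(key || salt || key)
    b = hashlib.sha512(key + sb + key).digest()
    # A = H(key || salt || B filled to len(key) || B-or-key for each bit of len(key))
    a = hashlib.sha512(key + sb + _fill(b, len(key)))
    n = len(key)
    while n:
        a.update(b if n & 1 else key)
        n >>= 1
    a = a.digest()
    # P: digest of key repeated len(key) times; S: digest of salt repeated 16 + A[0] times
    p = _fill(hashlib.sha512(key * len(key)).digest(), len(key))
    s = _fill(hashlib.sha512(sb * (16 + a[0])).digest(), len(sb))
    # the expensive part: `rounds` chained digests with a fixed mixing pattern
    for i in range(rounds):
        c = hashlib.sha512(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    # crypt's own base64: 21 byte-triples taken in a rotated order, then the last byte alone
    out = []
    for k in range(21):
        idx = (k, k + 21, k + 42)
        idx = idx[k % 3:] + idx[:k % 3]
        w = (a[idx[0]] << 16) | (a[idx[1]] << 8) | a[idx[2]]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    w = a[63]
    for _ in range(2):
        out.append(B64[w & 0x3F])
        w >>= 6
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else "$6$rounds=%d$" % rounds
    return prefix + salt + "$" + "".join(out)


def verify(password, hashed):
    """Constant-time check of a password against a $6$ hash (e.g. the field from /etc/shadow)."""
    fields = hashed.split("$")  # ['', '6', optional 'rounds=N', salt, digest]
    if len(fields) < 4 or fields[1] != "6":
        raise ValueError("not a SHA-512 crypt hash")
    rounds = DEFAULT_ROUNDS
    if fields[2].startswith("rounds="):
        rounds = int(fields[2][7:])
        del fields[2]
    candidate = sha512_crypt(password, fields[2], rounds)
    return hmac.compare_digest(candidate.rsplit("$", 1)[1], fields[3])


def make_credential(length=14):
    """Random password (same character set as the playbook above) and its hash with a fresh 16-char salt."""
    alphabet = string.ascii_letters + string.digits + "_-"
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    salt = "".join(secrets.choice(B64) for _ in range(16))
    return password, sha512_crypt(password, salt)


if __name__ == "__main__":
    pw, h = make_credential()
    print("password:", pw)
    print("chpasswd -e line: root:" + h)
    print("verifies:", verify(pw, h))
```

The string returned by sha512_crypt is exactly what goes after `root:` in the `chpasswd -e` line or into the `password:` field of the Ansible user module. To audit a rotation, read the `hostname password` line back from the local file and call verify() against the root entry of that host's /etc/shadow: a False result means the file and the host have drifted apart, which is worth knowing before the cleartext copy is deleted.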

Thanks, I will give these a try.

"sleep 10" is 10 seconds, not 10 minutes; isn't it? :)

Right, thank you. I fixed the line and increased sleep from 10 to 600.