How to edit /etc/shadow on many Linux servers?


Solution 1

pssh might be what you are looking for

Solution 2

You could just run the command usermod -p '_hash_' root where hash is the hash of the password appropriate for that system. So a command like usermod -p '$1$aNwwp0wS$RzSqCt3ntYs.V2TxcXheA' root would make root have a password of password.

If you want to do this the right way you would also generate a unique salt and a unique hash for each system. If it is installed you can use mkpasswd for this purpose.

$ # create a md5 password hash for 'password'
$ echo 'password' | mkpasswd -s -m md5
$1$mJrKn6xs$NTfRbrqbaVzsqcPzyXXt3/

PS Personally I prefer to set root to have a disabled password and then use ssh key-based authentication for any access to the root account. You should be able to build yourself a script pretty easily to automate the update of the root authorized_keys file. Depending on your SSH log level you will also see which key was used to access the root account; this may be helpful to track down who broke something.
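
A defender-side check for the point Solution 2 makes about giving each system its own salt and hash, going one step further by also flagging the MD5-crypt (`$1$`) scheme used in that answer's example. This is an added example, not part of the original answer; the `host:`-prefixed input format and the function names are assumptions, and the sample entries are constructed with placeholder hash bodies.

```shell
#!/bin/sh
# Audit root's shadow entries gathered from several hosts.
# Each input line is "host:" followed by that host's /etc/shadow line
# (hypothetical collection format, assumed for this example).

audit_shadow() {
    awk -F: '
    {
        host = $1; user = $2; field = $3
        # "!", "*", "!!" or an empty field means no usable password hash.
        if (field !~ /^\$/) { print host ": " user " LOCKED"; next }
        split(field, part, "[$]")        # part[2] is the scheme id
        id = part[2]
        # yescrypt ($y$) puts a parameter element before the salt, and
        # SHA-crypt may put an optional rounds=N element there.
        salt = (id == "y" || part[3] ~ /^rounds=/) ? part[4] : part[3]
        if (id == "1") print host ": " user " WEAK_SCHEME md5crypt"
        # The same scheme and salt on two hosts means one hash was copied.
        key = user "$" id "$" salt
        if (key in seen)
            print host ": " user " SALT_REUSED first seen on " seen[key]
        else
            seen[key] = host
    }'
}

# Constructed sample data: the hash bodies are placeholders, not real hashes.
sample_entries() {
    cat <<'EOF'
web01:root:$1$aaaaaaaa$PLACEHOLDERHASH0000000:19000:0:99999:7:::
web02:root:$1$aaaaaaaa$PLACEHOLDERHASH0000000:19000:0:99999:7:::
db01:root:$6$rounds=5000$bbbbbbbbbbbbbbbb$PLACEHOLDERHASH1:19000:0:99999:7:::
db02:root:$6$cccccccccccccccc$PLACEHOLDERHASH2:19000:0:99999:7:::
app01:root:$y$j9T$dddddddddddddddd$PLACEHOLDERHASH3:19000:0:99999:7:::
app02:root:$y$j9T$eeeeeeeeeeeeeeee$PLACEHOLDERHASH4:19000:0:99999:7:::
bastion:root:!:19000:0:99999:7:::
EOF
}

sample_entries | audit_shadow
```
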

Solution 3

You don't. No really, don't directly edit /etc/shadow. For 20 servers, I would probably just log in and change the root password with passwd.

What you can do if you have to do it often is use Expect and put it in a loop like:

for i in `cat <file_with_server_names>`
do 
     ssh <user>@$i
     <expect stuff here> 
done

Sorry for the flimsy pseudo code, I haven't used expect in about 6 months.

root is a tricky one, personally I don't like tying it to any external services as a fall back plan in case the network / service is down. Normally I would have suggested LDAP or AD integration (if you already had an AD domain!)

Solution 4

Puppet can manage users (and a plethora of other things). I would warmly recommend any admin with more than 3 servers integrating puppet into their environment. The wiki on puppetlabs.com has many articles that will help you get up and running quickly. The advantages are definitely worth your time. Consider writing this piece of code once:

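# Resource declarations use the lowercase type name; a capitalized
# "User { ... }" would set resource defaults instead.
user { 'sandra':
  ensure => present,
  # Supplementary groups are set with "groups" (the primary group is "gid").
  groups => ['sysadmin', 'dba'],
}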

...and have it applied on many servers within a given timeframe.

And yeah, don't edit your shadow file by hand :)

There are also packages like cluster-ssh, but in my experience, while useful, the workflow with this type of software becomes uncomfortable with more than 3-4 servers - this is just screen real-estate wise. I am not even talking about various issues that will arise due to differences in server filesystem layouts (say bye-bye to tab completion), installed packages, etc

Solution 5

Take a look at sshpass. You can do it by looping through an associative array where the key is the IP address and the value is the corresponding password.

The password can be changed with:

passwd <<EOF
ch4ng#m3
ch4ng#m3
EOF

You should clear history after doing this.


Author: Sandra

Updated on September 17, 2022

Comments

  • Sandra over 1 year

    I would like to change the root password on about 20 Linux servers. Mostly CentOS and Ubuntu.

    So I have looked at Puppet, chef, and cfengine, but I can't really tell if they can do that, or if they would be overkill for the task?

    Does anyone have recommendations how to edit config files, /etc/shadow among others, on many Linux servers?

  • adamo over 13 years
    +1 for Expect. Use "chpasswd -e" inside the loop. That way you will not type the cleartext password. Chpasswd manpage: linux.die.net/man/8/chpasswd
  • iSee over 13 years
    You forgot the password parameter. Quoting from the documentation: The user’s password, in whatever encrypted format the local machine requires. Be sure to enclose any value that includes a dollar sign ($) in single quotes (‘). Requires features manages_passwords.
  • ztron over 13 years
    I did not forget it. It is not required.