A couple of people have requested some of the information that I received
regarding the methods to update the root password on a large number of
workstations. Following are some of the more detailed responses. My
apologies for not including this information in my first summary.
*************************************************************************
>From Michael Sullivan:
Use the passmass script that comes with expect.
For information about expect see: http://expect.nist.gov/
*************************************************************************
>From Karl Vogel:
Your best bet is to get the "expect" package. You can automate any
interactive process with it.
ftp://ftp.cme.nist.gov/pub/subject/expect/expect.tar.gz
ftp://ftp.cme.nist.gov/pub/subject/expect/tcl.tar.gz
*************************************************************************
>From David Thorburn-Gundlach:
I'd probably cheat and paste (with sed) a pre-encrypted passwd into
the pass field in root's entry in the shadow file, but I'm lazy. If I
really wanted to do it write, I'd get expect (if I didn't have it
already) and write a script to do it, thereby generating a fresh
encryption for each machine as an added bonus.
Note that the latter method is required in an instance where you have
more than just the pass filed in /etc/shadow, as in a secure NIS+
environment...
*************************************************************************
>From Ozgur Erk:
First I will put a .rhosts in root's home directory in all clients (by
hand unfortunately). That file would certainly contain my computer's name.
Than I would be able to do anything I like with scripts like this:
#!/usr/bin/sh
#TIMESET of mycompany
Erlog=/tmp/log1
cp /dev/null $Erlog
exec >>$Erlog 2>&1
for host in `/timehosts` #Sorry you need to write names of all hosts in
#this file
do
if ping $host 1 >/dev/null
then
TIME=`date '+%m%d%H%M'`
echo $host
rsh -n $host "date $TIME"
#This is the point. Write anything between"" and
#see them executed in all other computers.
fi
done
mailx -s "TIME" sysadm < $Erlog
*************************************************************************
>From Nicky Ayoub:
If you know perl, rsh is enabled for root on the 80+, and a shared mount
point ( like your home ) exists on the 80+, then you could write a script
that searches for ^root: and replaces the second ":" delimited field with a
password already generated.
#!/bin/perl -pi.orig
$newpass = "sdfvs23.242" # this value is generated by using passwd on one
system
while (<>) {
if (/^root:/) {
@root = split(':');
$root[1] = $newpass;
print join(':', @root);
} else {
print $_;
}
}
NOTE: This was all typed by memory without testing!!!! Please use this as a
template to begin creating the script you need. You could actually have it
open /etc/passwd rather than using stdin like I have. I just wanted to give
you the idea. I remember having a shorter one about 3 years back to do the
same thing but my perl is rusty now... I'll look around for it.
*************************************************************************
>From Kurt Werth:
Assuming that you're going to make the password the same on
all of the machines, and that they are all standalones, you
could do this: Make 1 machine trusted to all the rest and rsh
a command out to each machine to replace the old encrypted string
with the new using vi, ie:
rsh sun1 "vipw /etc/passwd </home/user/vi.script"
where vi.script looks something like this:
:g/root/s//root:new_encrypted_string/g
/:
/:
14x
:wq!
Of course you'll need to replace "passwd" with "shadow" above
if you're doing this on a solaris machine. You may also want to
make a copy the old passwd/shadow file just in case.
*************************************************************************
Finally, from Rich Pieri - some sound advice:
I would do it manually, because a bug that created the wrong password data,
or corrupted the password file, on 80+ machines would be catastrophic. I
would not want to risk that.
****************************************************************
Leo Crombach System / Network Administrator
Tropel Corporation Phone: (716) 388-3566
60 O'Connor Road Email: lcrombach@tropel.com
Fairport, New York 14450 URL: http://www.tropel.com
****************************************************************
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:33 CDT