How do I write a script that automatically changes the root password?

Posted on 2024-08-28 03:25:40

Currently our process consists of logging into each *nix server and manually changing the password for each. My question is, what is a good way to automate this? I'm thinking of possibly a couple different ways to do this and would like input from others on what they recommend, use, etc.

One way I was thinking is a text file with a list of servers that need the password change and a script that prompts the user for the new password, stores it temporarily in the script and then remote connects into each server and runs the commands. Having a check to make sure the server is reachable or a timeout on the remote connection would be a good idea. Then have output to the console so the person running the script can see what servers were successful and which ones were not.

I was trying to think of another fully automated solution, but couldn't think of a good way to securely store the new password. Plus it is not a huge deal to me to have some user interaction and have to manually start the script as we only would need to do this 6 times a year.

Any thoughts, help, ideas would be greatly appreciated.

Comments (2)

唯憾梦倾城 2024-09-04 03:25:40
openssl passwd -1 "$rootpw"

Where $rootpw holds the string that will be your root password.

This will output a crypted string that you can just put in the file or whatever. I use this on a script that sets up virtual server instances that are provisioned from a database. I compute this hash before sending it over the network so the script that sets up the server can just use this hash instead of having to send it plain text.

To answer your question, each server would compute the hash slightly differently and result in a different hash, but all of those hashes would equate to the same password. You could use any one of these hashes and they would be functionally equivalent when used on any server, even though the actual content of the hash is different.

For example, I hashed foobar and these are the results:

rootpw=foobar
openssl passwd -1 "$rootpw"
$1$6pXamKGD$TKQqON1prArop7DpLOyAk1

openssl passwd -1 "$rootpw"
$1$4A4Mn16f$P7ap2AqNMRK8m72bG/Bve0

openssl passwd -1 "$rootpw"
$1$DyhsWEMX$i2wH6JpAqoHNFZ0YOBVHj/

openssl passwd -1 "$rootpw"
$1$m27FIj5e$LZPxVniAeUoZcuUoNHK8c/

openssl passwd -1 "$rootpw"
$1$qdX0NKm1$45rzxUj..LCJwWB/.fwGH0

Each of those hashes is different even when computed on the same machine, but any of them can be used to equate to the password 'foobar' on any machine.

So just open /etc/shadow and paste that in there where you find the line:

root:$1$qdX0NKm1$45rzxUj..LCJwWB/.fwGH0:14415:0:99999:7:::

In my script I explode it at the :'s and update element [1] then concatenate the array back to a string and replace the string in the file. You can do it differently if you want, especially if you know the old value (which you can get by exploding it into an array).

I know this question is a few months old so you probably figured it out, but I'm putting this out there for any future googlers coming along and finding this.
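The steps this answer describes (hash the password before it leaves your machine, then replace field [1] of the root line) as an added shell example, not the answerer's own script. The function names `hash_password` and `set_shadow_hash` are hypothetical, and the target is any shadow-format file; the password is read on stdin rather than the command line, and the hash is validated before anything is written.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# Hash a password read from stdin, so it never shows up in the process list
# (an argument such as `openssl passwd -1 "$rootpw"` is visible to `ps`).
# -1 selects MD5-crypt, the scheme used in the post.
hash_password() {
    openssl passwd -1 -stdin
}

# set_shadow_hash FILE USER HASH
# Put HASH into field 2 of USER's line in a shadow-format FILE, leaving all
# other fields and lines untouched.
# Returns 1 on a malformed hash, 2 if USER has no line in FILE.
set_shadow_hash() {
    file=$1 user=$2 hash=$3
    # An empty hash would remove the password; a ':' or a newline would
    # shift the remaining fields or inject an extra line.
    case $hash in
        '' | *:* | *"
"*) return 1 ;;
    esac
    # Temp file beside the target so the final rename is atomic;
    # mktemp creates it with mode 0600.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Values go through the environment: awk -v would interpret backslashes.
    if U="$user" H="$hash" awk -F: '
        BEGIN { OFS = ":" }
        $1 == ENVIRON["U"] { $2 = ENVIRON["H"]; found = 1 }
        { print }
        END { exit (found ? 0 : 2) }' "$file" > "$tmp"
    then
        mv "$tmp" "$file"
    else
        rc=$?
        rm -f "$tmp"
        return "$rc"
    fi
}

# Usage (on a copy of the file, never the live /etc/shadow directly):
#   stty -echo; read -r pw; stty echo
#   hash=$(printf '%s\n' "$pw" | hash_password)
#   set_shadow_hash ./shadow.copy root "$hash"
```

On a live system `chpasswd -e` or `usermod -p` apply a pre-computed hash with the proper file locking, and `openssl passwd -6` (OpenSSL 1.1.1 and later) produces SHA-512-crypt rather than the MD5-crypt selected by `-1`.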

不寐倦长更 2024-09-04 03:25:40

You should compute whatever hash your servers compute on a password and send passwords in this secured, hashed form, ready to put into /etc/shadow.

I do not know however how to do that in practice.
