I have a script that adds users to a linux system. I was intending to have a step that sets the root pw to a default but how can I do this without having that pw in cleartext in the script?
Take a look at usermod's option "-p" in the manpage:
-p, --password PASSWORD
The encrypted password, as returned by crypt(3).
Note: This option is not recommended because the password (or encrypted
password) will be visible by users listing the processes.
The password will be written in the local /etc/passwd or /etc/shadow file.
This might differ from the password database configured in your PAM
configuration. You should make sure the password respects the system's
password policy.
One way might be to have your script write the new user info to a file. Then, have another script (executed by root) which actually adds the new users using the useradd command. Perhaps the second script can be a cron job that runs every couple of minutes. It wouldn't be in real time, but I would feel better about the security of doing it this way, rather than having a root password in a public-facing script.
Related
I got an idea to use users password and a local key to decrypt a dm-crypt partition with user home directory (and to mount it as a home).
But here is a problem: how can I get such script to be executed? It should be executed after successful authorization but before actual login, and it should have access to freshly inputted password.
Does someone know where to put such script?
This is a pretty common problem with a simple solution -- you use pam module.
Here is one example:
https://wiki.archlinux.org/index.php/Dm-crypt/Mounting_at_login
My .passwd file contains 2 usernames and 2 passwords.
userNameX:$apr1$F3EFwwfP$W4gD4e/W98FerHQWDErfX0
userNameY:$apr1$Nq21ft8f$CRW4OdeRDVLsLnFwFaXyE0
They have been automatically generated by the old server just providing username and clear password.
Now I have just moved to the AWS Elastic Beanstalk, these two usernames/passwords work very well, but I would like to create more users and passwords. How should I do?
If you want to use htpasswd, look at htpasswd - Options.
There, you have the warning about password on the command line
-b
Use batch mode; i.e., get the password from the command line rather than prompting for it. This option should be used with extreme care, since the password is clearly visible on the command line. For script use see the -i option. Available in 2.4.4 and later.
And the recommended option -i:
-i
Read the password from stdin without verification (for script usage).
This way, you can pass the password through standard input through a pipe (e.g. popen).
You can also look at some authentication module, depending on the language and web framework you use.
Here are some details about my setup...
Current environment:
40+ *nix systems managed by 6 admins
Highly secure, closed network (no internet access)
Regularly audited (all account passwords must be changed every 90 days)
Current procedures:
Each administrator has a personal account with sudo access. These admin accounts are managed via Active Directory so password changes are not an issue
Root account is also active for specific circumstances (i.e. admin account is locked out)
When it comes time to change the root passwords, an admin will do so by SSHing into each system (40+)
I want to write a script to make the root password changing process more efficient and everything I've read indicates that the most secure way to go about it is by using public key authentication. So my question is: If I log in as root to SYSTEM_1 and set up the public/private key pairs between that system and SYSTEM_2, SYSTEM_3, etc, does that mean I will only be able to run the script from SYSTEM_1? Is this even a good idea security wise? Are there any other ways to script this that I am missing?
You can use RSA Authentication and expect script
Let's say you are executing expect script on system 1, create public-private key pair and store public key on all the other systems you have to login (system 2.....n)
Now you wont need a password when you ssh into those system.
Now you can use expect script to change password for either root or any other user.
NOTE : usually expect interpreter is at /usr/bin/expect
you can find this my doing "whereis expect"
I hope it helps.
Try to use this algorithm and post your results.
In a shell script file I am using some commands like scp and make install which ask for my password.
I run a shell script to compile a big project, and after some time it asks for my password for using scp. I need to wait for that process and give the password after that.
I just want to do it all by shell script without interaction, so how can I avoid being prompted for the password here?
Short answer: DON'T
Use public key authentication for SCP and sudo with NOPASSWD directive for make install
If you can't use ssh trust and must enter the password later on in your script, use read -s -p "Password:" USER_PASSWORD to silently read in the password. You can then export USER_PASSWORD to an expect script, avoiding it being displayed in ps:
#!/usr/bin/expect -f
spawn scp some.file USER#otherhost:~
expect "assword:"
send -- "$env(USER_PASSWORD)\r"
expect eof
I think it's a better idea to generate an authentication key, and use this key based authentication instead of writing plain text passwords into your scripts.
No, you won't find any method to use SSH config files or a command line option to have a password hard coded and I'm sure this is by design.
If you environment makes this difficult, perhaps it would be helpful to know that the script can specify an identity file using the -i argument so you don't have to have a whole home directory setup or anything like that. There are other options that help use the key authentication that ssh really encourages over password authentication.
If you are using this across several users who you don't want to be bothered to create keys and copy them to the server, you could script that also. It wouldn't be hard to check for an existing key and do a quick test to see if you can make a connection with it. If you can't without a password, then you'd ssh-copy-id to the server asking for the ssh password that one time and at the beginning of the script so very little lag would occur between starting and running the script and it would be only once. You could even setup a separate key for each user for just the script in their own ~/.script/key/ directory so that you would discourage users access to the SSH server.
If you want to really restrict what can be done on the remote server by that user, you could use rssh as the shell on the remote account which will limit the user access to transferring files.
A good way we did this in the past to provide passwords to needed scripts when using key based authentication was impossible or needed to use passwords for apps, services, mysql, whatever...we stored passwords in an encrypted file and then decrypted this file at runtime to provide the password to the scripts.
The password decryption script, let's call it, yourcreds.rb, was restricted to root use only of course and the unencrypted passwords wern't stored anywhere. So for example you could run:
root#host:~# yourcreds.rb | grep mysql | awk {'print $3'}
Which without awk would for example output the stored line:
service | user | password | description | etc...
mysql mysqluser password ....
With yourcreds.rb (or whatever) you can output just the password and easily incorporate this method into scripts / cron jobs in larger or more complex environments.
Also if I remember correctly we didn't have to use grep / awk or anything. We just programmed in opts parse stuff like: yourcreds.rb list mysql or yourcreds.rb -l, etc.
We used blowfish and yamls to store the encrypted passwords. I'm sure you can be creative. Just make sure it's bullet proof to anyone but root.
I have written a simple application to authenticate user using PAM the common way: pam_start(), pam_authenticate() + my own conversation function + pam_end().
If application is run under the user who's credentials are being checked, authentication is succeeded. Otherwise, if application is run from user A to check credentials of user B, the authentication is failed. (
My question: why? As a service name passed to pam_start() I have tried also login as well as passwd. Nothing has changed. Which direction to go to debug the problem? Or possibly I should use another pam service to perform the task?
p.s. user 'A' in the second case is a user with no password and /bin/false shell.
How are you checking the "credentials"? Is it some file being read? Can user A read that file?
Service name passed to pam_start does not affect what the process can do. Note that programs that need to do similar things, like su or passwd are actually setuid programs.
Also, watch out not to create security holes in your application/module by allowing user A to impersonate user B.
User A might not have the permission to read the password file /etc/shadow. This is one reason why credential checking programs usually require root privileges.
So: Does it work for user A and user B if you execute the program with root privileges / as the root user?