Setting root password from script

Is there a recommended way to set the root password from a shell script?

Having looked for an answer, it seems that I may need to use 'expect', although I suspect pw() may have the required options to set a password for a particular user, but looking at this gives me a headache...

Code:
SYNOPSIS
     pw [-R rootdir] [-V etcdir] useradd [-n] name [-u uid] [-C config] [-q]
        [-c comment] [-d dir] [-e date] [-p date] [-g group] [-G grouplist]
        [-m] [-M mode] [-k dir] [-w method] [-s shell] [-o] [-L class]
        [-h fd | -H fd] [-N] [-P] [-Y]
     pw [-R rootdir] [-V etcdir] useradd -D [-C config] [-q] [-b dir]
        [-e days] [-p days] [-g group] [-G grouplist] [-k dir] [-M mode]
        [-u min,max] [-i min,max] [-w method] [-s shell] [-y path]
     pw [-R rootdir] [-V etcdir] userdel [-n] name|uid | -u uid [-r] [-Y]
     pw [-R rootdir] [-V etcdir] usermod [-n] name|uid [-u newuid] | -u uid
        [-C config] [-q] [-c comment] [-d dir] [-e date] [-p date] [-g group]
        [-G grouplist] [-l newname] [-m] [-M mode] [-k dir] [-w method]
        [-s shell] [-L class] [-h fd | -H fd] [-N] [-P] [-Y]
     pw [-R rootdir] [-V etcdir] usershow [-n] name|uid | -u uid [-F] [-P]
        [-7] [-a]
     pw [-R rootdir] [-V etcdir] usernext [-C config] [-q]
     pw [-R rootdir] [-V etcdir] groupadd [-n] name [-g gid] [-C config] [-q]
        [-M members] [-o] [-h fd | -H fd] [-N] [-P] [-Y]
     pw [-R rootdir] [-V etcdir] groupdel [-n] name|gid | -g gid [-Y]
     pw [-R rootdir] [-V etcdir] groupmod [-n] name|gid [-g newgid] | -g gid
        [-C config] [-q] [-l newname] [-M members] [-m newmembers]
        [-d oldmembers] [-h fd | -H fd] [-N] [-P] [-Y]
     pw [-R rootdir] [-V etcdir] groupshow [-n] name|gid | -g gid [-F] [-P]
        [-a]
     pw [-R rootdir] [-V etcdir] groupnext [-C config] [-q]
     pw [-R rootdir] [-V etcdir] lock [-n] name|uid | -u uid [-C config] [-q]
     pw [-R rootdir] [-V etcdir] unlock [-n] name|uid | -u uid [-C config]
        [-q]
 
It's right there in the man page:
Code:
     -h fd         This option provides a special interface by which
                   interactive scripts can set an account password using pw.
 
It's right there in the man page:
Code:
     -h fd         This option provides a special interface by which
                   interactive scripts can set an account password using pw.
I wish I understood this option.

An example of its use would be helpful... I'll see if I can find one.
 
Is it secure to set the root password by a script?

If it is a root-only script or root/sudo-only command, root would need access in advance, so there seems to be no use. If it is a common user script anyone can get access to root by just reading the script. IMHO a violation of security principle.

Q: Is there a recommended way to set the root password from a shell script?

A: Yes, recommended way is not to do so.

The only reasonable application would be for an installation script to prepare a lot of new workstations, and set the root password to a default admin one.
 
Q: Is there a recommended way to set the root password from a shell script?

A: Yes, recommended way is not to do so.

The only reasonable application would be for an installation script to prepare a lot of new workstations, and set the root password to a default admin one.
I disagree. Setting root password with script is basically a requirement in certain environments. As covacat mentioned above you can use a hash and not plain password too.

Try setting up root password every 90 days on a farm with 1000+ servers. While I've no doubt there are people doing it manually this is one of those reasons for a script solution.
 
Try setting up root password every 90 days on a farm with 1000+ servers.
Ideally you'd have some sort of password management tool that will automagically change root's password every X amount of time. You shouldn't need to use the password most of the time anyway, but if you do require it it can be fetched from a password vault.
 
A suggestion by Kai Burghardt was to use something like this.

Bash:
pw usermod -n root -h 0 << 'EOT'
mysecretpassword
EOT

For my own personal use I like to have a blank password, which I can set by passwd ENTER ENTER.
If I don't do this I have a null password and can't sign in to sshd. If I set it to blank I can log in. I tried to use the above method using

Bash:
pw usermod -n root -h 0 << 'EOT'
""
EOT

but that did not work. Is there any way to do what I want?
 
That probably set the password to "" (two double quotes). Have you tried just an empty line?

As it's just empty, why not use echo "" | pw usermod -n root -h 0?
If the password was set to "" there would have been a password prompt at login, but there wasn't.

I'll try your suggestion.

I also wondered about using a newline character '\n' in a heredoc, but that doesn't seem to work.
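
Added example, not part of any post in this thread and not code from pw itself: a sketch of driving the `-h fd` / `-H fd` interface discussed above so that the password or hash never sits in the script text or in argv. It assumes the secret was dropped into a root-only file by a vault or provisioning step; the function names and the path in the usage line are hypothetical.

```sh
#!/bin/sh
# Added example: feed pw a password (-h 0) or a pre-computed hash (-H 0)
# on stdin, after checking that the file holding it is not exposed.

# Succeed only if $1 is a non-empty regular file with no group/other bits.
secret_file_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# set_password_from_file USER FILE
# Sends the first line of FILE to pw on fd 0 (-h 0 reads the password there).
set_password_from_file() {
    user=$1; file=$2
    secret_file_ok "$file" || {
        echo "refusing $file: missing, empty, or group/other accessible" >&2
        return 2
    }
    head -n 1 "$file" | pw usermod -n "$user" -h 0
}

# set_hash_from_file USER FILE
# Same, but FILE holds an already-encrypted string, passed with -H 0.
# Assumption: hashes use the modular crypt form ($id$salt$hash).
set_hash_from_file() {
    user=$1; file=$2
    secret_file_ok "$file" || {
        echo "refusing $file: missing, empty, or group/other accessible" >&2
        return 2
    }
    hash=$(head -n 1 "$file")
    case $hash in
        '$'?*'$'?*) ;;
        *) echo "refusing $file: not a crypt-format hash" >&2; return 3 ;;
    esac
    printf '%s\n' "$hash" | pw usermod -n "$user" -H 0
}

# Usage (as root on FreeBSD): set_hash_from_file root /root/.rotate/root.hash
```

With the `-H` variant the machine being updated only ever sees the hash, which is the approach suggested in the thread for rotating many servers from a script.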
 