salt quick tip - changing passwords on multiple clusters

Salt is a configuration management system and a remote execution framework written in Python. It runs on Linux, BSD, and even Windows. It provide various execution modules which help you automate tasks on heterrougenous clusters. Usually, you would like to provide a single password to all Linux hosts for a user. On such method would be to install and configure an authetication server like LDAP or a similar. However, LDAP and similar services are usually very complex to install and configure and even learn. If your cluster is small or you have a little amount of users, you might have been thinking of different sollution. One such solution would be to synchronize /etc/shadow files between machines. This requires some kind of script or manual involvement. Using salt and sudo you can automate the process. Here is how you can do it. First, add the following line to your /etc/sudoers on the salt master:

# users in the group cops can run this script without a password
%cluster-users ALL=(ALL:ALL) PASSWD: /usr/local/bin/cluster-changepass

This will allow users in the cluster-users group to run the command /usr/local/bin/cluster-changepass as root after giving their password. Now let's creat the script that actually does the job:

#!/bin/sh
echo "Changing password for:" $SUDO_USER
read -s -p "New Password: " PASSWORD1
echo
read -s -p "repeat Password: " PASSWORD2
if [ $PASSWORD1 != $PASSWORD2 ]; then
    echo "The passwords don't match!"
    exit 1
fi
echo $PASSWORD
HASH=`mkpasswd -m sha-512 -s $PASSWORD1`
salt '*' shadow.set_password $SUDO_USER $HASH

Save the above content to /usr/local/bin/cluster-changepass and change the permissions and ownership of the script:

$ chmod 0755 /usr/local/bin/cluster-changepass
$ chwon root:root /usr/local/bin/cluster-changepass

Now, your users can modify their password after typing their current password. For the script above to work, the command mkpasswd has to be installed, on debian based systems it is found in the package whois.

This entry was tagged: salt, linux, sudo

Share this post:

Discussions/Feedback.

comments powered by Disqus