In general it is a good idea and a valid safety measure to forbid direct root-logins. Still, someone has to become root from time to time and nobody can be expected to do 400 systems manually. Locking the door makes sense. To block it with masonry without creating another entry is idiotic.
If you have Ansible then you have some working ssh-connection with the possibility to execute something with root-privileges because this is how Ansible contacts its clients. Write an Ansible-routine then and deploy it to all eligible systems. This is the preferred solution.
If you, for some reason, can't do that, use the ssh-connection directly: use the existing ssh-keys to connect to the systems and run the command(s) with root privileges the same way Ansible does it. You can put that in a script which does that in a loop and cycles through all the systems to be deployed. I once wrote such a script for a site where no Ansible or similar tool was available, here is the core function of it. It won't run outright without the rest of the solution (~1500 lines of code, too much to post it) but you might use it to create your own solution.
The function gets a hostname and executes a list of commands stored in an array by connecting to the host using a globally defined username and executes one command each iteration of the main loop. The success/failure of each command is then logged (f_CmdLog() and f_CmdErr()):
Code:
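# --------------------------------------------- pDeployList()
# Runs every command in the global array achCmd[] on one host via ssh.
# Globals used: chUser, achCmd[], SIMULATE, chFullDebug,
#               f_CmdLog(), f_CmdError()
# Returns 0 if all commands succeeded, 1 if at least one failed.
function pDeployList
{
    typeset    chHost="$1"
    typeset -i iRetVal=0
    typeset -i iCmdCnt=1     # loop covers indices 1..n, so achCmd[] must be filled from index 1

    $chFullDebug             # global; presumably a debugging command or empty

    while [ $iCmdCnt -le ${#achCmd[*]} ] ; do
        # -n: no stdin, -q: quiet, BatchMode: fail instead of prompting for a password
        # $SIMULATE is a global prefix (e.g. "echo") that turns the call into a dry run
        if $SIMULATE ssh -nqo 'BatchMode = yes' \
                         "${chUser}@${chHost}" \
                         "${achCmd[$iCmdCnt]}" ; then
            f_CmdLog "executed ${achCmd[$iCmdCnt]} as ${chUser}@${chHost}"
        else
            # $? still holds the exit status of the failed ssh call here
            f_CmdError "${chUser}@${chHost} # ${achCmd[$iCmdCnt]} ==> $?"
            iRetVal=1
        fi
        (( iCmdCnt += 1 ))
    done

    return $iRetVal
}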
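
The loop the post describes (cycle through all systems, run each command over the existing key-based ssh connection, log success or failure per command) can be written as a stand-alone POSIX sh script. This is an added example, not the poster's script: the function names, the `deploy` account, the log format, reading hosts and commands from files, and the host-name check are all assumptions.

```shell
#!/bin/sh
# Added example; every name here is hypothetical, not taken from the original script.
SIMULATE=${SIMULATE-echo}              # "echo" = dry run; set SIMULATE= to really connect
DEPLOY_USER=${DEPLOY_USER:-deploy}     # assumed account with key-based login
LOGFILE=${LOGFILE:-${TMPDIR:-/tmp}/deploy.$$.log}
FAILED_HOSTS=""

log_line() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOGFILE"; }

# deploy_host HOST CMDFILE: run every non-empty, non-comment line of CMDFILE on HOST.
deploy_host() {
    dh_host=$1; dh_rc=0
    # The command list is read from fd 3 so nothing run in the loop can consume it.
    while IFS= read -r dh_cmd <&3; do
        case $dh_cmd in ''|'#'*) continue ;; esac
        if $SIMULATE ssh -n -q -o BatchMode=yes -o ConnectTimeout=10 \
               "${DEPLOY_USER}@${dh_host}" "$dh_cmd"; then
            log_line "OK ${DEPLOY_USER}@${dh_host} # $dh_cmd"
        else
            log_line "FAIL ${DEPLOY_USER}@${dh_host} # $dh_cmd ==> $?"
            dh_rc=1
        fi
    done 3<"$2"
    return $dh_rc
}

# deploy_all HOSTFILE CMDFILE: cycle through all hosts; failures land in FAILED_HOSTS.
deploy_all() {
    FAILED_HOSTS=""; da_rc=0
    while IFS= read -r da_host <&4; do
        case $da_host in
            ''|'#'*) continue ;;
            -*|*[!A-Za-z0-9._-]*)      # only plain host names reach the ssh command line
                log_line "FAIL rejected host entry: $da_host"; da_rc=1; continue ;;
        esac
        if ! deploy_host "$da_host" "$2"; then
            FAILED_HOSTS="$FAILED_HOSTS $da_host"; da_rc=1
        fi
    done 4<"$1"
    return $da_rc
}

if [ $# -eq 2 ]; then
    deploy_all "$1" "$2"
else                                   # no arguments: dry run over constructed sample data
    d=$(mktemp -d); printf 'web01\ndb01\n' >"$d/hosts"; printf 'uptime\nid\n' >"$d/cmds"
    SIMULATE=echo; deploy_all "$d/hosts" "$d/cmds"; rm -rf "$d"
fi
```

After a run, `FAILED_HOSTS` holds the systems that need a second pass, and the log has one line per command and host.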
dsenableroot(8)           BSD System Manager's Manual           dsenableroot(8)

NAME
     dsenableroot -- enables or disables the root account.

SYNOPSIS
     dsenableroot [-d] [-u username] [-p password] [-r rootPassword]

DESCRIPTION
     dsenableroot sets the password for the root account if enabling the root user account. Otherwise, if disable [-d] is chosen, the root account passwords are removed and the root user is disabled.

     A list of flags and their descriptions:

     -u username
             Username of a user that has administrative privileges on this computer.

     -p password
             Password to use in conjunction with the specified username. If this is not specified, you will be prompted for entry.

     -r rootPassword
             Password to be used for the root account. If this is not specified for enabling, you will be prompted for entry.

EXAMPLES
     -dsenableroot
             Your username will be used and you will be queried for both your password and the new root password to be set to enable the root account.

     -dsenableroot -d
             Your username will be used and you will be queried for only your password to disable the root account.

     -dsenableroot -u username -p userpassword -r rootpassword
             The supplied arguments will be used to enable the root account.

     -dsenableroot -d -u username -p userpassword
             The supplied arguments will be used to disable the root account.

Mac OS                           August 08 2003                           Mac OS