How to pass root password with su and command?


 
# 1  
Old 10-23-2018

Hello,
I have a list of around 400 devices. I need to restart a service, /etc/init.d/psap23.sh, on all of them, but it should be restarted by root only.
They run some other kind of light Linux. There is no sudo package on them and we can't/shouldn't install it. Direct root login is not allowed. I log in as user gis, su to root and then restart that service.
All of them have the same password for gis and the same password for root.
Is there any way I can pass the command with some loop instead of logging in to them one by one?
I have MobaXterm and I can run a for loop from it. Also, I have Ansible, if there is any option to do it with that.
Please suggest.
Thanks

Last edited by solaris_1977; 10-23-2018 at 03:28 PM..
# 2  
Old 10-24-2018
You'll need the expect tool to bruteforce a username and password in such an insecure manner.

That they've explicitly banned all the sensible options for automation, however, suggests to me that they really, really, really don't want automation to happen.
# 3  
Old 10-29-2018
Could you have a cron job on each that looks for a central marker file? You could store the 'last restart' time on each device and compare it to the content of a central file to decide if you need to run the restart process, however I suppose that this is still automation.

One does wonder: why do they not want system processes automated? If you are the admin, then you have the power to make your own decisions.

You could, for instance, open another port that listens for your connection and logs you on.


You say that direct root login is not permitted, then perhaps you could change it, but not allow password login. Would that help?




Kind regards,
Robin
# 4  
Old 10-29-2018
Well, if you cannot / are forbidden to use tools at your disposal...

As Robin suggested, the only half-sane response is to use a root crontab on each box, with a shell script to check for a file, perhaps read it for additional info (like last restart).

Then you can just log in as user gis, touch a file, and the restart (or a similar required action) will happen.

Be careful to sanitize the input and limit the script to root only (700 for instance).
User gis umask and permission as tight as you can, and create a directory which can only be modified by that specific user.
Consider that script and a file to be a security issue and treat the user input like cancer.

All of the above is wrong and existing methods should be used instead; various much more secure tools exist today.

Using keys or passwords, direct root login is still a great security risk and should be avoided at all costs.
Folks keep those keys on personal computers, mobile phones and such and are in general careless.

Hope that helps
Regards
Peasant.
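
The root-crontab check described in this post, as an added example (not Peasant's code and not part of the thread). The trigger path, the fixed token `restart`, the script location in the crontab comment and the use of `stat -c` are assumptions; only `/etc/init.d/psap23.sh` and the user `gis` come from the thread.

```sh
#!/bin/sh
# Root-cron trigger check (added example). TRIGGER_FILE, the "restart" token
# and the script path in the crontab line are assumptions, not from the thread.
#   * * * * * /usr/local/sbin/svc-trigger.sh --run
# Assumes a stat that supports -c (GNU coreutils or BusyBox).
TRIGGER_FILE="${TRIGGER_FILE:-/var/spool/gis-trigger/request}"
TRIGGER_OWNER="${TRIGGER_OWNER:-gis}"
SERVICE="${SERVICE:-/etc/init.d/psap23.sh}"

# Succeeds only for a small regular file, owned by the expected user, whose
# whole content is the fixed token. File content is compared, never executed.
trigger_is_valid() {
    local f="$1" owner="$2"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1            # no symlinks, dirs, FIFOs
    [ "$(stat -c %U "$f")" = "$owner" ] || return 1      # written by that user
    [ "$(stat -c %s "$f")" -le 16 ] || return 1          # refuse oversized input
    [ "$(head -c 16 "$f")" = "restart" ]
}

# Returns 2 if nothing is pending, 1 if the request was rejected, otherwise
# the exit status of the restart. The trigger is removed in every case.
handle_trigger() {
    local f="$1" owner="$2" ok=1
    [ -e "$f" ] || [ -L "$f" ] || return 2
    if trigger_is_valid "$f" "$owner"; then ok=0; fi
    rm -f -- "$f"
    if [ "$ok" -ne 0 ]; then
        echo "svc-trigger: rejected request in $f" >&2
        return 1
    fi
    "$SERVICE" restart
}

if [ "${1:-}" = "--run" ]; then
    handle_trigger "$TRIGGER_FILE" "$TRIGGER_OWNER"
fi
```

The script itself would be owned by root with mode 700, and the trigger directory writable by `gis` only, as the post says.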
# 5  
Old 10-29-2018
In general it is a good idea and a valid safety measure to forbid direct root-logins. Still, someone has to become root from time to time and nobody can be expected to do 400 systems manually. Locking the door makes sense. To block it with masonry without creating another entry is idiotic.

If you have Ansible then you have some working ssh-connection with the possibility to execute something with root-privileges because this is how Ansible contacts its clients. Write an Ansible-routine then and deploy it to all eligible systems. This is the preferred solution.

If you, for some reason, can't do that, use the ssh-connection directly: use the existing ssh-keys to connect to the systems and run the command(s) with root privileges the same way Ansible does it. You can put that in a script which does that in a loop and cycles through all the systems to be deployed. I once wrote such a script for a site where no Ansible or similar tool was available, here is the core function of it. It won't run outright without the rest of the solution (~1500 lines of code, too much to post it) but you might use it to create your own solution.

The function gets a hostname and executes a list of commands stored in an array by connecting to the host using a globally defined username and executes one command each iteration of the main loop. The success/failure of each command is then logged (f_CmdLog() and f_CmdErr()):

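Code:
# --------------------------------------------- pDeployList()
# Runs every command in the global array achCmd[] on host $1 via ssh as the
# globally defined user ${chUser}. Returns 1 if any command failed, else 0.
function pDeployList
{
     typeset chHost="$1"
     typeset -i iRetVal=0
     typeset -i iCmdCnt=1               # loop assumes achCmd[] is filled from index 1

     $chFullDebug                       # expands to a command set by the caller, or to nothing

     while [ $iCmdCnt -le ${#achCmd[*]} ] ; do
          # -n: ssh does not read stdin; BatchMode: fail instead of prompting
          # $SIMULATE: optional command prefix set by the caller
          if $SIMULATE ssh -nqo 'BatchMode = yes' \
                                "${chUser}@${chHost}" \
                                "${achCmd[$iCmdCnt]}" ; then
               f_CmdLog "executed ${achCmd[$iCmdCnt]} as ${chUser}@${chHost}"
          else
               # $? here is still the exit status of the ssh call
               f_CmdError "${chUser}@${chHost} # ${achCmd[$iCmdCnt]} ==> $?"
               iRetVal=1
          fi
          (( iCmdCnt += 1 ))
     done

     return $iRetVal
}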

I hope this helps.

bakunin
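
The outer loop this post describes (cycling through all systems with key-based ssh), as an added example that is not bakunin's script. The host-list file format, `RUN_SSH`, `FAILED_HOSTS` and the function name are assumptions; the account passed in must be one the site allows to run the command with the needed privileges.

```sh
#!/bin/sh
# Driver loop (added example). RUN_SSH can be pointed at a stub for a dry run.
RUN_SSH="${RUN_SSH:-ssh}"
FAILED_HOSTS=""

# run_on_hosts USER HOSTFILE COMMAND
# Runs COMMAND on every host listed in HOSTFILE (one name per line, '#'
# comments allowed). Returns 1 if any host failed or any entry was invalid.
run_on_hosts() {
    local user="$1" hostfile="$2" cmd="$3" host rc=0
    FAILED_HOSTS=""
    # The list is read on fd 3, so a remote command that reads stdin cannot
    # swallow the remaining host names (ssh -n guards against the same thing).
    while IFS= read -r host <&3 || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac       # blank line or comment
        case "$host" in
            *[!A-Za-z0-9._-]*)                          # refuse anything odd
                echo "skipping invalid entry: $host" >&2
                rc=1; continue ;;
        esac
        # BatchMode: never prompt for a password; a host without a working
        # key fails fast instead of hanging the whole run.
        if "$RUN_SSH" -n -q -o BatchMode=yes -o ConnectTimeout=10 \
               "${user}@${host}" "$cmd"; then
            echo "ok   $host"
        else
            echo "FAIL $host (exit $?)" >&2
            FAILED_HOSTS="$FAILED_HOSTS $host"; rc=1
        fi
    done 3< "$hostfile"
    return $rc
}

# Example call (host list path is hypothetical):
#   run_on_hosts "$DEPLOY_USER" ./hosts.txt '/etc/init.d/psap23.sh restart'
```

After a run, `FAILED_HOSTS` holds the hosts to retry or inspect by hand.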
# 6  
Old 10-29-2018
Hi Solaris_1977,

Just my two cents worth here, having to restart a service on 400 servers - why?
  • Does the service regularly fail?
  • Has there been an upgrade?

To give a more comprehensive answer, some more information is required. I also note that you say the service should be run as root, well running what I believe is a SAP service as root can lead to other issues. There should be a sapadm or similar user for starting these "services".

Regards

Gull04

Last edited by gull04; 10-29-2018 at 12:49 PM.. Reason: Typo