2

How can I check a remote machines root password?

I have a remote machines that are normally accessed via ssh root and other users. For security purposes I have a script to change all keys and user passwords periodically from a central server.

For non root users the password is updated like so.

ssh -i a_priv_key root@ip "echo 'user:NEWPASS' | chpasswd"

And I check it has actually changed with this.

ssh -i b_priv_key user@ip "echo NEWPASS | sudo -S ls /root"

However if I want to do the same with the root user I am stuck. The sudo -S ls /root always returns a listing with any password because we just ssh'd in to the remote machine as root.

And if we ssh in as user sudo prompts for user's password.

I have been trying to get something with su user && su root because I noticed it will prompt for a root password but am not able to script it like the above.

'login root' from the root shell will also always prompt for a password but I cannot script the clear-text password to that either.

I have read this question but was hoping for a inbuilt method to do it rather than writing a custom application that must be installed on the remote machines. How to check password with Linux?

dave.zap
  • 121
  • Using expect is a good way to automate that for commands that read the password from a pty (like you mentioned su or login.) You can run expect locally and have it start the ssh connection, so no need to install it on the remote machines. – filbranden May 29 '19 at 11:40
  • 1
    Also note that using echo NEWPASS on ssh is quite insecure! It might make it into log files and even be visible from ps, so you'd be leaking your passwords. At the very least, use something like <<<NEWPASS (assuming bash, this is a bash syntax) passing that to the stdin of ssh itself rather than as part of the command string. But expect is possibly a better way to make this slightly more secure (still pretty scary though.) – filbranden May 29 '19 at 11:44
  • "For security purposes I have a script to change all keys and user passwords periodically from a central server" - why aren't you using that central server to authenticate users directly? Then no need for password files on any of the satellite systems, and no need for scripts to distribute administrative level passwords (or hashes) – Chris Davies Jul 26 '23 at 10:20
  • Because you'd be unable to authenticate if for some reason connectivity to that one server for down? Even if you have have an HA cluster of LDAP machines, for instance, if the server you need to do maintenance on because it e.g. lost it's primary interface due to some glitch you'd be screwed and couldn't even log in via a console ... sure, you could still boot of a rescue CD, the question is then how much downtime can that one machine afford. – tink Mar 30 '24 at 18:57

1 Answers1

1

If configuring sudo on the target machine is an option, then you can set up rootpw for some certain command, which makes sudo ask for the root password rather than the user password. For example, you could add the following line in a file /etc/sudoers.d/lsrootpw (and restart sudo service if needed)

Defaults!/bin/ls        rootpw

By that, any user except root, when doing sudo ls will be asked the root password rather than their own password. Thus, you could test with

ssh -i b_priv_key root@ip su user sudo -S ls /root <<< "NEWPASS"

which would go one way or the other depending on whether the password NEWPASS is correct for root or not. That test will require a sudo user on the target.

Or, if you have Debian's runuser command, you could rather use nobody as in the following:

ssh -i b_priv_key root@ip runuser -u nobody -- sudo -S ls /root <<< "NEWPASS"

That should also consistently yield two different results depending on the password's correctness. In particular, a correct password results in a complaint about nobody not being in the sudoers file. Though you could deal with that by an additional declaration in /etc/sudoers.d/lsrootpw.

Of course, all in all this is not much different from having a custom application as it requires the installation of something on the target host(s). At the same time, it's all doable with a sequence of five remote commands (add lsrootpw, restart sudo, make the test, remove lsrootpw and restart sudo again)

Ralph Rönnquist
  • 3,253