2

How can I check a remote machines root password?

I have a remote machines that are normally accessed via ssh root and other users. For security purposes I have a script to change all keys and user passwords periodically from a central server.

For non root users the password is updated like so.

ssh -i a_priv_key root@ip "echo 'user:NEWPASS' | chpasswd"

And I check it has actually changed with this.

ssh -i b_priv_key user@ip "echo NEWPASS | sudo -S ls /root"

However if I want to do the same with the root user I am stuck. The sudo -S ls /root always returns a listing with any password because we just ssh'd in to the remote machine as root.

And if we ssh in as user sudo prompts for user's password.

I have been trying to get something with su user && su root because I noticed it will prompt for a root password but am not able to script it like the above.

'login root' from the root shell will also always prompt for a password but I cannot script the clear-text password to that either.

I have read this question but was hoping for a inbuilt method to do it rather than writing a custom application that must be installed on the remote machines. How to check password with Linux?

dave.zap
  • 121
  • 2
  • Using `expect` is a good way to automate that for commands that read the password from a pty (like you mentioned `su` or `login`.) You can run `expect` locally and have it start the ssh connection, so no need to install it on the remote machines. – filbranden May 29 '19 at 11:40
  • 1
    Also note that using `echo NEWPASS` on ssh is quite insecure! It might make it into log files and even be visible from `ps`, so you'd be leaking your passwords. At the very least, use something like `<< – filbranden May 29 '19 at 11:44
  • "_For security purposes I have a script to change all keys and user passwords periodically from a central server_" - why aren't you using that central server to authenticate users directly? Then no need for password files on any of the satellite systems, and no need for scripts to distribute administrative level passwords (or hashes) – roaima Jul 26 '23 at 10:20

1 Answers1

0

If configuring sudo on the target machine is an option, then you can set up rootpw for some certain command, which makes sudo ask for the root password rather than the user password. For example, you could add the following line in a file /etc/sudoers.d/lsrootpw (and restart sudo service if needed)

Defaults!/bin/ls        rootpw

By that, any user except root, when doing sudo ls will be asked the root password rather than their own password. Thus, you could test with

ssh -i b_priv_key root@ip su user sudo -S ls /root <<< "NEWPASS"

which would go one way or the other depending on whether the password NEWPASS is correct for root or not. That test will require a sudo user on the target.

Or, if you have Debian's runuser command, you could rather use nobody as in the following:

ssh -i b_priv_key root@ip runuser -u nobody -- sudo -S ls /root <<< "NEWPASS"

That should also consistently yield two different results depending on the password's correctness. In particular, a correct password results in a complaint about nobody not being in the sudoers file. Though you could deal with that by an additional declaration in /etc/sudoers.d/lsrootpw.

Of course, all in all this is not much different from having a custom application as it requires the installation of something on the target host(s). At the same time, it's all doable with a sequence of five remote commands (add lsrootpw, restart sudo, make the test, remove lsrootpw and restart sudo again)

Ralph Rönnquist
  • 3,183
  • 1
  • 10
  • 11