Hello folks,
Unfortunately I have to add 2 users on 200 servers that do not have centralized authentication or sudo or the same root password. I tried doing this with expect and "su -" but the script fails or acts funny. Please advise me or tell me where I need to look...
Thanks and regards, Bazy
Greetings,
On Thu, Apr 1, 2010 at 2:32 PM, Bazy bazy84@gmail.com wrote:
> Hello folks,
> Unfortunately I have to add 2 users on 200 servers that do not
have you checked man newusers?
Regards,
Rajagopal
On Thu, Apr 1, 2010 at 12:35 PM, Rajagopal Swaminathan raju.rajsand@gmail.com wrote:
> Greetings,
> On Thu, Apr 1, 2010 at 2:32 PM, Bazy bazy84@gmail.com wrote:
> > Hello folks,
> > Unfortunately I have to add 2 users on 200 servers that do not
> have you checked man newusers?
> Regards,
> Rajagopal
Thanks Raja. My problem is connecting to those 200 servers and su-ing in, they all have different root passwords.
Greetings,
On Thu, Apr 1, 2010 at 3:43 PM, Bazy bazy84@gmail.com wrote:
> Thanks Raja. My problem is connecting to those 200 servers and su-ing in, they all have different root passwords.
If you have _that_ kind of infrastructure you are better off using a Directory server too.
If you have telnet, you can try accept to automate it.
Regards,
Rajagopal
Bazy wrote:
> On Thu, Apr 1, 2010 at 12:35 PM, Rajagopal Swaminathan raju.rajsand@gmail.com wrote:
> > Greetings,
> > On Thu, Apr 1, 2010 at 2:32 PM, Bazy bazy84@gmail.com wrote:
> > > Hello folks,
> > > Unfortunately I have to add 2 users on 200 servers that do not
> > have you checked man newusers?
> > Regards,
> > Rajagopal
> Thanks Raja. My problem is connecting to those 200 servers and su-ing in, they all have different root passwords.
If you need to manage a bunch of servers centrally, you probably want to set up root ssh access with keys so you can script it. You could use LDAP for central authentication for this case, but how do you do updates and other changes?
On Thu, Apr 1, 2010 at 5:02 AM, Bazy bazy84@gmail.com wrote:
> Hello folks,
> Unfortunately I have to add 2 users on 200 servers that do not have centralized authentication or sudo or the same root password. I tried doing this with expect and "su -" but the script fails or acts funny. Please advise me or tell me where I need to look...
Short of finding some remotely exploitable vulnerability, you'll have to visit each server and login. Imagine if you *could* create IDs without root authority? :D
Are the servers identically configured?
If you can login remotely as root you can automate some of them via expect. What issues were you encountering?
If you're doing this it might be the perfect opportunity to add some sort of remote management or authentication to the systems.
> Short of finding some remotely exploitable vulnerability, you'll have to visit each server and login. Imagine if you *could* create IDs without root authority? :D
> Are the servers identically configured?
> If you can login remotely as root you can automate some of them via expect. What issues were you encountering?
> If you're doing this it might be the perfect opportunity to add some sort of remote management or authentication to the systems.
I cannot do any changes to the environment, therefore I cannot configure centralized authentication :-) It's fun stuff. I managed to find a way with perl and Net::SSH::Expect.
The simple expect script would enter the su password and die without sending the adduser commands.
Thanks everyone
On Apr 1, 2010, at 9:24 AM, Bazy bazy84@gmail.com wrote:
> > Short of finding some remotely exploitable vulnerability, you'll have to visit each server and login. Imagine if you *could* create IDs without root authority? :D
> > Are the servers identically configured?
> > If you can login remotely as root you can automate some of them via expect. What issues were you encountering?
> > If you're doing this it might be the perfect opportunity to add some sort of remote management or authentication to the systems.
> I cannot do any changes to the environment, therefore I cannot configure centralized authentication :-) It's fun stuff. I managed to find a way with perl and Net::SSH::Expect.
> The simple expect script would enter the su password and die without sending the adduser commands.
Like another poster suggested, create root .ssh key, copy it to each box, modify sshd.conf to allow login via either key or password in each box, you hold the key, they hold the password.
You can then use one of those ssh cluster utilities out there that issues the same command on a list of servers.
That is the best way and it requires minor changes with zero impact to the operational environment.
-Ross
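The key-based approach described above (one key, the same command issued to a list of servers), as an added example that is not part of the original thread. It assumes the control account's public key is already in root's authorized_keys on every target; the host names, user names, key path and the `SSH_BIN`/`SSH_KEY` variables are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Host names, user names and the key path are constructed placeholders.
SSH_BIN=${SSH_BIN:-ssh}                  # overridable, so the loop can be exercised with a stub
SSH_KEY=${SSH_KEY:-$HOME/.ssh/id_admin}  # hypothetical key; public half already on each target

# Print the script that runs as root on every target. It is idempotent: an existing
# account is left alone, and useradd without -p creates the account with no usable password.
remote_script() {
  local u
  printf 'set -eu\n'
  for u in "$@"; do
    case $u in
      ''|*[!a-z0-9_-]*) echo "refusing user name: $u" >&2; return 2 ;;
    esac
    printf 'id -u %s >/dev/null 2>&1 || useradd -m %s\n' "$u" "$u"
  done
}

# run_on_hosts LIST USER...  (LIST: one host per line, '#' comments allowed)
# Prints "OK host" or "FAIL host" per target; returns non-zero if any target failed.
run_on_hosts() {
  local list="$1" host script failed=0
  shift
  script=$(remote_script "$@") || return 2
  while read -r host _ || [ -n "$host" ]; do
    case $host in ''|'#'*) continue ;; esac
    # BatchMode=yes: fail instead of prompting for a password; host key checking stays on.
    if printf '%s\n' "$script" | "$SSH_BIN" -i "$SSH_KEY" -o BatchMode=yes \
         -o ConnectTimeout=10 "root@$host" 'sh -s' >/dev/null 2>&1; then
      echo "OK $host"
    else
      echo "FAIL $host"
      failed=$((failed + 1))
    fi
  done < "$list"
  [ "$failed" -eq 0 ]
}

# Executed directly: ./add-users.sh hosts.txt alice bob
if [ "$#" -ge 2 ]; then run_on_hosts "$@"; fi
```

The FAIL lines give the list of hosts that still need a manual visit, which matters when 200 targets are not identically configured.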
If you have your own account on each of the boxes the ssh key method is the best.
1) Create ssh keys for YOUR unprivileged user account.
2) Add YOUR account to /etc/sudoers by adding: user ALL=NOPASSWD: /bin/su -
Then from there you can use clusterssh to connect to all the boxes simultaneously. Issue the 'sudo su -' command while logged in with your account, then add the new users on all of the systems.
Just another idea.
Ryan Manikowski
]] Devision Media Services LLC [[ www.devision.us ryan@devision.us | 716.771.2282
On 4/1/2010 10:09 AM, Ross Walker wrote:
> On Apr 1, 2010, at 9:24 AM, Bazy bazy84@gmail.com wrote:
> > > Short of finding some remotely exploitable vulnerability, you'll have to visit each server and login. Imagine if you *could* create IDs without root authority? :D
> > > Are the servers identically configured?
> > > If you can login remotely as root you can automate some of them via expect. What issues were you encountering?
> > > If you're doing this it might be the perfect opportunity to add some sort of remote management or authentication to the systems.
> > I cannot do any changes to the environment, therefore I cannot configure centralized authentication :-) It's fun stuff. I managed to find a way with perl and Net::SSH::Expect.
> > The simple expect script would enter the su password and die without sending the adduser commands.
> Like another poster suggested, create root .ssh key, copy it to each box, modify sshd.conf to allow login via either key or password in each box, you hold the key, they hold the password.
> You can then use one of those ssh cluster utilities out there that issues the same command on a list of servers.
> That is the best way and it requires minor changes with zero impact to the operational environment.
> -Ross
> CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Thu, Apr 1, 2010 at 11:20 AM, Ryan Manikowski ryan@devision.us wrote:
> If you have your own account on each of the boxes the ssh key method is the best.
> 1) Create ssh keys for YOUR unprivileged user account.
> 2) Add YOUR account to /etc/sudoers by adding: user ALL=NOPASSWD: /bin/su -
> Then from there you can use clusterssh to connect to all the boxes simultaneously. Issue the 'sudo su -' command while logged in with your account, then add the new users on all of the systems.
Might save a step to just add ALL to the user sudo... That way doesn't need to su over..
On 4/1/2010 1:12 PM, Kwan Lowe wrote:
> On Thu, Apr 1, 2010 at 11:20 AM, Ryan Manikowski ryan@devision.us wrote:
> > If you have your own account on each of the boxes the ssh key method is the best.
> > 1) Create ssh keys for YOUR unprivileged user account.
> > 2) Add YOUR account to /etc/sudoers by adding: user ALL=NOPASSWD: /bin/su -
> > Then from there you can use clusterssh to connect to all the boxes simultaneously. Issue the 'sudo su -' command while logged in with your account, then add the new users on all of the systems.
> Might save a step to just add ALL to the user sudo... That way doesn't need to su over..
Or set up the ssh key to run as root on the targets from your control login in the first place and avoid the need to su/sudo at all.
What about Func in EPEL? It can handle the ssh keys for you as well.
https://fedorahosted.org/func/
*I have never used this in CentOS or any package from EPEL for that matter.
-Kris