sysadmin2 Posted September 19, 2017

Hello, I would like to use the reset root password option for Linux hosts (when they expire or after a check-out). There is only one problem: in my environment, root is not permitted to login through ssh. I am wondering if it is possible to specify a privileged account to ssh in and then reset the root password? Thanks.
support Posted September 20, 2017

Hi sysadmin2,

We have included support for this type of scenario in Passwordstate 8. If you are running this version then you should be able to use section 13 of the below document to help you set your system up correctly: https://www.clickstudios.com.au/downloads/version8/Password_Discovery_Reset_and_Validation_Requirements.pdf

If you need to upgrade, please use this document, as you will need to be on the latest version: https://www.clickstudios.com.au/downloads/version8/Upgrade_Instructions.pdf

I hope this helps and can you let us know how you go?

Thanks,
Support
Sarge Posted September 20, 2017

Hi,

Yes, it's possible. It's far easier if you use LDAP or IPA. You'll need to add the following lines to sudoers, where <username> is the username of the priv account to handle the resets:

    ##Request root password for user <username> for Passwordstate validation scripts.
    Defaults:<username> rootpw

Next...

1. Create a linux host which can be used to reset the Priv Account credentials when they expire. (Assuming they do expire; ours do, so we reset our priv account creds 10 days prior to its actual expiration date.)
2. Create the credentials for the priv account in a Password List enabled for password resets, link the creds to the host created above, and enable resets.
3. Make sure validation and reset status have worked. Assuming they have, keep going with step 4.
4. Create a priv account in Passwordstate > Administration > Privileged Account Credentials, and link it to existing credentials (created in step 2).
5. Create the host for which you want to reset the root password.
6. In a Password List enabled for resets, create the current root user's credentials; enable them for validation and resets.
7. On the reset options tab ensure you select the Priv Account you created previously.
8. On the heartbeat options tab ensure you tick "Use the Privileged Account Credential selected on the 'Reset Options' tab to perform the authentication for this validation (only used for Linux root accounts if required):"

As soon as you click save it will go off and reset the root password. Assuming you've done everything correctly, it'll go through without an issue. Details can also be found in the user manual. Make sure you've tested against your dev environment prior to implementing in production.
sysadmin2 Posted September 20, 2017

Thanks for the feedback. I was able to get this working; the only thing that was missing was specifying the user account and command to be run in the sudoers file. Along with adding:

    ##Request root password for user <username> for Passwordstate validation scripts.
    Defaults:<username> rootpw

I also had to add:

    <username> ALL=(ALL) /bin/passwd, /bin/echo

The above step may be a given though, depending on who is setting the configuration.

There is one other problem that I am experiencing. I am trying to link a privileged account to an account from a password list that is enabled for resets, but the only option I have from the dropdown is: -- Not Required --

Am I missing a permission that allows the account to be linked? If so, I cannot find where to set it. Thanks again for the help.
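The two sudoers fragments in this thread (Sarge's `Defaults:<username> rootpw` line and sysadmin2's command rule) together define what the reset account is allowed to do. The audit below is an added example, not code from the thread, from Click Studios or from Passwordstate: it checks a sudoers fragment for exactly that shape, so the account keeps the root-password prompt and is limited to the password utility rather than `ALL`. The account name `svc_pwreset`, the allow-listed command paths, and the three sample sudoers files written to a temporary directory are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Passwordstate): audit a sudoers
# fragment for a privileged reset account. Everything below (svc_pwreset,
# the sample files, the allowed command paths) is constructed.

# Commands the reset account legitimately needs (assumption: Debian/RHEL paths).
ALLOWED_CMDS="/bin/passwd /usr/bin/passwd /bin/echo /usr/bin/echo"

# audit_reset_account FILE USER  ->  exit status 0 = compliant, 1 = findings
audit_reset_account() {
    file=$1
    user=$2
    rc=0

    # 1. rootpw must be set for this user so sudo asks for root's password,
    #    which is what the validation/reset script supplies.
    if grep -Eq "^[[:space:]]*Defaults:${user}[[:space:]]+rootpw" "$file"; then
        echo "ok: Defaults:${user} rootpw present"
    else
        echo "FAIL: Defaults:${user} rootpw missing"
        rc=1
    fi

    # 2. Collect the command part of every rule for the user
    #    ("user HOST=(runas) cmd1, cmd2" -> "cmd1, cmd2").
    rules=$(grep -E "^[[:space:]]*${user}[[:space:]]+[^=]+=" "$file" \
            | sed -E 's/^[^=]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?//')

    if [ -z "$rules" ]; then
        # Stock sudoers on some distributions did not need an explicit rule
        # (per the thread), so absence is reported as a note, not a failure.
        echo "note: no explicit command rule for ${user} in ${file}"
        return $rc
    fi

    # 3. Every command token must be on the allow-list; ALL, shells, editors
    #    or sudo tags (NOPASSWD: etc.) are findings.
    for cmd in $(printf '%s\n' "$rules" | tr ',' ' '); do
        case " $ALLOWED_CMDS " in
            *" $cmd "*) echo "ok: ${user} may run ${cmd}" ;;
            *) echo "FAIL: ${user} rule contains '${cmd}' (not needed for a reset)"
               rc=1 ;;
        esac
    done
    return $rc
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample 1: the configuration the thread arrived at.
cat > "$SAMPLE_DIR/good.sudoers" <<'EOF'
##Request root password for user svc_pwreset for Passwordstate validation scripts.
Defaults:svc_pwreset rootpw
svc_pwreset ALL=(ALL) /bin/passwd, /bin/echo
EOF

# Constructed sample 2: rootpw is set, but the rule grants every command.
cat > "$SAMPLE_DIR/overbroad.sudoers" <<'EOF'
Defaults:svc_pwreset rootpw
svc_pwreset ALL=(ALL) ALL
EOF

# Constructed sample 3: the rule is fine but rootpw was never added.
cat > "$SAMPLE_DIR/norootpw.sudoers" <<'EOF'
svc_pwreset ALL=(ALL) /bin/passwd, /bin/echo
EOF

for f in good overbroad norootpw; do
    echo "== $f =="
    audit_reset_account "$SAMPLE_DIR/$f.sudoers" svc_pwreset || echo "   -> findings in $f"
done
```

On a real host, run the audit against the fragment you intend to install (for example a file under /etc/sudoers.d) and pair it with `visudo -c -f <file>`, which checks the syntax before sudo ever reads it; a typo in sudoers can lock every sudo user out, including the reset account.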
support Posted September 20, 2017

Thanks Sarge for helping, and great to see you got it working sysadmin2. FYI it was Sarge who pretty much drove the development of this feature and provided everything we needed to include it in our software, and we forever thank him for it :)

The new issue you have is an easy one to fix. If you go to Administration -> Privileged Account Credentials you'll be able to grant yourself (and anyone else that wants to be able to use it) permissions from the Actions Menu as per the below screenshot. After you do this you'll be able to select it in your Password Record.

Hope this helps.
sysadmin2 Posted September 21, 2017

Yes, I already have permission to this privileged account. I am trying to link it to a password record which is enabled for password resets. However, I do not have any options when I choose the Link To Password dropdown.

This is off-topic from my original post; please let me know if I should create a new thread. Thanks.
support Posted September 21, 2017

Sorry sysadmin2, I read your post too quickly and was thinking you were talking about a different area :(

As long as the username in your Privileged Account screen matches that of a separate Password Record that you have access to, and that Password Record is enabled for resets, then you should be able to select it from this drop down list. Here's some screenshots to help:

Does this help at all?

Regards,
Support
Click Studios
sysadmin2 Posted September 22, 2017

Yes, thank you. I had the domain\username listed in the password list even though the domain was specified in the domain field.
support Posted September 22, 2017

Thanks for letting us know.
Sarge Posted September 25, 2017

On 21/09/2017 at 6:04 AM, sysadmin2 said:
    I also had to add: <username> ALL=(ALL) /bin/passwd, /bin/echo

Really depends how your sudoers is set up; out of the box RHEL, CentOS and Mint don't require the above change.

On 21/09/2017 at 8:12 AM, support said:
    FYI it was Sarge who pretty much drove the development of this feature, and provided everything we needed to include it in our software, and we forever thank him for it :)

Shucks. Thanks guys.