Using ZENworks Linux Management 7.2 to Change the Root Password on All Managed Systems


By Mike Friesenegger



Novell's Mike Friesenegger was asked by a customer to propose a way to change the root password on a large number of systems that they manage. His solution was to use the text policy in ZLM 7.2 to modify the password for root. Here is exactly how he did it.



DISCLAIMER: Please read and understand this whole document before attempting on any of your systems. You are playing with the root password!!



I was asked by a customer to propose a way to change the root password on a large number of systems that they manage. My solution was to use the text policy in ZLM 7.2 to modify the password for root.



The assumption that I make in this document is that all of the managed systems currently have the same root password. You should be able to modify this document a bit if you have different root passwords across all of the managed systems.



Here's how I did it.




You will need to determine what the current password hash is for root. The easiest way is to "grep root /etc/shadow". The current password hash in this example is "syCU5sIQe3ykw".



You will also need to generate a new hash. Use the mkpasswd command. In the example, I typed "mkpasswd password" and the hashed version of "password" is "0mtYQ5X0S21VQ".



The old and new hashes will be used to create the text file policy.







Open the ZENworks Control Center and create a new Text File Policy.







Name the policy and give it a description if you like.








Here are the file details and change details that you will need to add to your policy. Notice the search string and the new string fields contain the hashes from above.



I use the "^" at the beginning of the search string to make sure that my search begins at the start of each line in the shadow file. I want to guarantee that I am finding the root user!



One more thing to point out: I have set the maximum number of versions to retain to 5. This is great for putting "humpty-dumpty back together again" if the password change does not work as expected while doing your testing of the policy.





No pre-change and post-change options necessary.





Here is the summary page of the text file policy.





Next, let's assign the policy to a test server to perform a test. I assume you know how to assign a device to the policy so I am not going to explain this step-by-step.



NOTE: Be sure to set the schedule type to "Relative to Refresh" for the test. This makes it easy to see if the policy works. You will probably want to schedule a specific time to enforce the policy for your production servers.





Let me suggest that you log into the test server before forcing a refresh of the ZLM agent. This is a precaution just in case the password change does not work properly. You will be able to copy the retained version of /etc/shadow back to repeat the test.



Type "grep root /etc/shadow" before the refresh. You should see the old hash.



Click on Refresh Server.



To verify that the change worked, repeat "grep root /etc/shadow" and you should see the new hash.
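
A rehearsal of the edit this policy makes, as an added example that is not part of the original article: it runs against a constructed copy of a shadow file, shows why the "^" anchor matters, and refuses to produce output unless exactly one root line carries the old hash. The search-string form `root:<hash>`, the sample users and the function names are assumptions; the two hashes are the ones from the article.

```sh
#!/bin/sh
# Added example (not from the article): rehearse the policy's edit on a COPY
# of /etc/shadow. The sample file is constructed; the hashes are the article's.

# Write a constructed shadow file. "webroot" shares root's old hash to show
# what an unanchored search for "root:<hash>" would also hit.
make_sample() {
    cat > "$1" <<'EOF'
root:syCU5sIQe3ykw:13900:0:99999:7:::
bin:*:13900:0:99999:7:::
webroot:syCU5sIQe3ykw:13900:0:99999:7:::
EOF
}

# count_matches FILE REGEX -> number of lines the search string would match.
count_matches() {
    grep -c -- "$2" "$1" || true
}

# swap_root_hash FILE OLD NEW -> rewritten file on stdout.
# Compares fields as literal strings, so "." or "/" in a hash cannot act as
# regex or delimiter characters. Returns 1 unless exactly one line changed.
swap_root_hash() {
    out=$(awk -v old="$2" -v new="$3" '
        BEGIN { FS = OFS = ":" }
        $1 == "root" && ($2 "") == (old "") { $2 = new; hits++ }
        { print }
        END { exit (hits == 1 ? 0 : 1) }
    ' "$1") || return 1
    printf '%s\n' "$out"
}

# Demo on a temporary copy; nothing under /etc is touched.
OLD=syCU5sIQe3ykw
NEW=0mtYQ5X0S21VQ
tmp=$(mktemp)
make_sample "$tmp"
echo "unanchored matches: $(count_matches "$tmp" "root:$OLD")"
echo "anchored matches:   $(count_matches "$tmp" "^root:$OLD")"
swap_root_hash "$tmp" "$OLD" "$NEW" | diff "$tmp" - || true
rm -f "$tmp"
```

Pointing `swap_root_hash` at a root-only copy of a real /etc/shadow shows the outcome on that system before the policy is assigned; a non-zero return means the old hash was not found on the root line.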


