Secure method of changing a user's password via Python script/non-interactively

Posted by Matthew Rankin on Server Fault See other posts from Server Fault or by Matthew Rankin
Published on 2010-03-16T13:53:50Z Indexed on 2010/03/16 13:56 UTC
Read the original article Hit count: 468

Filed under:
|
|
|
|

I've created a Python script using Fabric to configure a freshly built Slicehost Ubuntu slice. In case you're not familiar with Fabric, it uses Paramiko, a Python SSH2 client, to provide remote access "for application deployment or systems administration tasks."

One of the first things I have the Fabric script do is to create a new admin user and set their password. Unlike Pexpect, Fabric cannot handle interactive commands on the remote system, so I need to set the user's password non-interactively. At present, I'm using the chpasswd command to change the password. This transmits the password as clear text over SSH to the remote system.

Questions

  1. Is my current method of setting the password a security concern? Currently, the drawback I see is that Fabric shows the password as clear text on my local system as follows:
    [xxx.xx.xx.xxx] run: echo "johnsmith:supersecretpassw0rd" | chpasswd.
    Since I only run the Fabric script from my laptop, I don't think this is a security issue, but I'm interested in others' input.
  2. Is there a better method for setting the user's password non-interactively? Another option, would be to use Pexpect from within the Fabric script to set the password.

Current Code

# Fabric imports and host configuration excluded for brevity
root_password = getpass.getpass("Root's password given by SliceManager: ")
admin_username = prompt("Enter a username for the admin user to create: ")
admin_password = getpass.getpass("Enter a password for the admin user: ")
env.user = 'root'
env.password = root_password
# Create the admin group and add it to the sudoers file
admin_group = 'admin'
run('addgroup {group}'.format(group=admin_group))
run('echo "%{group} ALL=(ALL) ALL" >> /etc/sudoers'.format(
    group=admin_group)
)
# Create the new admin user (default group=username); add to admin group
run('adduser {username} --disabled-password --gecos ""'.format(
    username=admin_username)
)
run('adduser {username} {group}'.format(
    username=admin_username,
    group=admin_group)
)
# Set the password for the new admin user
run('echo "{username}:{password}" | chpasswd'.format(
    username=admin_username,
    password=admin_password)
)

Local System Terminal I/O

$ fab config_rebuilt_slice
Root's password given by SliceManager: 
Enter a username for the admin user to create: johnsmith
Enter a password for the admin user: 
[xxx.xx.xx.xxx] run: addgroup admin
[xxx.xx.xx.xxx] out: Adding group `admin' (GID 1000) ...
[xxx.xx.xx.xxx] out: Done.
[xxx.xx.xx.xxx] run: echo "%admin ALL=(ALL) ALL" >> /etc/sudoers
[xxx.xx.xx.xxx] run: adduser johnsmith --disabled-password --gecos ""
[xxx.xx.xx.xxx] out: Adding user `johnsmith' ...
[xxx.xx.xx.xxx] out: Adding new group `johnsmith' (1001) ...
[xxx.xx.xx.xxx] out: Adding new user `johnsmith' (1000) with group `johnsmith' ...
[xxx.xx.xx.xxx] out: Creating home directory `/home/johnsmith' ...
[xxx.xx.xx.xxx] out: Copying files from `/etc/skel' ...
[xxx.xx.xx.xxx] run: adduser johnsmith admin
[xxx.xx.xx.xxx] out: Adding user `johnsmith' to group `admin' ...
[xxx.xx.xx.xxx] out: Adding user johnsmith to group admin
[xxx.xx.xx.xxx] out: Done.
[xxx.xx.xx.xxx] run: echo "johnsmith:supersecretpassw0rd" | chpasswd
[xxx.xx.xx.xxx] run: passwd --lock root
[xxx.xx.xx.xxx] out: passwd: password expiry information changed.

Done.
Disconnecting from [email protected]... done.

© Server Fault or respective owner

Related posts about python

Related posts about fabric

  • Windows Azure Learning Plan - Application Fabric

    as seen on SQL Blog - Search for 'SQL Blog'
    This is one in a series of posts on a Windows Azure Learning Plan. You can find the main post here. This one deals with the Application Fabric for Windows Azure. It serves three main purposes - Access Control, Caching, and as a Service Bus.   Overview and Training Overview… >>> More

  • fabric and svn password

    as seen on Stack Overflow - Search for 'Stack Overflow'
    Assuming that I cannot run something like this with Fabric: run("svn update --password 'password' .") how's the proper way to pass to Fabric the password for the remote interactive command line? I am not sure, but the svn server we're using might have some restrictions to not allow --non-interactive… >>> More

  • Python Fabric error

    as seen on Stack Overflow - Search for 'Stack Overflow'
    I'm running fabric (Django deployment to apache) and everything seems to work fine until I get to the task for installing the site: def install_site(): "Add the virtualhost file to apache" require('release', provided_by=[deploy, setup]) sudo('cd %(path)/releases/%(release)/%(release);… >>> More

  • How to set target hosts in Fabric file

    as seen on Stack Overflow - Search for 'Stack Overflow'
    I want to use Fabric to deploy my web app code to development, staging and production servers. My fabfile: def deploy_2_dev(): deploy('dev') def deploy_2_staging(): deploy('staging') def deploy_2_prod(): deploy('prod') def deploy(server): print 'env.hosts:', env.hosts env.hosts = [server] … >>> More

  • fabric deploy problem

    as seen on Stack Overflow - Search for 'Stack Overflow'
    Hi, I'm trying to deploy a django app with fabric and get the following error: Alexs-MacBook:fabric alex$ fab config:instance=peergw deploy -H <ip> - u <username> -p <password> [192.168.2.93] run: cat /etc/issue Traceback (most recent call last): File "build/bdist.macosx-10… >>> More