Originally published June 19, 2020 @ 1:23 pm
Recently I ran into a situation where hundreds of VMs built via OpenShift/Ansible automation were missing an important local user account used for security audits. While our automation guys were working on tracking down and fixing the build configuration, I needed to add the account manually.
Luckily for me, we also use SaltStack for ad-hoc tasks: a sort of SSH on steroids, if you will. Automation is great when it works right. When it doesn’t, things get screwed up on a massive scale and may require manual intervention.
So, step one was to generate the hash for the default password used by the missing account:
```bash
read -s p   # type your password here and hit enter (it is not echoed)
# The salt must carry the "$6$" prefix (and a trailing "$") for crypt() to
# return an SHA-512 hash that /etc/shadow accepts; the password is handed to
# perl through the environment rather than argv so it does not show up in `ps`.
h="$(p="$p" perl -MPOSIX -le 'chomp($p=$ENV{p}); @i = ("a".."z", "A".."Z", 0..9, ".", "/"); $s .= $i[rand @i] for 1..16; print crypt($p, "\$6\$$s\$");')"
unset p
```
Now we can use Salt to create the user:
```bash
# What the account should look like in /etc/passwd
svcaudit:x:33333:103:System Audit:/home/svcaudit:/bin/bash

# How to add it with Salt (-L takes a comma-separated list of minion IDs)
salt --output=txt -L "$(cat server_list.txt)" user.add svcaudit uid=33333 gid=103 groups=sysadmins home=/home/svcaudit shell=/bin/bash fullname="System Audit"
```
And set the user’s password:
```bash
# Use Salt to propagate the hash to the servers on your list
salt --output=txt -L "$(cat server_list.txt)" shadow.set_password svcaudit "$h"
```
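To show what the crypt() call in the perl one-liner actually computes, and to have a check that can be run on the hash before handing it to shadow.set_password, here is an added example that is not part of the original post: a pure-Python implementation of the SHA-512 crypt ("$6$") scheme following the published SHA-crypt specification, a salt generator that draws from the same 64-character alphabet as the one-liner (using the secrets module instead of perl's rand), a verifier, and a format sanity check that rejects crypt's failure token and plaintext. The function names (make_salt, sha512_crypt, verify_password, looks_like_shadow_hash) are my own; the default of 5000 rounds is the specification's.

```python
"""SHA-512 crypt ($6$) generation and verification in pure Python (added example)."""
import hashlib
import hmac
import secrets

# Alphabet shared by the salt and the hash encoding; the same set the perl one-liner draws from.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000


def make_salt(length: int = 16) -> str:
    """Salt characters from a CSPRNG; the spec uses at most 16 of them."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt's base64 variant: n characters, low 6 bits of the 24-bit word first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """SHA-crypt with SHA-512; returns the full "$6$salt$hash" string."""
    salt_b = salt[:16].encode()
    plen = len(password)
    # Digest B = H(password || salt || password)
    b = hashlib.sha512(password + salt_b + password).digest()
    # Digest A = H(password || salt || B stretched to plen bytes || bit-pattern mix of B/password)
    a = hashlib.sha512(password + salt_b)
    a.update(b * (plen // 64) + b[: plen % 64])
    cnt = plen
    while cnt > 0:
        a.update(b if cnt & 1 else password)
        cnt >>= 1
    a = a.digest()
    # P = H(password repeated plen times), stretched to plen bytes
    dp = hashlib.sha512(password * plen).digest()
    p = dp * (plen // 64) + dp[: plen % 64]
    # S = H(salt repeated 16 + A[0] times), stretched to len(salt) bytes
    ds = hashlib.sha512(salt_b * (16 + a[0])).digest()
    s = ds * (len(salt_b) // 64) + ds[: len(salt_b) % 64]
    # Cost loop: the per-round mixing pattern is what makes the hash slow to brute-force
    for i in range(rounds):
        c = hashlib.sha512(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    # Encode the 64 bytes in the spec's interleaved order: 21 groups of three bytes, then byte 63
    chunks = []
    for k in range(21):
        idx = [k, k + 21, k + 42]
        r = k % 3
        idx = idx[r:] + idx[:r]
        chunks.append(_b64_from_24bit(a[idx[0]], a[idx[1]], a[idx[2]], 4))
    chunks.append(_b64_from_24bit(0, 0, a[63], 2))
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return prefix + salt_b.decode() + "$" + "".join(chunks)


def verify_password(password: bytes, stored: str) -> bool:
    """Recompute from the salt/rounds embedded in a stored hash and compare in constant time."""
    if not stored.startswith("$6$"):
        return False
    fields = stored.split("$")[2:]  # drop the leading '' and '6'
    rounds = DEFAULT_ROUNDS
    if fields and fields[0].startswith("rounds="):
        rounds = int(fields[0][len("rounds="):])
        fields = fields[1:]
    if len(fields) != 2:
        return False
    return hmac.compare_digest(sha512_crypt(password, fields[0], rounds), stored)


def looks_like_shadow_hash(h: str) -> bool:
    """Sanity check before shadow.set_password: reject crypt's "*" failure tokens,
    locked "!" entries and plaintext; accept the glibc MD5/SHA-256/SHA-512 ids."""
    if h.startswith("*") or h.startswith("!"):
        return False
    parts = h.split("$")
    return len(parts) >= 4 and parts[1] in ("1", "5", "6") and all(c in ALPHABET for c in parts[-1])


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Password: ").encode()
    print(sha512_crypt(pw, make_salt()))
```

The output can be cross-checked against `openssl passwd -6 -salt <salt>` with the same salt, and `verify_password` is the same computation a login does against the /etc/shadow entry, so it confirms the hash being pushed is the one intended before it reaches hundreds of hosts.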
Experienced Unix/Linux System Administrator with 20-year background in Systems Analysis, Problem Resolution and Engineering Application Support in a large distributed Unix and Windows server environment. Strong problem determination skills. Good knowledge of networking, remote diagnostic techniques, firewalls and network security. Extensive experience with engineering application and database servers, high-availability systems, high-performance computing clusters, and process automation.