Managing account passwords
In most managed environments, workstations will all have either the same root password, or an admin account with a common password. This allows support personnel to access any machine they support and perform admin tasks. A problem arises when it is necessary or desirable to change the password on these admin accounts. If each machine must be visited individually in order to change the password, it probably won't happen very often, if at all. Here's one way to ensure password consistency...
You'll need to deliver a script to /etc/periodic/daily/. I use radmind; you could use scp or Apple Remote Desktop or Timbuktu, or NetOctopus, or FileWave, or ...

The script must be owned by root and have the executable bit set. Since it contains an encrypted password, I recommend chmod 700 so it is only readable by root.
Here's the script:

#!/bin/sh
# Set the admin account's password to the desired (encrypted) value.
niutil -createprop . /users/name=XXXXX passwd YYYYY
exit 0
XXXXX is the short name of the admin account. If you don't know the short name, log in as the admin account, open Terminal, and type 'whoami'.
YYYYY is the encrypted password. To generate this, in Terminal, use the openssl passwd command:

[localhost:~] admin% openssl passwd Mypswd1
EACXL1BcAq0hU

You would then use EACXL1BcAq0hU as the encrypted password for "Mypswd1" in the script.
Name the script something like 700.passwordMaintenance and put it in /etc/periodic/daily. It will run as part of the daily maintenance tasks, which typically run at 3:15 AM every day. Machines that are off or asleep at this time will never run the script. Anacron might be an option - it can run scripts that were missed when a machine was off or asleep.
An alternative would be to write this script as a StartupItem, which means it would run at every restart. In practice, I do both - I have the script run as a periodic task, and I have a custom StartupItem also run the script.
Since it is a periodic task, not only does it change the password, but it will keep it set to your desired password even if someone else changes it. This could be a good thing, or a bad thing, depending on your point of view.
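Here is an added example, not the post's own script, of the same periodic task written so that it only rewrites the password when the stored value has drifted, and logs each reset so a change made by someone else shows up in the system log rather than being silently undone. It assumes the 10.2-era NetInfo tools (niutil); the NIUTIL variable is a constructed hook so the logic can be exercised without NetInfo, and XXXXX/YYYYY are placeholders exactly as in the post.

```shell
#!/bin/sh
# Added example, not the original post's script: an idempotent variant of the
# periodic password-maintenance task. It reads the account's stored crypt hash
# from NetInfo, rewrites it only when it has drifted from the desired value,
# and logs each reset so a change made by someone else becomes visible.
# Assumes the 10.2-era NetInfo tools (niutil); XXXXX/YYYYY are placeholders.

ADMIN_USER="${ADMIN_USER:-XXXXX}"       # short name of the admin account
DESIRED_HASH="${DESIRED_HASH:-YYYYY}"   # output of: openssl passwd <password>
NIUTIL="${NIUTIL:-niutil}"              # command (or function) to use

# A traditional crypt(3) hash is exactly 13 characters from [A-Za-z0-9./].
# Rejecting anything else catches the classic mistake of pasting the plaintext
# password, or leaving the placeholder, into the script.
valid_crypt_hash() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9./]{13}$'
}

# Print the hash currently stored for the account (empty if unreadable).
current_hash() {
    "$NIUTIL" -readprop . "/users/name=$1" passwd 2>/dev/null
}

# Enforce the desired hash. Returns 0 if it had to reset the password,
# 1 if the stored hash already matched, 2 if the desired hash is malformed.
enforce_password() {
    user="$1"
    want="$2"
    if ! valid_crypt_hash "$want"; then
        echo "passwordMaintenance: refusing to store '$want': not a crypt hash" >&2
        return 2
    fi
    have=$(current_hash "$user")
    [ "$have" = "$want" ] && return 1
    # Drift detected: record it, then put the desired hash back.
    logger -t passwordMaintenance "resetting passwd for $user (stored hash was '$have')" 2>/dev/null || :
    "$NIUTIL" -createprop . "/users/name=$user" passwd "$want"
}

# Entry point for the periodic task; a no-op until the placeholders are
# replaced, so the unedited file is safe to distribute.
if valid_crypt_hash "$DESIRED_HASH"; then
    enforce_password "$ADMIN_USER" "$DESIRED_HASH"
else
    echo "passwordMaintenance: DESIRED_HASH is not set; nothing done" >&2
fi
```

Because a reset is logged only when the stored hash differs, grepping the system log for the passwordMaintenance tag tells you which machines had their admin password changed out from under you, and when.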
This may break in 10.3 Panther, depending on whether the machine was upgraded from Jaguar, and on whether the affected accounts use the new shadow password scheme. I expect to be able to fix it with a revised script, but haven't had time to test yet.
Posted: Sat - November 15, 2003 at 09:28 PM