Reset root password with different account

sysadmin2

Hello,

I would like to use the reset root password option for Linux hosts (when they expire or after a check-out). There is only one problem: in my environment, root is not permitted to log in through SSH. I am wondering if it is possible to specify a privileged account to SSH in with and then reset the root password?

Thanks.

Hi sysadmin2,

We have included support for this type of scenario in Passwordstate 8. If you are running this version then you should be able to use section 13 of the document below to help you set your system up correctly:

https://www.clickstudios.com.au/downloads/version8/Password_Discovery_Reset_and_Validation_Requirements.pdf

If you need to upgrade, please use this document, as you will need to be on the latest version: https://www.clickstudios.com.au/downloads/version8/Upgrade_Instructions.pdf

I hope this helps; can you let us know how you go?

Thanks,

Support

Hi,

Yes, it's possible. It's far easier if you use LDAP or IPA.

You'll need to add the following lines to sudoers.

Where <username> is the username of the priv account to handle the resets:

##Request root password for user <username> for Passwordstate validation scripts.
Defaults:<username> rootpw

Next...

  1. Create a Linux host which can be used to reset the Priv Account credentials when they expire. (Assuming they do expire; ours do, so we reset our priv account creds 10 days prior to its actual expiration date.)
  2. Create the credentials for the priv account in a Password List enabled for password resets, link the creds to the host created above, and enable resets.
  3. Make sure validation and reset status have worked. Assuming they have, keep going with step 4.
  4. Create a priv account in Passwordstate > Administration > Privileged Account Credentials, and link it to existing credentials. (Created step 2)
  5. Create the host for which you want to reset root password.
  6. In a Password List enabled for resets, create the current root users credentials; enable them for validation and resets. On the reset options tab ensure you select the Priv Account you created previously. On the heartbeat options tab ensure you tick "Use the Privileged Account Credential selected on the 'Reset Options' tab to perform the authentication for this validation (only used for Linux root accounts if required): "

As soon as you click save it will go off and reset the root password; assuming you've done everything correctly, it'll go through without an issue.
Details can also be found in the user manual.

Make sure you've tested against your dev environment prior to implementing in production.

Thanks for the feedback - I was able to get this working; the only thing that was missing was specifying the user account and command to be run in the sudoers file.

Along with adding:

##Request root password for user <username> for Passwordstate validation scripts.
Defaults:<username> rootpw

I also had to add:

<username> ALL=(ALL) /bin/passwd, /bin/echo

The above step may be a given though, depending on who is setting the configuration.

There is one other problem that I am experiencing. I am trying to link a privileged account to an account from a password list that is enabled for resets, but the only option I have in the dropdown is: -- Not Required --

Am I missing a permission that allows the account to be linked? If so, I cannot find where to set it.

Thanks again for the help.

Screenshot_20170920_153359.png
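The two sudoers pieces in this thread (Sarge's `Defaults:<username> rootpw` line and the command restriction sysadmin2 added) are easy to get wrong by hand, and a malformed sudoers file locks everyone out of sudo. The script below is an added example written for this thread; it is not Passwordstate's own tooling or anything published by Click Studios. It generates the fragment for a given account, syntax-checks it with `visudo -c`, and only then installs it. The account name `psreset`, the drop-in path under /etc/sudoers.d (the thread edits sudoers directly) and the username character check are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Passwordstate): build, check and
# install the sudoers drop-in the thread describes for the privileged reset account.
# Assumptions: a drop-in under /etc/sudoers.d, and visudo available for the check.

# Print the sudoers fragment for one privileged account.
#   $1 = account name (the thread's <username>)
#   $2 = "restrict" to also emit the command restriction sysadmin2 needed;
#        Sarge notes that stock RHEL, CentOS and Mint do not need it.
# "Defaults:<user> rootpw" makes sudo ask for root's password (the one the
# password manager holds) instead of the invoking user's own password.
render_sudoers_fragment() {
    user="$1"
    mode="${2:-}"
    # Refuse names that could smuggle extra sudoers syntax into the file.
    case "$user" in
        "" | *[!A-Za-z0-9._-]*)
            echo "render_sudoers_fragment: invalid username '$user'" >&2
            return 1 ;;
    esac
    printf '## Request root password for user %s for Passwordstate validation scripts.\n' "$user"
    printf 'Defaults:%s rootpw\n' "$user"
    if [ "$mode" = "restrict" ]; then
        # Least privilege: only the commands the reset script runs, as in the thread.
        printf '%s ALL=(ALL) /bin/passwd, /bin/echo\n' "$user"
    fi
}

# Syntax-check a candidate fragment before it can break sudo for every user.
# Returns 0 if visudo accepts it, 1 if it rejects it, 2 if visudo is not installed.
check_sudoers_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -q -f "$1"
}

# Write, check and install the drop-in with the 0440 mode sudo requires.
# Must run as root. Destination defaults to an assumed path under /etc/sudoers.d.
install_sudoers_fragment() {
    user="$1"
    mode="${2:-}"
    dest="${3:-/etc/sudoers.d/passwordstate-$user}"
    tmp=$(mktemp) || return 1
    if ! render_sudoers_fragment "$user" "$mode" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    check_sudoers_fragment "$tmp" && rc=0 || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "install_sudoers_fragment: visudo rejected the fragment, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ "$rc" -eq 2 ]; then
        echo "install_sudoers_fragment: visudo not found, skipping syntax check" >&2
    fi
    if install -m 0440 -o root -g root "$tmp" "$dest"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: show the fragment for a constructed account name (nothing is installed here).
render_sudoers_fragment psreset restrict
```

Run `install_sudoers_fragment psreset restrict` as root on a test host first, as Sarge advises; drop the `restrict` argument on distributions whose default sudoers already permits the reset commands.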

Thanks Sarge for helping, and great to see you got it working sysadmin2.

FYI it was Sarge who pretty much drove the development of this feature, and provided everything we needed to include it in our software, and we forever thank him for it :)

The new issue you have is an easy one to fix. If you go to Administration -> Privileged Account Credentials you'll be able to grant yourself (and anyone else that wants to be able to use it) permissions from the Actions Menu, as per the screenshot below. After you do this you'll be able to select it in your Password Record. Hope this helps.

2017-09-21_8-10-11.png

Yes, I already have permission to this privileged account. I am trying to link it to a password record which is enabled for password resets. However, I do not have any options when I choose the Link To Password dropdown.

This is off-topic from my original post; please let me know if I should create a new thread.

Thanks.

Sorry sysadmin2,

I read your post too quickly and was thinking you were talking about a different area :(

As long as the username in your Privileged Account screen matches that of a separate Password Record that you have access to, and that Password Record is enabled for resets, then you should be able to select it from this drop down list. Here are some screenshots to help:

2017-09-21_12-02-11.png

2017-09-21_12-02-37.png

Does this help at all?

Regards,

Support
Click Studios

On 21/09/2017 at 6:04 AM, sysadmin2 said:

I also had to add:

<username> ALL=(ALL) /bin/passwd, /bin/echo

Really depends how your sudoers is set up; out of the box RHEL, CentOS and Mint don't require the above change.

On 21/09/2017 at 8:12 AM, support said:

FYI it was Sarge who pretty much drove the development of this feature, and provided everything we needed to include it in our software, and we forever thank him for it :)

Shucks. Thanks guys.