@jsumners
Last active October 27, 2017 17:54
Change Well Known Passwords

This is an Ansible playbook for changing default, well-known, or missing passwords on a set of hosts. It first checks whether the target account still has the known password (or no password at all) and only then sets a fresh random one. To use it:

  1. Start a listener on the machine that should collect the results: socat tcp4-listen:8000,fork stdout
  2. Run the playbook: ansible-playbook update_password.pb.yml -e 'user=target_user' -e 'passwd=known_pass' -e 'dest_ip=listener_ip'

If dest_ip is not supplied, the scripts fall back to 10.0.1.5; the listener port is fixed at 8000 in both scripts.

Your listener will receive notifications like:

foo.example.com: NO PASSWORD SET
foo.example.com: some-random-password

The new passwords travel to the listener as cleartext TCP, so run the listener on a host you control and reach it over a network you trust (or tunnel the connection). The listener output is also the only copy of the new passwords, so capture it.
scripts/set_random_password.sh (an Ansible template; the {{ }} expressions are rendered from the -e variables before upload):

```bash
#!/bin/bash
#
# This script is for generating a random password, setting it for a specified
# user, and sending that password to a remote listener.
WHO=$(whoami)
# target user for password change
USER="{{user | default('jdoe')}}"
# listener that collects the results (see README)
RECVR="{{dest_ip | default('10.0.1.5')}}"
PORT=8000
# optional first argument: password length in characters (default 16)
LEN="${1:-16}"

if [ "$WHO" != "root" ]; then
  echo 'need to be root'
  exit 1
fi

# Random password drawn from [A-Za-z0-9_-]: tr keeps only those bytes of
# /dev/urandom and head cuts the stream at LEN characters.
PASS=$(tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c "$LEN")

# chpasswd reads "user:password" lines and rewrites the shadow entry with the
# system's default hash (ENCRYPT_METHOD in login.defs).
if echo "$USER:$PASS" | chpasswd; then
  # Cleartext over TCP: the listener is the only place the new password ends
  # up, so make sure it is running. Some nc variants need -q 1 (traditional)
  # or -N (OpenBSD) to exit once stdin hits EOF.
  echo "$(hostname): $PASS" | nc "$RECVR" "$PORT"
else
  echo "$(hostname): FAILED" | nc "$RECVR" "$PORT"
  # non-zero rc so the playbook task fails instead of reporting success
  exit 1
fi
```
scripts/test_password.sh (an Ansible template; exit code 0 = password differs, 1 = known password or no password set, 2 = could not check):

```bash
#!/bin/bash
#
# This script is used to test a known password against a specified user account.
WHO=$(whoami)
# user whose password to check
USER="{{user | default('jdoe')}}"
# password to check
PASSWD="{{passwd | default('not_so_secret')}}"
RECVR="{{dest_ip | default('10.0.1.5')}}"
PORT=8000

if [ "$WHO" != "root" ]; then
  echo 'need to be root'
  exit 2
fi

# Second field of the shadow entry: "$id$salt$hash", "!!" when no password
# was ever set, or empty if the user does not exist on this host.
shadow=$(getent shadow "$USER" | cut -d':' -f2)
algo=$(echo "$shadow" | cut -d'$' -f2)
salt=$(echo "$shadow" | cut -d'$' -f3)

# crypt(3) takes the stored entry as its "salt" argument and reads the
# algorithm, rounds and salt out of it, so recomputing the hash is one call.
pycheck="$(cat <<'EOF'
import os
import crypt
print(crypt.crypt(os.environ['to_check'], os.environ['the_shadow']))
EOF
)"

case $algo in
  1)
    # md5crypt: openssl can reproduce it from the salt alone
    shadow2=$(echo "$PASSWD" | openssl passwd -stdin -1 -salt "$salt")
    ;;
  5|6)
    # sha256crypt / sha512crypt, including rounds=N entries: use crypt(3)
    export to_check="$PASSWD"
    export the_shadow="$shadow"
    shadow2=$(python -c "$pycheck")
    ;;
  "!!")
    shadow2='no passwd set'
    ;;
  *)
    # covers locked accounts ("!" / "*"), legacy DES and unknown users
    shadow2='unknown algorithm'
    ;;
esac

if [ "$shadow2" == "unknown algorithm" ]; then
  echo "$(hostname): $shadow2 - $algo" | nc "$RECVR" "$PORT"
  exit 2
fi

if [ "$shadow" == "$shadow2" ]; then
  echo "$(hostname): PASS VERIFIED AS SAME" | nc "$RECVR" "$PORT"
  exit 1
elif [ "$shadow2" == "no passwd set" ]; then
  echo "$(hostname): NO PASSWORD SET" | nc "$RECVR" "$PORT"
  exit 1
else
  echo "$(hostname): pass different" | nc "$RECVR" "$PORT"
  exit 0
fi
```
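The shell check above splits the shadow field on `$` and so trips over entries with a `rounds=N` block, treats locked accounts and legacy hashes alike as "unknown algorithm", and never sees an empty field as "no password". The following is an added example, not code from the gist, that parses the shadow(5) password field properly and returns the same exit-code contract the playbook keys on (0 = different, 1 = rotate, 2 = stop and look). It assumes Python's `crypt` module (a crypt(3) binding, present through Python 3.12 and removed in 3.13) and `getent` for the real lookup; the `SAMPLES` entries are constructed filler, not real hashes. It deliberately diverges from the script in two places, both noted in the code: an empty field is treated as "no password set" (rotate), and any locked account, including a `!`-prefixed hash, is reported with rc 2 rather than being rotated (which would unlock it) or silently skipped.

```python
"""Shadow-field triage for the known-password check (added example).

Reproduces the exit codes of test_password.sh / the playbook but parses the
shadow(5) password field fully: rounds=N entries, yescrypt, '!'-prefixed
locked hashes, and the '', '!', '*' markers.
"""
import subprocess

try:
    import crypt  # crypt(3) binding; present through Python 3.12, removed in 3.13
except ImportError:
    crypt = None

PASS_DIFFERENT = 0   # known password does not match: nothing to do
NEEDS_ROTATION = 1   # matches, or no password at all: playbook marks "changed"
CHECK_FAILED = 2     # cannot decide safely: playbook fails the host

# $id$ values glibc/libxcrypt can recompute from the setting string:
# 1 = md5crypt, 5 = sha256crypt, 6 = sha512crypt, y = yescrypt.
KNOWN_IDS = {'1', '5', '6', 'y'}


def parse_shadow_field(field):
    """Break down the second field of a shadow(5) line.

    state: 'unset' ('' = no password required, '!!' = never set),
    'locked' ('!', '*', or a hash prefixed with '!' by passwd -l / usermod -L),
    'hashed' (algo/salt/hash filled in) or 'unknown' (DES, bcrypt, garbage).
    """
    info = {'state': 'unknown', 'algo': None, 'salt': None, 'hash': None}
    if field in ('', '!!'):
        info['state'] = 'unset'
        return info
    if field == '*' or field.startswith('!'):
        info['state'] = 'locked'
        return info
    parts = field.split('$')
    # Well-formed entries split to ['', id, salt, hash],
    # ['', id, 'rounds=N', salt, hash] or ['', 'y', params, salt, hash].
    if len(parts) < 4 or parts[0] != '' or parts[1] not in KNOWN_IDS:
        info['algo'] = parts[1] if len(parts) > 1 else '(no $id$ prefix)'
        return info
    info['algo'] = parts[1]
    if len(parts) == 4:
        info['salt'], info['hash'] = parts[2], parts[3]
    elif len(parts) == 5:
        info['salt'], info['hash'] = parts[3], parts[4]
    else:
        return info  # too many '$' separators: leave as unknown
    info['state'] = 'hashed'
    return info


def recompute(known_password, field):
    """Hash known_password under the account's own setting. crypt(3) reads the
    algorithm, parameters and salt from the stored entry and ignores the hash
    part, so the whole field is passed as the salt argument."""
    try:
        return crypt.crypt(known_password, field)
    except OSError:  # newer CPython raises when crypt(3) returns NULL
        return None


def decide(field, known_password, hasher=recompute):
    """Return (exit_code, message) with the contract of test_password.sh."""
    if field is None:
        return CHECK_FAILED, 'no such user or shadow not readable'
    info = parse_shadow_field(field)
    if info['state'] == 'unset':
        return NEEDS_ROTATION, 'NO PASSWORD SET'
    if info['state'] == 'locked':
        # chpasswd on a locked account would replace the '!'-prefixed hash and
        # so unlock it; failing the host makes the operator look instead.
        return CHECK_FAILED, 'account locked, left untouched'
    if info['state'] == 'unknown':
        return CHECK_FAILED, 'unknown algorithm - %s' % info['algo']
    if hasher is recompute and crypt is None:
        return CHECK_FAILED, 'crypt module unavailable on this interpreter'
    candidate = hasher(known_password, field)
    # libxcrypt signals a setting it cannot handle with '*0' / '*1' tokens,
    # CPython with None; neither may be read as a match or a mismatch.
    if not candidate or candidate.startswith('*'):
        return CHECK_FAILED, 'crypt(3) rejected the stored setting'
    if candidate == field:
        return NEEDS_ROTATION, 'PASS VERIFIED AS SAME'
    return PASS_DIFFERENT, 'pass different'


def read_shadow_field(user):
    """Password field for user via getent, as the shell script does. Needs root
    (or the shadow group); None if the user is missing or shadow unreadable."""
    out = subprocess.run(['getent', 'shadow', user], capture_output=True, text=True)
    if out.returncode != 0 or not out.stdout.strip():
        return None
    return out.stdout.rstrip('\n').split(':')[1]


# Constructed sample entries (the hash parts are filler, not real digests).
SAMPLES = {
    'never_set': '!!',
    'no_password': '',
    'locked_hash': '!$6$saltsalt$' + 'A' * 86,
    'sha512_rounds': '$6$rounds=100000$saltsalt$' + 'B' * 86,
    'yescrypt': '$y$j9T$saltsalt$' + 'C' * 43,
    'des_legacy': 'abJnggxhB/yWI',
}

if __name__ == '__main__':
    for name, field in SAMPLES.items():
        rc, msg = decide(field, 'not_so_secret')
        print('%-14s rc=%d  %s' % (name, rc, msg))
```

Run as root with `decide(read_shadow_field(user), known_password)` to get the rc the playbook expects; the `hasher` parameter exists so the decision logic can be exercised without a crypt(3) binding.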
update_password.pb.yml:

```yaml
- hosts: all
  tasks:
    # The scripts are Jinja templates, so user/passwd/dest_ip passed with -e
    # are rendered into them before upload. Mode 0700 keeps the templated
    # known password from being world-readable while the file sits in /tmp;
    # root (become) can still execute it.
    - name: upload verification script
      template:
        src: scripts/test_password.sh
        dest: /tmp/test_password.sh
        mode: 0700

    # rc 1 = known password or no password set: report "changed" and rotate
    # rc 0 = different password: nothing to do
    # rc 2 = could not check: fail the host
    - name: run verification script
      shell: /tmp/test_password.sh
      become: yes
      register: verify_result
      changed_when: verify_result.rc == 1
      failed_when: verify_result.rc > 1

    - name: remove verification script
      file:
        path: /tmp/test_password.sh
        state: absent

    - name: upload set pass script
      template:
        src: scripts/set_random_password.sh
        dest: /tmp/set_random_password.sh
        mode: 0700
      when: verify_result.rc == 1

    - name: run set pass script
      shell: /tmp/set_random_password.sh
      become: yes
      when: verify_result.rc == 1

    - name: remove set pass script
      file:
        path: /tmp/set_random_password.sh
        state: absent
      when: verify_result.rc == 1
```