I am the administrator for a large network of HP/UX servers, about 100, this will be growing to over 200 in the next 18 months, part of my duties are to change the root passwords on these machines once month... which is a pain. I have written a script that will generate random passwords for me and print them out so that I do not have to think of and write down the passwords for safe keeping.
Yep, you guessed the next question... how can I pass the passwords to a script which will change them automatically on each machine?
I have done quite a bit of looking into this and found one answer is to use the GNU expect binary, but I am having difficulties getting the binary working on our servers, should I not get it working does any one have any ideas?
Please note that company policy does not allow me to use remote shells, psuedo root users and none expiring accounts.
If the company wants all the security -then show them that the only way to do what they want is with a 3rd party security package.
OR
You could use a NIS root account - this is how -
You have your normal root account which has it's info in /etc/passwd (and shadow). If the server looks at NIS before files, then you could have an NIS root account - one password for all servers (yes, drawbacks to that too!). If NIS was unavailable, you would have to know what the server's local root password is to log in or su to root.
To change passwords on all servers requires setting up some type of allowed access - there is a 'free' product called cfengine which worked well (although our site lost 46 servers in one minute due to a bug {which was fixed but we never used it again}). Another way is if you have programming knowledge is to write your own.
My own opinion is with the 3rd party software. I've seen it work and it makes it easy to use (this was on a mix of Solaris and HP servers). I think RSA Security makes/sells it.