SaltStack .sls file to allow root to log in directly

I’m lazy and I have bad admin habits, like logging into a LINUX server, directly, as root. Worse than that, I like to set the passwords all the same on the systems. But, this is just my Raspberry sandbox network so nobody cares. I wouldn’t dream of such a scheme in production.

But now that I’ve got saltstack running, I can do a little manipulation of two files: /etc/ssh/sshd_config and /etc/shadow. I do this with two separate .sls files in my /srv/salt library.

Allow root direct login

The first one is a simple string search and replace:

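{% set file = '/etc/ssh/sshd_config' %}
# Replace the PermitRootLogin line in sshd_config
{{ file }}:
   file.line:
      - content: "PermitRootLogin yes"
      - match: "PermitRootLogin *"
      - mode: "replace"

# Reload the ssh service only when the file above changes
ssh:
   service.running:
      - reload: True
      - watch:
         - file: {{ file }}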

The very first line is a little bit of Jinja magic: I set a variable to the name of the file that I am working on, so for the rest of the sls I can refer to {{ file }} without worrying about typos. The first stanza looks in “/etc/ssh/sshd_config” for a line matching the “match” pattern and replaces it with the “content” line. If that makes a change, the second stanza, which watches the file, reloads the “ssh” service.
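A quick way to confirm what the state above actually achieved, as an added example that is not part of the original post: sshd uses the first value it obtains for each keyword, so a rewritten line can be shadowed by an earlier active line or by an Include. The function name audit_keyword and both sample configs are constructed for illustration.

```python
import re

# Constructed sample: sshd_config after the state above replaced the commented line.
AFTER_STATE = """\
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
"""

# Constructed sample: an Include and an earlier active line precede the rewritten one.
SHADOWED = """\
Include /etc/ssh/sshd_config.d/*.conf
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""

def audit_keyword(text, keyword="PermitRootLogin"):
    """Report the value sshd would use: the first active global occurrence wins."""
    result = {"value": None, "line": None, "shadowed": [],
              "includes_before": [], "match_overrides": []}
    match_ctx = None  # criteria of the Match block we are inside, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd ignores blank lines and comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip('"') if len(parts) > 1 else ""
        if key == "match":
            match_ctx = arg  # applies to every line until the next Match
        elif key == "include" and match_ctx is None and result["line"] is None:
            result["includes_before"].append(arg)  # may set the keyword first
        elif key == keyword.lower():
            if match_ctx is not None:
                result["match_overrides"].append((lineno, match_ctx, arg))
            elif result["line"] is None:
                result["value"], result["line"] = arg, lineno
            else:
                result["shadowed"].append((lineno, arg))  # never takes effect
    return result  # value None means no active global line was found

if __name__ == "__main__":
    for name, sample in (("after state", AFTER_STATE), ("shadowed", SHADOWED)):
        print(name, audit_keyword(sample))
```

On a live minion, `sshd -T` prints the configuration sshd actually resolved, which is the authoritative check.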

Change root’s password with salt

Then, to complete the process, I like to set root’s password through another .sls file that I call rootpw.sls.

root:
   user.present:
      - password: s3cr3tp4assw0rd
      - hash_password: True

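This sls is simpler. It finds the user “root” and, whatever the current password is, hashes the string “s3cr3tp4assw0rd” and saves THAT as the password. Because hash_password is True, Salt treats the password value as cleartext and hashes it before writing it to /etc/shadow.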

root@salt:~# salt 'ubu*' state.apply login
Summary for ubu1
Succeeded: 2
Failed: 0
Total states run: 2
Total run time: 130.823 ms
ubu2:
          ID: /etc/ssh/sshd_config
    Function: file.line
      Result: True
     Comment: Changes were made
     Started: 13:40:09.601542
    Duration: 41.588 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -31,7 +31,7 @@
                   # Authentication:
                   #LoginGraceTime 2m
                  -#PermitRootLogin prohibit-password
                  +PermitRootLogin yes
                   #StrictModes yes
                   #MaxAuthTries 6
                   #MaxSessions 10
          ID: ssh
    Function: service.running
      Result: True
     Comment: Service reloaded
     Started: 13:40:09.808368
    Duration: 129.785 ms
     Changes:
              ----------
              ssh:
                  True
Summary for ubu2
Succeeded: 2 (changed=2)
Failed: 0
Total states run: 2
Total run time: 171.373 ms
root@salt:~#

So far, these .sls files seem to work on both Raspberry OS and Ubuntu because the file names and formats are the same. I’m sure I will find an .sls that I wrote for Raspbian but breaks when I aim it at Ubuntu.

Stay tuned.
