SaltStack .sls file to allow root to log in directly

I’m lazy and I have bad admin habits, like logging into a LINUX server, directly, as root. Worse than that, I like to set the passwords all the same on the systems. But, this is just my Raspberry sandbox network so nobody cares. I wouldn’t dream of such a scheme in production.

But now that I’ve got saltstack running, I can do a little manipulation of two files: /etc/ssh/sshd_config and /etc/shadow. I do this with two separate .sls files in my /srv/salt library.

Allow root direct login

The first one is a simple string search and replace:

{% set file = '/etc/ssh/sshd_config' %}
{{ file }}:
file.line:
   - content: "PermitRootLogin yes"
   - match: "PermitRootLogin *"
   - mode: "replace"
ssh:
   service.running:
      - reload: True
      - watch:
      - file: {{ file }}

The very first line is a little bit of jinja magic. I set a variable to the name of the file that I am working on. For the rest of the sls, I can refer to {{ file }} without worrying about typos. Essentially what I’m doing in the first paragraph is looking in the file “/etc/ssh/sshd_config” for the string that is called “match” and replacing it with the line called “content”. If we do happen to make a change, the second paragraph restarts the service “sshd”.

Change root’s password with salt

Then, to complete the process, I like to set root’s password through another .sls file that I call rootpw.sls.

root:
   user.present:
      - password: s3cr3tp4assw0rd
      - hash_password: True

This sls is more simple. Search for the user “root”, and no matter his current password, hash the string “s3cr3tp4assw0rd” and save THAT as his password.

root@salt:~# salt 'ubu*' state.apply login
Summary for ubu1
Succeeded: 2
Failed: 0
Total states run: 2
Total run time: 130.823 ms
ubu2:
ID: /etc/ssh/sshd_config Function: file.line Result: True Comment: Changes were made Started: 13:40:09.601542 Duration: 41.588 ms Changes: ---------- diff: --- +++ @@ -31,7 +31,7 @@ # Authentication: #LoginGraceTime 2m -#PermitRootLogin prohibit-password +PermitRootLogin yes #StrictModes yes #MaxAuthTries 6
#MaxSessions 10
ID: ssh Function: service.running Result: True Comment: Service reloaded Started: 13:40:09.808368 Duration: 129.785 ms Changes: ---------- ssh: True
Summary for ubu2
Succeeded: 2 (changed=2)
Failed: 0
Total states run: 2
Total run time: 171.373 ms
root@salt:~#

So, far, these .sls files seems to work on both Raspberry OS and Ubuntu because the file names and formats are the same. I’m sure I will find an .sls that I wrote for Raspbian but breaks when I aim it at Ubuntu.

Stay tuned.

Author: John

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.