Mass Password Rotation

  • 30 October 2018
  • 1 reply

I'm looking at the documents about user management of the 'cumulus' account and all it says is you can change the password with 'passwd' or 'sudo passwd' as you would for any normal unix account. However, when dealing with hundreds of switches, such mechanisms are not entirely secure. I can't manually login to hundreds of devices to control administrative access. The 'cumulus' and 'root' accounts become "passwords of last resort" and have to be protected / changed even if I employ some central authentication (e.g. TACACS+, etc)

So the question: Is there a preferred way to programmically change account passwords on hundreds of devices?


1 reply

Userlevel 3
You could do it with an ssh loop over the switches, and the chpasswd command (which takes account and password on stdin).

The root account is locked down by default (disabled passwd locally, and not enabled via ssh either), so that should be OK on CL.

I suspect ansible has some hooks for this also, but I don't know for sure.