Ships password rotation

wordpress meta

title: 'SHIPS Password Rotation'
date: '2019-08-12T11:21:28-05:00'
status: publish
permalink: /ships-password-rotation
author: admin
excerpt: ''
type: post
id: 1399
category:
    - SHIPS
tag: []
post_format: []

As the project website explains, SHIPS provides "unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts".

As a proof of concept, I tested how to:

  • set up a SHIPS server on CentOS 7
  • configure a SHIPS folder and the ACLs for devices
  • run SetAdminPass.sh on a Linux client for password rotation

Note that I simplified this test, so the following was true:

  • no LDAP for user logins to the web interface (identLDAP.rb not used)
  • devices not checked for membership in an LDAP OU (only lib/devicevalidatorany.rb used)
  • used Ansible as much as possible to prepare the SHIPS server
  • the self-signed certificate means the client SetAdminPass.sh needs --insecure on its curl call to work at all
  • did not try to autostart the SHIPS code on server reboot

Suffice it to say, you have been warned: this is not a secure or correct way to run SHIPS, it is a way to test the basics!

The final run, after ironing out the Ansible playbook, looks like this:

Download and unzip my file containing the Ansible playbook ships.yml plus the conf, ships.cert and ships.key files into /usr/src/ships-playbook. Update the conf file with the correct IP address.

```
# yum install ansible -y
# cd /usr/src/ships-playbook/
[root@ships ships-playbook]# rm -rf /opt/SHIPS ; ansible-playbook ships.yml
# cd /opt/SHIPS
[root@ships SHIPS]# ruby -r ./lib/identsqlite -r ./lib/identdevice -r ./lib/devicevalidatorany SHIPS.rb
```

  • From the Ansible output above, capture the password for the SHIPS administrator user named root. Visit https://ip.addr.ess and log in as root with that password.
  • For the folder and ACL configuration, watch that section of the video at https://www.trustedsec.com/2016/03/ships-version-2-released-major-release/
  • I made some changes to the client SetAdminPass.sh script, shown below.

```
# Changed lines in SetAdminPass.sh (excerpts only; the original lines are left commented out)
URL='https://192.168.1.98/password'
#URL_OPTS=""

#RESPONSE=$( curl $CURL_OPTS -s "$URL?$URL_OPTSname=$HOST&nonce=$NONCE" )
RESPONSE=$( curl $CURL_OPTS -s "$URL?name=$HOST&nonce=$NONCE" )

#CURL_OPTS=''
CURL_OPTS='--insecure ' # DON'T DO THIS! It disables TLS certificate verification.

HISTORY='/var/run/SHIPS.HIST'
```

LINKS:

  • https://github.com/trustedsec/SHIPS/
  • https://www.trustedsec.com/2016/03/ships-version-2-released-major-release/
  • https://github.com/trustedsec/SHIPS/blob/master/doc/SHIPS_Installation_v2.pdf
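The `--insecure` change to SetAdminPass.sh above is the weak point of this setup. As an added example (not code from the post or from the SHIPS project), here is a hardened version of that request: it verifies the self-signed server certificate with `--cacert` instead of turning verification off, refuses to run if `CURL_OPTS` still carries `--insecure`, and percent-encodes the `name` and `nonce` query values. The certificate path `/usr/src/ships-playbook/ships.cert` is an assumption taken from the playbook directory.

```shell
#!/bin/sh
# Added example, not from SetAdminPass.sh or the SHIPS project: a hardened
# version of the client's password-rotation request. It verifies the server's
# self-signed certificate with --cacert instead of disabling verification
# with --insecure, and percent-encodes the query parameters.
# Assumed: the server cert from the playbook dir is readable at SHIPS_CA.

SHIPS_URL="${SHIPS_URL:-https://192.168.1.98/password}"
SHIPS_CA="${SHIPS_CA:-/usr/src/ships-playbook/ships.cert}"   # assumed path

# Percent-encode one query value (ASCII input; portable sh, no bash-isms).
urlencode() {
  s=$1 out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}       # first character
    s=${s#?}              # remainder
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the request URL the way SetAdminPass.sh does (name= and nonce=),
# but with both values encoded so a host name cannot alter the query string.
ships_query_url() {
  printf '%s?name=%s&nonce=%s' "$SHIPS_URL" "$(urlencode "$1")" "$(urlencode "$2")"
}

# Return 1 if the curl options would disable certificate verification.
check_curl_opts() {
  case " $1 " in
    *" --insecure "*|*" -k "*) return 1 ;;
  esac
  return 0
}

# Fetch the new password for host $1 with nonce $2; fails closed rather than
# silently talking to an impostor server.
fetch_ships_password() {
  check_curl_opts "$CURL_OPTS" || { echo "refusing to run with --insecure" >&2; return 1; }
  # shellcheck disable=SC2086
  curl $CURL_OPTS --cacert "$SHIPS_CA" -s --fail "$(ships_query_url "$1" "$2")"
}
```

Drop this in place of the `RESPONSE=$( curl ... )` line as `RESPONSE=$( fetch_ships_password "$HOST" "$NONCE" )` and copy ships.cert to the client once; the client then pins the server's certificate instead of trusting any certificate.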