Ships password rotation
wordpress meta
title: 'SHIPS Password Rotation'
date: '2019-08-12T11:21:28-05:00'
status: publish
permalink: /ships-password-rotation
author: admin
excerpt: ''
type: post
id: 1399
category:
- SHIPS
tag: []
post_format: []
As explained on the project website, SHIPS provides "unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts".
I tested, as a proof of concept, how to:
- set up a SHIPS server on CentOS 7
- configure a SHIPS folder and ACLs for devices
- have a Linux client execute SetAdminPass.sh for password rotation
Note that I simplified this test so the following was true:
- no LDAP enabled for user logins to the web interface (no identLDAP.rb)
- devices not tested as belonging to an LDAP OU (only using lib devicevalidatorany.rb)
- used Ansible as much as possible to prepare the SHIPS server
- a self-signed certificate means the client SetAdminPass.sh needs --insecure with curl to even work
- did not try to autostart the SHIPS code on server reboot
So suffice it to say, you were warned: this is not a secure and correct way to run SHIPS; it is a way to test the basics!
The final run, after the Ansible playbook was ironed out, went like this:
Download and unzip my file containing the Ansible playbook ships.yml plus the conf, ships.cert and ships.key files into /usr/src/ships-playbook. Update the conf file with the correct IP address.
```
# yum install ansible -y
# cd /usr/src/ships-playbook/
[root@ships ships-playbook]# rm -rf /opt/SHIPS ; ansible-playbook ships.yml
# cd /opt/SHIPS
[root@ships SHIPS]# ruby -r ./lib/identsqlite -r ./lib/identdevice -r ./lib/devicevalidatorany SHIPS.rb
```
- *From the above Ansible output, capture the password for the SHIPS administrator user named root. Visit https://ip.addr.ess and log in with the root user and that password.*
- For folder and ACL configuration, watch that section of the video located here: https://www.trustedsec.com/2016/03/ships-version-2-released-major-release/
- I made some changes to the client SetAdminPass.sh script, as shown below.
```
# Changed lines from the client SetAdminPass.sh script (not the complete script;
# HOST and NONCE are set elsewhere in it).
URL='https://192.168.1.98/password'
#URL_OPTS=""
# Disabled request line: the shell reads "$URL_OPTSname" as a variable called
# URL_OPTSname (empty), not as URL_OPTS followed by "name", so the name parameter is lost.
#RESPONSE=$( curl $CURL_OPTS -s "$URL?$URL_OPTSname=$HOST&nonce=$NONCE" )
RESPONSE=$( curl $CURL_OPTS -s "$URL?name=$HOST&nonce=$NONCE" )
#CURL_OPTS=''
CURL_OPTS='--insecure ' #DON'T DO THIS! (skips TLS verification of the self-signed certificate)
HISTORY='/var/run/SHIPS.HIST'
```
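The following is an added example, not the SHIPS project's SetAdminPass.sh and not code from this post: it shows the request-building and reply-checking steps of a SHIPS-style client written to avoid the two problems in the snippet above, the `$URL_OPTSname` expansion and the blanket `--insecure`. It keeps the post's URL and HISTORY values, but the certificate path `SHIPS_CA`, the nonce format produced by `make_nonce`, the assumption that the server replies with a single-token password, and the `rotate_root_password` flow through `chpasswd` are all assumptions of this example, not facts taken from the SHIPS client.

```shell
#!/bin/sh
# Added example, not the SHIPS project's SetAdminPass.sh: request building and
# reply checking for a SHIPS-style client, avoiding "$URL_OPTSname" and --insecure.

URL='https://192.168.1.98/password'          # server URL from the post
HISTORY='/var/run/SHIPS.HIST'                # history file from the post
# Assumption (not from the post): the client holds a copy of the server's
# self-signed ships.cert at this path so curl can verify the server.
SHIPS_CA='/etc/pki/tls/certs/ships.cert'

# Build the query string. "$URL_OPTSname=" would expand a variable named
# URL_OPTSname (empty) and drop the name parameter; "${URL_OPTS}name=" does not.
build_query() {
    url_opts=$1 host=$2 nonce=$3
    printf '%s' "${url_opts}name=${host}&nonce=${nonce}"
}

# Random 32-hex-character nonce (hypothetical; the real script's format is not shown).
make_nonce() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Pick curl's TLS options: pin trust to the SHIPS certificate when it is present,
# otherwise fall back to the post's lab-only --insecure.
tls_opts() {
    ca=$1
    if [ -r "$ca" ]; then
        printf '%s' "--cacert $ca"
    else
        printf '%s' '--insecure'             # DON'T DO THIS outside a throwaway lab
    fi
}

# Accept the server reply only if it is one non-empty token with no whitespace
# or control characters; anything else must never be piped into chpasswd.
validate_secret() {
    secret=$1
    [ -n "$secret" ] || return 1
    case $secret in
        *[[:space:]]*|*[[:cntrl:]]*) return 1 ;;
    esac
    return 0
}

# Assemble the full curl command line without running it (dry run).
request_cmd() {
    host=$1 nonce=$2
    printf '%s' "curl $(tls_opts "$SHIPS_CA") -s \"${URL}?$(build_query '' "$host" "$nonce")\""
}

# Fetch, validate, then set the local root password. Only runs when called.
rotate_root_password() {
    nonce=$(make_nonce)
    # tls_opts is deliberately unquoted so "--cacert path" splits into two words
    response=$(curl $(tls_opts "$SHIPS_CA") -s "${URL}?$(build_query '' "$(hostname)" "$nonce")") || return 1
    validate_secret "$response" || { echo "rejected server reply" >&2; return 1; }
    printf 'root:%s\n' "$response" | chpasswd || return 1
    # record that a rotation happened (and its nonce), never the secret itself
    printf '%s nonce=%s\n' "$(date +%FT%T)" "$nonce" >> "$HISTORY"
}

if [ "${1:-}" = "--dry-run" ]; then
    request_cmd "$(hostname)" "$(make_nonce)"; echo
fi
```

Run it with `--dry-run` to see the exact curl command it would issue; with ships.cert copied to the `SHIPS_CA` path, the command uses `--cacert` and the self-signed certificate no longer forces `--insecure`.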
LINKS:
- https://github.com/trustedsec/SHIPS/
- https://www.trustedsec.com/2016/03/ships-version-2-released-major-release/
- https://github.com/trustedsec/SHIPS/blob/master/doc/SHIPS_Installation_v2.pdf