Skip to content
/ painless-password-rotation Public
forked from scarolan/painless-password-rotation

Easy and secure password rotation for Linux and Windows system accounts

0 stars 56 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

PX44b9RX9050/painless-password-rotation

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits

docs

docs

 
 

files

files

 
 

policies

policies

 
 

README.md

README.md

 
 

Repository files navigation

Painless Password Rotation with HashiCorp Vault

This guide demonstrates an automated password rotation workflow using HashiCorp Vault and a simple Bash or Powershell script. These scripts could be run in a cron job or scheduled task to dynamically update local system passwords on a regular basis.

NOTE: This is not the be-all and end-all of password rotation. It is also not a PAM tool. It can do the following:

  • Rotate local system passwords on a regular basis
  • Allow systems to rotate their own passwords
  • Store login credentials securely in Vault
  • Ensure that passwords meet complexity requirements
  • Require users to check credentials out of Vault

Prerequisites

  • HashiCorp Vault cluster that is reachable from your server instances. (Inbound TCP port 8200 to Vault)
  • Seth Vargo's most excellent vault-secrets-gen plugin
  • Vault command line configured for your Vault cluster. (Hint: You need to set VAULT_ADDR and VAULT_TOKEN environment variables.)
  • A version 2 K/V secrets backend mounted at systemcreds
  • jq installed on the linux servers

Step 1: Configure Your Policies

The following policies allow 'create' and 'update' rights. This essentially creates a one way door, whereby systems can update their passwords but not read them from Vault.

vault policy write rotate-linux policies/rotate-linux.hcl
vault policy write rotate-windows policies/rotate-windows.hcl

Step 2: Generate a token for each server

vault token create -period 24h -policy rotate-linux -orphan
vault token create -period 24h -policy rotate-windows -orphan

Step 3: Put the token onto each instance

Append the following lines to /etc/environment. The VAULT_NAMESPACE is optional if you have one.

export VAULT_ADDR=https://your_vault.server.com:8200
export VAULT_TOKEN=4ebeb7f9-d691-c53f-d8d0-3c3d500ddda8
export VAULT_NAMESPACE=xxxxx

Windows users should set these as system environment variables.

Step 4: Run the script

./rotate-linux-password.sh -u root -t passphrase
REQUIRED OPTIONS:
-u USERNAME = User to change the password for
-t TYPE = Type of secret to create, this takes either password or passphrase
PASSWORD OPTIONS:
-l PW_LENGTH = Length (int)
-d PW_DIGITS = Amount of digits (int)
-s PW_SYMBOLS = Amount of symbols (int)
-c PW_ALLOW_UPPERCASE = Allow uppercase characters (bool)
-r PW_ALLOW_REPEAT = Allow repetition inside the password (bool)
PASSPHRASE OPTIONS:
-w PH_WORDS = Amount of words (int)
-p PH_SEPARATOR = Separator for the words (string)

.\rotate-windows-password.sh Administrator

Step 5: Log onto the Vault UI and verify that the password was saved successfully

About

Easy and secure password rotation for Linux and Windows system accounts

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 48.6%
  • PowerShell 44.7%
  • HCL 6.7%