Fudo Secret Manager 2.0 – Linux example

In Fudo 3.11 release the Secret Manager module has been revamped and now it is possible to write universal scripts for virtually every type of Account – even external web-application ones. This article will cover how easy it is to write your own custom Password Changer or Verifier.

Here’s are the prerequisites:

  • Linux server of any kind,
  • A local account with a known password.
  • Fudo version 3.11 release 3.11-55455.

Create Password Changer configuration:

Notes on the configuration above:

  • export LC_ALL=C
    This command forces the system to revert to default locale which in most cases are English. You might check if it is so on your system but 99,999% of the installations adhere to this assumption (except maybe for some country-specific distributions).
  • The Content column contents are treated by Fudo as a regexp expression thus there is a need to escape parenthesis “special” characters, like parenthesis, dots, asterisks and so on. This is how it’s done:
    \( ... \)
  • %%account_secret%%
    This is a user-defined variable which is created as you type – it appears in the variable list the first time it is used in a script; you can assign any configuration option to this variable and here account’s current secret (password) is assigned.
  • You may change the order of the steps (here: steps 1 to 12) just by dragging a particular step vertically – try this! 8^)

How it works?

  • Fudo logins the Account using the current secret stored in the configuration. This means the Account has to be configured with the original password before you run this Password Changer for the first time – otherwise, Changer won’t be able to connect and run 12 steps configured.
  • The current password secret (password) is kept in Fudo’s user database thus it can be revealed in Portal. You can decide which user has this ability by clicking username in Safe configration and choosing “Reveal password”. NOTE: This setting is local to every Safe – if you want for the user to have this ability you have to change user’s Reveal Password setting in every user it belongs to. In 3.11 it is done in Users tab by clicking the “key” icon:

Here is the example configuration for Account that uses this Password Changer:

As you can see, you can verify all the variables Secret Manager uses when running Password Changer and view the Changer steps itself. Note: a policy “27 chars 2 min” was chosen which basically changes password every two minutes and does not use any Verifier.

Pros and cons:

  • PRO: You can use this Changer without access to server’s root user (or user allowed to run sudo).
  • CON: The Account password needs to be known before using this Password Changer.
  • CON: If the user changes Account’s password while connected Fudo will not be able to run this Password Changer anymore since the secret it “knows” is now different to the actual Account password. But hey, this is just an example… (Use Events Log to confirm this Password Changer working correctly.)
  • NOTE: There is no Verifier example but we assume that writing your own is now trivial. You may use the Copy button to duplicate the Changer and turn it into Verifier.