Updating the root password on 4000+ Linux servers
I would not allow remote login for root; instead I assign sudo permissions to some normal accounts so that they can act as root.
A password policy can be applied to these normal accounts, so they have to change their password when needed.
This is actually what I'm going to be doing very soon. It's going to take some time because of the number of servers I have to work with, but in the end it will be worth it. When someone breaks something, the audit trail will be much easier to follow. Once this has been implemented and nobody has complained, I will then try to actually pull root access from everyone and use only sudo.
I just recently completed this task and switched all secondary (e.g. application) admins to sudo. Our team basically told everyone who wished to have the password that their home and cell phone numbers would be on the call-out list should anything happen to the server. That stopped all root password requests pretty quickly.
As for root password changes, we currently have a management server that has public-key access to all servers using dssh (http://pvid.net/w/index.php/DSSH). Eventually we'll probably phase it out in favour of Red Hat Satellite.
True....I'd not put root under LDAP either. Root under LDAP is a bad idea, and I probably wouldn't have suggested it, if I wasn't so tired yesterday.
I would not recommend this. If your LDAP system is down, then so is your root access. I'd recommend appropriate sudo access with something like rootsh. I'm sure that with a good for-loop and ssh/sudo access you could probably reset some passwords.
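As an added example (not code from the thread or from any poster), here is the "for-loop plus ssh/sudo" approach the reply above sketches, written to avoid the two mistakes that approach invites at scale: putting the password on a remote command line (where it lands in `ps` output and shell history on 4000 machines) and pushing a plaintext or MD5 hash instead of a modern crypt(3) hash. Every name in it is an assumption: `hosts.txt`, `root.hash`, the unprivileged `admin` account on the management server, and the sudoers entry quoted in the header comment that lets that account run exactly `chpasswd -e` and one `grep` of `/etc/shadow` rather than a general root shell.

```shell
#!/bin/sh
# Added example, not from the thread. Rotates root's password on a list of
# hosts over key-based ssh as an unprivileged admin account that has a
# narrowly scoped sudoers entry on every target (assumed, hypothetical):
#   admin ALL=(root) NOPASSWD: /usr/sbin/chpasswd -e, /usr/bin/grep ^root\: /etc/shadow
# The plaintext never leaves the management server: root.hash holds a
# pre-computed hash (e.g. `umask 077; openssl passwd -6 > root.hash`).
set -eu

# Accept only sha512crypt ($6$) or yescrypt ($y$) hashes, so a plaintext
# string or a legacy MD5 ($1$) hash is never pushed out by mistake.
valid_hash() {
    case "$1" in
        '$6$'*'$'*|'$y$'*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Host list hygiene: drop comments, trailing whitespace, blanks, duplicates.
read_hosts() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | sort -u
}

# The command run on each target. The hash is fed on stdin to chpasswd -e
# (already-encrypted mode), so it never appears in the remote argv.
remote_cmd() {
    printf '%s' 'sudo -n /usr/sbin/chpasswd -e'
}

# Push the new hash to one host. DRY_RUN=1 prints the action instead.
rotate_host() {
    host=$1; hash=$2
    ssh_opts='-o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=yes -o PasswordAuthentication=no'
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: ssh %s %s "%s"\n' "$ssh_opts" "$host" "$(remote_cmd)"
        return 0
    fi
    printf 'root:%s\n' "$hash" | ssh $ssh_opts "$host" "$(remote_cmd)"
}

# Read the hash back and compare, so a host where chpasswd silently failed
# (e.g. read-only /etc, PAM policy) ends up on the retry list, not "done".
verify_host() {
    host=$1; hash=$2
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    remote=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "$host" \
                 'sudo -n /usr/bin/grep ^root: /etc/shadow' | cut -d: -f2)
    [ "$remote" = "$hash" ]
}

main() {
    hashfile=${1:?usage: rotate-root.sh root.hash hosts.txt}
    hostfile=${2:?usage: rotate-root.sh root.hash hosts.txt}
    failed=0
    read -r hash < "$hashfile"
    valid_hash "$hash" || { echo "refusing: $hashfile is not a \$6\$/\$y\$ crypt hash" >&2; return 2; }
    for host in $(read_hosts "$hostfile"); do
        if rotate_host "$host" "$hash" && verify_host "$host" "$hash"; then
            echo "ok   $host"
        else
            echo "FAIL $host" >&2
            failed=$((failed + 1))
        fi
    done
    echo "failed: $failed"
    [ "$failed" -eq 0 ]
}

# Only act when explicitly asked, e.g.:
#   ROTATE_RUN=1 DRY_RUN=1 ./rotate-root.sh root.hash hosts.txt   # rehearse
#   ROTATE_RUN=1 ./rotate-root.sh root.hash hosts.txt             # for real
if [ "${ROTATE_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it with `DRY_RUN=1` first to see exactly which hosts and which remote command will be used. The loop is deliberately sequential so the failure list is easy to read; for thousands of hosts, split `hosts.txt` into chunks and run several copies. It pairs naturally with `PermitRootLogin no` in `sshd_config` on the targets, which is what the earlier replies recommend: once nobody logs in as root remotely, the root password only matters at the console, and this script keeps it rotated without anyone needing to know it.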
I'm 100% aware that this is insecure; I'm trying to fix this. Unfortunately it's not as easy as you might think. I can't just strip the root password from everyone. There are a lot of "higher ups" that won't allow this, so I need to take baby steps to get a new process implemented. I have anywhere from 25 to 1000 users, so getting the sudoers file fixed is also going to take time. The idea behind turning off direct root logins is that it will allow me to get more info on who needs access to what server. Once this access is pulled I will be flooded with emails regarding adding/fixing user accounts. This is great; that means I will be able to fix our sudoers file. I completely agree with you that this is ridiculously insecure, but it's a legacy process, so I have to make small changes, verify that nothing breaks, then move on. I was the one that complained about it being insecure, so of course I get stuck with trying to fix the problem. The unknown root password is my ultimate goal, but it's not going to happen overnight.
You have the right idea. I agree with your approach. Unless you have the GM and all of senior management behind you, you are going to have to implement a series of small discrete steps over a period of time so that slowly but surely the need, be it real or perceived, for root access is eliminated.