LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices


Reply
  Search this Thread
Old 07-27-2006, 10:16 AM   #1
user_lnx
LQ Newbie
 
Registered: Jul 2006
Posts: 3

Rep: Reputation: 0
Question Changing root password on multiple servers


Hello all,

I recently posted this in what seems to be an incorrect forum on accident. I apologize for the double post.

I am new to the forums so if this post is i the wrong location I apologize. Similarly, if this has been discussed before, please let me know.

Here it goes...

I am working in an environment containing multiple RHEL platforms all of which are in "WORKGROUPS" for lack of a better term. In other words, directory services and LDAP have not been implemented (yet) and will not be for quite some time. Quite simply LDAP or NIS is not an option.

With the always growing environment, we are getting to a point where user management alone is becoming a nuissance mostly due to the fact that security measures have been implemented which require users to change their passwords every 45 days. This even includes system accounts including root.

While the root password never expires, it still has to be changed every 45 days and across hundreds of servers, which can get tedious. I am needing some kind of way to:

1. Generate multiple passwords for each server following the necessary standards (8 char, no repeating chars, etc.)
2. Use the generated passwords and put them out on each server
3. Somehow document those passwords (in the most secure way possible) so that they may be placed on an encrypted web page used as a repository.

If anyone has any experience in dealing with this, please let me know. One thing to consider, I have a service account with RSA keys swapped on all servers in the environment with sudo implemented. It has come in handy in the past for automation across all the boxes in the past. For example, I can remotely execute commands, without having to supply a password on all the servers.

In advance, I appreciate the help.
 
Old 07-27-2006, 10:48 AM   #2
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
Even though you acknowledge the dual post, the rules state that you should inform a Mod, not make the 2nd post in another forum. Please read the rules, its a pet peave of mine.


That said,
Assuming SSH is installed on all the servers, you can script commands tunnel'd through SSH to a host. If you have a list of hostnames in a file, you can do a FOR loop which would included each name in the file. The loop would consist of SSH'ing to the $HOSTNAME, changing via passwd, and exitting. You could have the new password be the first variable specified on the command line for a more dynamic script. This is all assuming that root can SSH into a box, if root can't then the script will have to become more elaborate.
 
Old 07-27-2006, 10:50 AM   #3
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,456
Blog Entries: 1

Rep: Reputation: 66
The best for your environment is what is know as Single Sign On.

With SSO you have a central database wich stores all user information , user credentials and user access policy. SSo not only stores user password to login in the system, but it can authenticate the user in several others applications, like mailservers, enterprise databases, legacy applications, gateways, etc.

It can be implemented by yourself using ldap, kerberos and other programs, with a huge effort, or you can buy a solution from many companies (evidian).

This is a complex issue and it has a complex solution. My advice is to get a proposal from one of theses companies.

As an opensource alternative, Fedora has a Directory server which can be just what you are looking for. Take a look: http://directory.fedora.redhat.com.

good luck.
 
Old 07-27-2006, 01:16 PM   #4
user_lnx
LQ Newbie
 
Registered: Jul 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Again, I apologize for the double post.

I appreciate the input. It seems that the best thing is ldap; however, we do not have the resources to implement that unfortunately.

The script idea would work; however, the passwords need to be different across all boxes and they need to be documented and placed into an encrypted repository. I guess that is really the problem: randomly generating the password, trapping the password for each server and then updating it on an encrypted web page (which is essentially an MSSQL box with a web front-end). It would be nice if this could all be automated.

Does anyone know of any utilities that would help accomplish this? Or, does anyone have any experience with this i.e. have similar issues?

Thanks again!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Changing root passwords on multiple servers user_lnx Red Hat 1 07-27-2006 11:01 AM
Password Changes on Multiple Servers? Teejeaux Linux - Enterprise 5 04-20-2006 11:11 AM
changing root password minm Linux - Newbie 9 08-31-2004 03:03 AM
Changing the root password divsky Linux - Newbie 4 04-03-2004 10:02 PM
changing root password jamaso Linux - Newbie 1 12-25-2001 10:38 PM

LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise

All times are GMT -5. The time now is 03:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration