Hello all,

I recently posted this in what seems to be an incorrect forum on accident. I apologize for the double post.

I am new to the forums so if this post is i the wrong location I apologize. Similarly, if this has been discussed before, please let me know.

Here it goes...

I am working in an environment containing multiple RHEL platforms all of which are in "WORKGROUPS" for lack of a better term. In other words, directory services and LDAP have not been implemented (yet) and will not be for quite some time. Quite simply LDAP or NIS is not an option.

With the always growing environment, we are getting to a point where user management alone is becoming a nuissance mostly due to the fact that security measures have been implemented which require users to change their passwords every 45 days. This even includes system accounts including root.

While the root password never expires, it still has to be changed every 45 days and across hundreds of servers, which can get tedious. I am needing some kind of way to:

1. Generate multiple passwords for each server following the necessary standards (8 char, no repeating chars, etc.)
2. Use the generated passwords and put them out on each server
3. Somehow document those passwords (in the most secure way possible) so that they may be placed on an encrypted web page used as a repository.

If anyone has any experience in dealing with this, please let me know. One thing to consider, I have a service account with RSA keys swapped on all servers in the environment with sudo implemented. It has come in handy in the past for automation across all the boxes in the past. For example, I can remotely execute commands, without having to supply a password on all the servers.

In advance, I appreciate the help.

Even though you acknowledge the dual post, the rules state that you should inform a Mod, not make the 2nd post in another forum. Please read the rules, its a pet peave of mine.


That said,
Assuming SSH is installed on all the servers, you can script commands tunnel'd through SSH to a host. If you have a list of hostnames in a file, you can do a FOR loop which would included each name in the file. The loop would consist of SSH'ing to the $HOSTNAME, changing via passwd, and exitting. You could have the new password be the first variable specified on the command line for a more dynamic script. This is all assuming that root can SSH into a box, if root can't then the script will have to become more elaborate.

The best for your environment is what is know as Single Sign On.

With SSO you have a central database wich stores all user information , user credentials and user access policy. SSo not only stores user password to login in the system, but it can authenticate the user in several others applications, like mailservers, enterprise databases, legacy applications, gateways, etc.

It can be implemented by yourself using ldap, kerberos and other programs, with a huge effort, or you can buy a solution from many companies (evidian).

This is a complex issue and it has a complex solution. My advice is to get a proposal from one of theses companies.

As an opensource alternative, Fedora has a Directory server which can be just what you are looking for. Take a look: http://directory.fedora.redhat.com.

good luck.

Again, I apologize for the double post.

I appreciate the input. It seems that the best thing is ldap; however, we do not have the resources to implement that unfortunately.

The script idea would work; however, the passwords need to be different across all boxes and they need to be documented and placed into an encrypted repository. I guess that is really the problem: randomly generating the password, trapping the password for each server and then updating it on an encrypted web page (which is essentially an MSSQL box with a web front-end). It would be nice if this could all be automated.

Does anyone know of any utilities that would help accomplish this? Or, does anyone have any experience with this i.e. have similar issues?

Thanks again!