Re: Pls help: best way to assign and maintain root password of 100 machines

From: Michael Vilain (vilain_at_spamcop.net)
Date: 09/13/04


Date: Mon, 13 Sep 2004 01:10:18 -0700

In article <28073c51.0409121714.6486b85a@posting.google.com>,
 st-wong@alumni.cuhk.net (ST Wong) wrote:

> st-wong@alumni.cuhk.net (ST Wong) wrote in message
> news:<28073c51.0409081757.5298a045@posting.google.com>...
> > Hi, all,
> >
> > We're maintaining ~100 Uni*x and Windows machines. However, I've no
> > idea of how to assign the passwords so that our team members can
> > memorize the passwords without writing them down or having to use
> > similar passwords for all the machines. Meanwhile, I want to change
> > the root passwords regularly, after any hacking incident, or after
> > departure of any of our team members. This makes the problem worse.
> >
> > I'd like to know if there is any mechanism/tool for this purpose.
> > Would anyone pls help? Sorry for the newbie question.
>
> Thanks for all your assistance. We're using sudo for non-sysadm
> colleagues who have to perform some privileged tasks. However, our
> problem is a bit complicated, due to the fact that all these machines
> are servers sitting in our machine room, providing different functions
> with different security requirements. Furthermore, they reside in
> different firewall zones. Thus synchronizing the root passwords on
> all of them will be risky. Thus our problem becomes two-fold:
> - painful to change root passwords 100+ machines regularly
> - difficult to remember the newly changed 100+ passwords
>
> Sorry for not making the question clear.
>
> Thanks again.
> Best Regards,
> /ST Wong

You've essentially painted yourself into a corner. There's no easy way
to network synchronize these systems as they're all different. In my
last contract, they had 20 Enterprise servers which were all discrete.
They managed to group the servers into various access groups. When
passwords were changed (every 60 days), we got a sealed envelope that had
the root password for the systems. We were told not to put that list
anywhere obvious and we were responsible for its security. Since root
was only allowed on the consoles (no ftp, telnet, or ssh root access),
you had to go into the computer room behind a card key access door,
sign-in with operations, and use a console. Only IT staff was allowed
in the computer room.

They eventually got a product called PowerBroker by Symark that is like
a networked 'sudo' with a centralized access list. That meant the only
time you needed to use root on the console was when there's an outage
and you need to log in to single-user mode. Boot CDs are under lock and
key, so booting off them to gain access is restricted. A manager had to
provide the root password when there was an outage, making two people
who had to be awakened at 4am on Sunday when there's a disk outage.

There's no easy way around changing passwords on 100 systems. You've
outlined circumstances that limit you to this option only. I feel your
pain. Unless you revisit implementing some sort of authentication
service on all the systems and tie them together, you're out of luck.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...
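The grouping the reply describes (servers split into access groups, a central access list, root kept for the console) can be expressed with plain sudo, which the original poster already uses: one sudoers file, with hosts grouped by firewall zone through Host_Alias, pushed to every machine. This is an added example, not code from the poster or from PowerBroker; every zone, host, user and command name in it is constructed.

```sudoers
# Constructed example: one sudoers file deployed identically to every
# host (owned by root, mode 0440). Each host applies only the rules whose
# Host_Alias matches its own hostname, so a single central file serves
# all firewall zones without any host needing the others' root password.

Host_Alias  DMZ_WEB   = www1, www2, www3        # DMZ zone
Host_Alias  INTERNAL  = db1, db2, files1        # internal zone
Host_Alias  MGMT      = jump1, backup1          # management zone

User_Alias  SYSADMINS = alice, bob
User_Alias  DBAS      = carol
User_Alias  OPERATORS = dave, erin

Cmnd_Alias  SERVICES  = /sbin/service, /usr/sbin/service
Cmnd_Alias  DBTOOLS   = /usr/bin/pg_ctl, /usr/local/bin/db-backup

# Every privileged command is logged with the hostname it ran on, and a
# sudo session expires quickly; the tty requirement blocks use from cron
# jobs or stolen non-interactive sessions.
Defaults    log_host, logfile=/var/log/sudo.log
Defaults    timestamp_timeout=5, requiretty

# Sysadmin team: full privilege on every zone through sudo, audited.
SYSADMINS   ALL = (root) ALL

# DBAs: database tools only, as the postgres account, internal zone only.
DBAS        INTERNAL = (postgres) DBTOOLS

# Operators: restart services in the DMZ and management zones, nothing more.
OPERATORS   DMZ_WEB, MGMT = (root) SERVICES

# When a team member leaves, remove the name from its User_Alias and
# redeploy this file; no host's root password has to change for that.
```

Root's own password is still required at the console for single-user mode, exactly as in the reply, so it still has to be rotated and stored; what the shared file removes is any day-to-day need for 100 people to remember 100 root passwords.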
