Pls help: best way to assign and maintain root password of 100 machines
ST Wong 2004-09-08, 8:48 pm
Hi, all,
We're maintaining ~100 Uni*x and Windows machines. However, I've no
idea of how to assign the passwords so that our team members can
memorize the passwords without writing them down or having to use
similar passwords for all the machines. Meanwhile, I want to change
the root passwords regularly, after any hacking incidence, or after
departure of any of our team members. This makes the problem worse.
I'd like to know if there is any mechanism/tool for this purpose.
Would anyone pls help? Sorry for the newbie question.
Thanks a lot.
Best Regards,
/ST Wong
Michael Vilain 2004-09-09, 2:48 am
In article <28073c51.0409081757.5298a045@posting.google.com>,
st-wong@alumni.cuhk.net (ST Wong) wrote:
> Hi, all,
>
> We're maintaining ~100 Uni*x and Windows machines. However, I've no
> idea of how to assign the passwords so that our team members can
> memorize the passwords without writing them down or having to use
> similar passwords for all the machines. Meanwhile, I want to change
> the root passwords regularly, after any hacking incidence, or after
> departure of any of our team members. This makes the problem worse.
>
> I'd like to know if there is any mechanism/tool for this purpose.
> Would anyone pls help? Sorry for the newbie question.
>
> Thanks a lot.
> Best Regards,
> /ST Wong
If you're using separate files for each of these 100 systems without any
sort of authentication service and they're all different, you're out of
your ever-fscking mind. That's what an authentication service is for,
like NIS or LDAP.
I can imagine using a standard local passwd and shadow file with
standard UNIX accounts like root and /etc/sudoers on the systems to
allow sysadmin staff to use root. root access should only be allowed on
the console and not remotely. telnet replaced by ssh.
You could set up a standard crontab to pull a standard passwd + shadow
from a central location periodically. Or from a central server, use
rsync or rdist to 'push' the files to the remote systems. With that
many systems, you need some centralized way of doing this.
You'll have to come up with something on your own for the windows boxen.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
Kevin Counts 2004-09-11, 8:47 pm
st-wong@alumni.cuhk.net (ST Wong) wrote in message news:<28073c51.0409081757.5298a045@posting.google.com>...
> We're maintaining ~100 Uni*x and Windows machines. However, I've no
> idea of how to assign the passwords so that our team members can
> memorize the passwords without writing them down or having to use
> similar passwords for all the machines. Meanwhile, I want to change
> the root passwords regularly, after any hacking incidence, or after
> departure of any of our team members. This makes the problem worse.
>
> I'd like to know if there is any mechanism/tool for this purpose.
> Would anyone pls help? Sorry for the newbie question.
You might want to check out http://www.courtesan.com/sudo/ for
addressing at least some of your requirements.
Regards,
Kevin Counts
William Park 2004-09-11, 8:47 pm
ST Wong <st-wong@alumni.cuhk.net> wrote:
> Hi, all,
>
> We're maintaining ~100 Uni*x and Windows machines. However, I've no
> idea of how to assign the passwords so that our team members can
> memorize the passwords without writing them down or having to use
> similar passwords for all the machines. Meanwhile, I want to change
> the root passwords regularly, after any hacking incidence, or after
> departure of any of our team members. This makes the problem worse.
>
> I'd like to know if there is any mechanism/tool for this purpose.
> Would anyone pls help? Sorry for the newbie question.
For Unix, keep a master copy on one machine, and copy it to the rest.
Since uid/username are the same on all those machines (they are,
right?), it should be simple. For the method of distribution, email,
ssh, faucet/hose, netcat (nc), etc.
But, I prefer floppy and manually going around to each machine. This
gives me a chance to talk to the users, and answer their questions. This
method also works for Windows and Mac. So, it's platform and OS
independent, and works when the network is down.
--
William Park <opengeometry@yahoo.ca>
Open Geometry Consulting, Toronto, Canada
ST Wong 2004-09-12, 8:47 pm
st-wong@alumni.cuhk.net (ST Wong) wrote in message news:<28073c51.0409081757.5298a045@posting.google.com>...
> Hi, all,
>
> We're maintaining ~100 Uni*x and Windows machines. However, I've no
> idea of how to assign the passwords so that our team members can
> memorize the passwords without writing them down or having to use
> similar passwords for all the machines. Meanwhile, I want to change
> the root passwords regularly, after any hacking incidence, or after
> departure of any of our team members. This makes the problem worse.
>
> I'd like to know if there is any mechanism/tool for this purpose.
> Would anyone pls help? Sorry for the newbie question.
Thanks for all your assistance. We're using sudo for non-sysadm
colleagues who have to perform some privileged tasks. However, our
problem is a bit complicated, due to the fact that all these machines
are servers sitting in our machine room, providing different functions
with different security requirements. Furthermore, they reside in
different firewall zones. Thus synchronizing the root passwords on
all of them will be risky. Thus our problem becomes twofold:
- painful to change root passwords on 100+ machines regularly
- difficult to remember the newly changed 100+ passwords
Sorry for not making the question clear.
Thanks again.
Best Regards,
/ST Wong
Michael Vilain 2004-09-13, 2:51 am
In article <28073c51.0409121714.6486b85a@posting.google.com>,
st-wong@alumni.cuhk.net (ST Wong) wrote:
> st-wong@alumni.cuhk.net (ST Wong) wrote in message
> news:<28073c51.0409081757.5298a045@posting.google.com>...
>
> Thanks for all your assistance. We're using sudo for non-sysadm
> colleagues who have to perform some privileged tasks. However, our
> problem is a bit complicated, due to the fact that all these machines
> are servers sitting in our machine room, providing different functions
> with different security requirements. Furthermore, they reside in
> different firewall zones. Thus synchronizing the root passwords on
> all of them will be risky. Thus our problem becomes 2 folded:
> - painful to change root passwords 100+ machines regularly
> - difficult to remember the newly changed 100+ passwords
>
> Sorry for not making the question clear.
>
> Thanks again.
> Best Regards,
> /ST Wong
You've essentially painted yourself into a corner. There's no easy way
to network synchronize these systems as they're all different. In my
last contract, they had 20 enterprise servers which were all discrete.
They managed to group the servers into various access groups. When
passwords were changed (every 60 days), we got a sealed envelope that had
the root password for the systems. We were told not to put that list
anywhere obvious and we were responsible for its security. Since root
was only allowed on the consoles (no ftp, telnet, or ssh root access),
you had to go into the computer room behind a card key access door,
sign in with operations, and use a console. Only IT staff was allowed
in the computer room.
They eventually got a product called PowerBroker by Symark that is like
a networked 'sudo' with a centralized access list. That restricted the
only time you needed to use root on the console to when there's an outage
and you need to log in to single-user mode. Boot CDs are under lock and
key, so booting off them to gain access is restricted. A manager had to
provide the root password when there was an outage, making two people
who had to be awakened at 4am on Sunday when there's a disk outage.
There's no easy way around changing passwords on 100 systems. You've
outlined circumstances that limit you to this option only. I feel your
pain. Unless you revisit implementing some sort of authentication
service on all the systems and tie them together, you're out of luck.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
Doug Freyburger 2004-09-13, 5:56 pm
ST Wong wrote:
>
> We're maintaining ~100 Uni*x and Windows machines. However, I've no
> idea of how to assign the passwords so that our team members can
> memorize the passwords without writing them down or having to use
> similar passwords for all the machines. Meanwhile, I want to change
> the root passwords regularly, after any hacking incidence, or after
> departure of any of our team members. This makes the problem worse.
There's no realistic way to remember that many. So you're faced
with using a few and having folks remember those few, or using some
sort of pattern based on something about each machine, or switching
to some sort of single-use software where anyone who needs a root
password checks it out from the program and it's good once.
The software approach has its security advantages but finding such
a program is hard, plus it has to be trusted by every machine, plus
if it ever breaks you're seriously screwed.
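One way to make the "pattern based on something about each machine" idea hold up cryptographically, as an added example that is not part of the thread or any poster's code: every host's root password is derived from one memorised master secret plus a public rotation epoch with HMAC, so nothing is written down, every host still gets a different password, and a scheduled change is just a new epoch. The master secret, hostnames and epoch labels below are constructed for illustration.

```python
"""Per-host root passwords derived from one memorised master secret.
Added example; the master, hostnames and epoch strings are constructed."""
import hashlib
import hmac

# Letters/digits that read cleanly off a console or over the phone;
# ambiguous glyphs (0/O, 1/l/I) are deliberately left out.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def derive_password(master: str, hostname: str, epoch: str, length: int = 16) -> str:
    """HMAC-SHA256 keyed with the master over hostname|epoch|counter,
    mapped onto ALPHABET with rejection sampling so no symbol is biased.

    The team memorises only `master`; `epoch` (e.g. "2004-09") is public
    and bumps on every scheduled rotation, so routine changes never
    require learning a new secret."""
    key = master.encode()
    label = f"{hostname.lower()}|{epoch}".encode()
    limit = 256 - (256 % len(ALPHABET))  # largest unbiased byte range
    chars, counter = [], 0
    while len(chars) < length:
        block = hmac.new(key, label + bytes([counter]), hashlib.sha256).digest()
        chars.extend(ALPHABET[b % len(ALPHABET)] for b in block if b < limit)
        counter += 1
    return "".join(chars[:length])


def chpasswd_batch(master: str, hostnames: list[str], epoch: str) -> dict[str, str]:
    """Map each host to the single line its local `chpasswd` reads on stdin.

    Nothing is stored centrally: re-run with the next epoch to produce the
    rotated set, and push each line to its own host (e.g. over ssh)."""
    return {h: f"root:{derive_password(master, h, epoch)}\n" for h in hostnames}


if __name__ == "__main__":
    hosts = ["db1.example", "web7.example", "mail2.example"]  # constructed
    for host, line in chpasswd_batch("correct horse battery", hosts, "2004-09").items():
        print(f"{host:14s} -> {line.strip()}")
```

A departing team member knows the master, so a departure or suspected compromise calls for a new master (every host changes), not merely a new epoch. Because each host's password, and therefore its shadow hash, is different, one cracked hash does not expose the rest.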
ST Wong 2004-09-13, 8:48 pm
dfreybur@yahoo.com (Doug Freyburger) wrote in message news:<7960d3ee.0409130608.580e9dd0@posting.google.com>...
> ST Wong wrote:
>
> There's no realistic way to remember that many. So you're faced
> with using a few and having folks remember those few, or using some
> sort of pattern based on something about each machine, or switching
> to some sort of single-use software where anyone who needs a root
> password checks it out from the program and it's good once.
>
> The software approach has its security advantages but finding such
> a program is hard, plus it has to be trusted by every machine, plus
> if it ever breaks you're seriously screwed.
Thanks a lot. I'll try to use fewer.
Best Regards.