
How do you manage servers' root passwords?

In our administration team everyone has root passwords for all client servers. But what should we do if one of the team members is no longer working with us? He still has our passwords and we have to change them all, every time someone leaves us.

Now we are using ssh keys instead of passwords, but this is not helpful if we have to use something other than ssh.

bmwael asked Oct 16 '08 10:10




2 Answers

The systems I run have a sudo-only policy, i.e., the root password is * (disabled), and people have to use sudo to get root access. You can then edit your sudoers file to grant/revoke people's access. It's very granular, and has lots of configurability---but has sensible defaults, so it won't take you long to set up.

Chris Jester-Young answered Oct 14 '22 02:10


I would normally suggest the following:

  1. Use a blank root password.
  2. Disable telnet
  3. Set ssh for no-root-login (or root login by public key only)
  4. Disable su to root by adding this to the top of /etc/suauth: 'root:ALL:DENY'
  5. Enable secure tty for root login on console only (tty1-tty8)
  6. Use sudo for normal root access

Now then, with this setting, all users must use sudo for remote admin, but when the system is seriously messed up, there is no hunting for the root password to unlock the console.

EDIT: other system administration tools that provide their own logins will also need adjusting.

Joshua answered Oct 14 '22 03:10
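Added example, not part of either answer: a small Python audit that checks a host's files against the settings the two answers name (no shared root password hash, ssh root login off or key-only, `root:ALL:DENY` first in /etc/suauth, root consoles limited to tty1-tty8). The file contents are constructed samples and the function names are hypothetical; sshd `Match` blocks are ignored, and since the answers differ on a disabled versus a blank root password, only a usable hash is flagged.

```python
import re

# Constructed sample file contents for two hosts (not from the original page).
BEFORE = dict(shadow="root:$6$constructed$notarealhash:19000:0:99999:7:::\n",
              sshd_config="PermitRootLogin yes\n", suauth="",
              securetty="tty1\nttyS0\npts/0\n")
AFTER = dict(shadow="root:*:19000:0:99999:7:::\n", suauth="root:ALL:DENY\n",
             sshd_config="PermitRootLogin prohibit-password\n",
             securetty="tty1\ntty2\ntty8\n")

def lines(text):
    """Non-empty lines with '#' comments stripped."""
    return [s for l in text.splitlines() if (s := l.split("#", 1)[0].strip())]

def root_password_state(shadow):
    """Classify the password field of root's /etc/shadow entry."""
    for line in shadow.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1:
            if fields[1] == "":
                return "blank"
            return "locked" if fields[1][0] in "*!" else "hash"
    return "missing"

def permit_root_login(sshd_config):
    """sshd keywords are case-insensitive and the first occurrence wins."""
    for line in lines(sshd_config):
        parts = line.replace("=", " ", 1).split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return None  # unset: the default depends on the OpenSSH version, so flag it

def audit(shadow, sshd_config, suauth, securetty):
    findings = []
    if root_password_state(shadow) == "hash":
        findings.append("root has a usable password hash (shared secret)")
    prl = permit_root_login(sshd_config)
    if prl not in ("no", "prohibit-password", "without-password"):
        findings.append(f"PermitRootLogin is {prl}")
    if lines(suauth)[:1] != ["root:ALL:DENY"]:
        findings.append("/etc/suauth does not start with root:ALL:DENY")
    bad = [t for t in lines(securetty) if not re.fullmatch(r"tty[1-8]", t)]
    if bad:
        findings.append("securetty allows root on " + ", ".join(bad))
    return findings

if __name__ == "__main__":
    for name, host in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(**host))
```

Run against the real files (as root, since /etc/shadow is not world-readable) by passing their contents to `audit`; an empty list means no shared root secret remains to rotate when someone leaves.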