In our administration team everyone has root passwords for all client servers. But what should we do if one of the team members is no longer working with us? He still has our passwords and we have to change them all, every time someone leaves us.
Now we are using ssh keys instead of passwords, but this is not helpful if we have to use something other than ssh.
At the command prompt, type 'passwd' and hit 'Enter'. You should then see the message: 'Changing password for user root.' Enter the new password when prompted and re-enter it at the prompt 'Retype new password'.
The file is owned by root and can only be modified by root or users with sudo privileges, although it is readable by all system users. Each user's password is stored in an encrypted form within the /etc/passwd file. These credentials are hashed using a one-way hash function so they cannot be decrypted.
The systems I run have a sudo-only policy, i.e., the root password is * (disabled), and people have to use sudo to get root access. You can then edit your sudoers file to grant/revoke people's access. It's very granular, and has lots of configurability---but has sensible defaults, so it won't take you long to set up.
I would normally suggest the following:
Now then, with this setting, all users must use sudo for remote admin, but when the system is seriously messed up, there is no hunting for the root password to unlock the console.
EDIT: other system administration tools that provide their own logins will also need adjusting.
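An audit sketch for the sudo-only policy described in the answer above (an added example, not code from the original post): it checks that root's password field is disabled and shows who holds sudo through the admin group. The group name `sudo`, the function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sudo-only policy from shadow- and group-format files.
# File contents below are constructed; on a real host the inputs would be
# /etc/shadow and /etc/group (reading /etc/shadow requires root).

# root_locked FILE: succeed only if root exists and its password field is
# "*" or starts with "!", i.e. no password can ever match it.
root_locked() {
    awk -F: '$1 == "root" { found = 1; if ($2 ~ /^[*!]/) ok = 1 }
             END { exit !(found && ok) }' "$1"
}

# sudo_members FILE GROUP: print the supplementary members of GROUP, one per
# line. Users whose primary group is GROUP are not listed in this field.
sudo_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# password_accounts FILE: print accounts that can still authenticate with a
# password (hash set or field empty). Under a sudo-only policy these should
# be personal accounts only, never root or a shared login.
password_accounts() {
    awk -F: '$2 !~ /^[*!]/ { print $1 }' "$1"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/shadow" <<'EOF'
root:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
alice:$6$constructedsalt$constructedhashA:19700:0:99999:7:::
bob:$6$constructedsalt$constructedhashB:19700:0:99999:7:::
EOF
cat > "$demo_dir/group" <<'EOF'
sudo:x:27:alice,bob
EOF

if root_locked "$demo_dir/shadow"; then
    echo "root password: disabled"
else
    echo "root password: STILL SET, sudo-only policy not in effect"
fi
echo "sudo via group:";       sudo_members "$demo_dir/group" sudo
echo "password logins exist:"; password_accounts "$demo_dir/shadow"
```

When someone leaves, the accounts printed under "sudo via group" are the ones to review; removing the departed user from that group and locking their personal account revokes root access without touching anyone else's credentials.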