<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Managing RootPasswords in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343663#M191256</link>
    <description></description>
    <pubDate>Thu, 29 Jul 2004 18:00:09 GMT</pubDate>
    <dc:creator>Sundar_7</dc:creator>
    <dc:date>2004-07-29T18:00:09Z</dc:date>
    <item>
      <title>Managing RootPasswords</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343658#M191251</link>
      <description>Hello,&lt;BR /&gt;&lt;BR /&gt; What are the options/tools available for managing root password changes on multiple servers (around 200+ servers, a mix of trusted HP servers and Sun servers) on a regular basis (thrice a year)?   The password should be preferably randomly generated by the tool/script and not be the same for all the servers.&lt;BR /&gt;&lt;BR /&gt;Doing the change manually by logging on to each server is ruled out. Inefficient and tedious.&lt;BR /&gt;&lt;BR /&gt;Writing a script using remote services (remsh, rexec..) is not an option, since opening up access through .rhosts on all the servers is not allowed.&lt;BR /&gt;&lt;BR /&gt;What are the other options? How is this managed in large sites? &lt;BR /&gt;&lt;BR /&gt;regards&lt;BR /&gt;-RB</description>
      <pubDate>Wed, 28 Jul 2004 13:13:15 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343658#M191251</guid>
      <dc:creator>Roger Baptiste</dc:creator>
      <dc:date>2004-07-28T13:13:15Z</dc:date>
    </item>
    <item>
      <title>Re: Managing RootPasswords</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343659#M191252</link>
      <description>With the restrictions you have,&lt;BR /&gt;&lt;BR /&gt;NIS is the way to go. Trusted systems and NIS are not compatible, so you will have to go with NIS+.&lt;BR /&gt;&lt;BR /&gt;Also with LDAP.&lt;BR /&gt;&lt;BR /&gt;Not worked on things like this, but these are the options that seem to fit your requirement.&lt;BR /&gt;&lt;BR /&gt;Anil</description>
      <pubDate>Wed, 28 Jul 2004 13:30:14 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343659#M191252</guid>
      <dc:creator>RAC_1</dc:creator>
      <dc:date>2004-07-28T13:30:14Z</dc:date>
    </item>
    <item>
      <title>Re: Managing RootPasswords</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343660#M191253</link>
      <description>Or install a third party security tool like UnixControl:&lt;BR /&gt;&lt;BR /&gt;&lt;A href="http://www.tfstech.com/index.htm" target="_blank"&gt;http://www.tfstech.com/index.htm&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;Rgds...Geoff</description>
      <pubDate>Wed, 28 Jul 2004 14:06:41 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343660#M191253</guid>
      <dc:creator>Geoff Wild</dc:creator>
      <dc:date>2004-07-28T14:06:41Z</dc:date>
    </item>
    <item>
      <title>Re: Managing RootPasswords</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343661#M191254</link>
      <description>NIS+, NIS, or LDAP should not be used for the root password because you specifically need a means of logging in as root when those services are not available. In fact, you are instructed to always use local authentication for root. You also do not want multiple users with UID 0 as a possible workaround. If this were me, I would much prefer a single strong password for all the servers rather than different passwords -- unless the boxes are administered by different people. Multiple passwords instantly require a list and that is an instant security hole. NIS+ or LDAP is fine for all the regular users and would certainly be my method for 200+ boxes. &lt;BR /&gt;&lt;BR /&gt;There are a number of methods for batch updating root passwords. Probably the most straightforward would be to leverage expect supplied with a list of servers.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Wed, 28 Jul 2004 14:07:54 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343661#M191254</guid>
      <dc:creator>A. Clay Stephenson</dc:creator>
      <dc:date>2004-07-28T14:07:54Z</dc:date>
    </item>
    <item>
      <title>Re: Managing RootPasswords</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343662#M191255</link>
      <description>Thanks for the responses so far.  Can the other experts around throw in their suggestions and the way they are doing this in a large site?&lt;BR /&gt;NIS+ is a no-no, for the reasons already mentioned.  &lt;BR /&gt;&lt;BR /&gt;The criteria is, it should run from a single server and not use remote services.  No NIS/NIS+/LDAP either, for reasons already mentioned in the responses.&lt;BR /&gt;&lt;BR /&gt;Clay, can you please elaborate on the batch methods you mentioned? Also, a randomly generated password is preferred, rather than manual creative ones.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;thanks</description>
      <pubDate>Thu, 29 Jul 2004 17:05:10 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343662#M191255</guid>
      <dc:creator>Roger Baptiste</dc:creator>
      <dc:date>2004-07-29T17:05:10Z</dc:date>
    </item>
    <item>
      <title>Re: Managing RootPasswords</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343663#M191256</link>
      <description>RB,&lt;BR /&gt;&lt;BR /&gt;  Any large site who are concerned about security will not go for NIS :-), and NIS+ is too cumbersome to maintain even on smaller sites.&lt;BR /&gt;&lt;BR /&gt;  Really visionary shops spend $$$ and get centralized user management software like KEON BOKS from RSA. BOKS is a wonderful security software with all kinds of auditing and customization possible. It also does some encryption, so you don't have to worry about sniffers.&lt;BR /&gt;&lt;BR /&gt;  Some sites use remote services to distribute the account information and some use LDAP.&lt;BR /&gt;&lt;BR /&gt;  I am sure there are sites that use ADS or NTLM authentication for the unix users. In this case the unix users don't have to remember two separate passwords. They can use the same password as they do for logging in to the corporate domain network.&lt;BR /&gt;&lt;BR /&gt;  Given all these restrictions, how about if I suggest you a not-so-elegant way of doing this? :-)&lt;BR /&gt;&lt;BR /&gt;1) To generate the password randomly, you can use /usr/lbin/modprpw with the -x option&lt;BR /&gt;&lt;BR /&gt;   /usr/lbin/modprpw -x username&lt;BR /&gt;&lt;BR /&gt;2) modprpw expires the user account, so he/she will have to change the password upon next successful login. You can avoid this by using the -v option of modprpw&lt;BR /&gt;&lt;BR /&gt;   /usr/lbin/modprpw -v username&lt;BR /&gt;&lt;BR /&gt;3) Create a script that prepares the list of files that are updated in the /tcb directory and also the information from /etc/passwd and /etc/group&lt;BR /&gt; &lt;BR /&gt;   The script should ftp these files to all the other systems. Automate the FTP transfer by manually coding the password in the script or using .netrc.&lt;BR /&gt;&lt;BR /&gt;4) On the clients, create a script that runs off the cron and processes the files that are FTPed from the server.&lt;BR /&gt;&lt;BR /&gt;  I know this is not going to look elegant and is not as easy to implement as it sounds.&lt;BR /&gt;  &lt;BR /&gt;  But this is all I could come up with :-)&lt;BR /&gt;&lt;BR /&gt;-- Sundar.  &lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Thu, 29 Jul 2004 18:00:09 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343663#M191256</guid>
      <dc:creator>Sundar_7</dc:creator>
      <dc:date>2004-07-29T18:00:09Z</dc:date>
    </item>
    <item>
      <title>Re: Managing RootPasswords</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343664#M191257</link>
      <description>RB,&lt;BR /&gt;&lt;BR /&gt;The attached C program may help you to generate random strong passwords and their encrypted strings.&lt;BR /&gt;&lt;BR /&gt;# encrypt&lt;BR /&gt;OKFBrfm:WkBJX5PPU8LzY&lt;BR /&gt;&lt;BR /&gt;The output can be divided into two portions with the delimiter ":". The first portion is the randomly generated password, and the second part is the encrypted string of the password. You can simply replace the second portion with the password of a particular user in the /etc/passwd (or /etc/shadow for Solaris users), and the password is changed silently.&lt;BR /&gt;&lt;BR /&gt;In case you get a "/" in the encrypted value, please discard it, as I found that it will cause problems:&lt;BR /&gt;&lt;BR /&gt;# encrypt&lt;BR /&gt;m6kw6NR:lGG/UBe.vDACQ    &amp;lt;- DISCARD!!!&lt;BR /&gt;&lt;BR /&gt;If you want it to encrypt a password you specify, say "1234567", you can:&lt;BR /&gt;&lt;BR /&gt;# encrypt&lt;BR /&gt;1234567:webdcfoCllqDQ&lt;BR /&gt;&lt;BR /&gt;If you have tried that out on a small scale and have confidence in it, you can write your own script to change the password regularly</description>
      <pubDate>Thu, 29 Jul 2004 21:45:03 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/managing-rootpasswords/m-p/3343664#M191257</guid>
      <dc:creator>Kenneth_19</dc:creator>
      <dc:date>2004-07-29T21:45:03Z</dc:date>
    </item>
  </channel>
</rss>

