topic Re: To keep the root password in Operating System - HP-UX

To keep the root password

Son dam bi — Fri, 06 Nov 2009 07:18:30 GMT

In my network , there are many unix / linux server , and we have a few administrators have these server's root password , our administrator will base on user request to change the user's password but however sometimes we have uncarelessly changed root password , then we have to do something ( reboot , single login ... ) to get back the password .

Therefore , I would like to ask what is the best way to prevent the lost of root password in my case , I know if release the .ssh without password to another server , it can prevent the password lost but I concern the security issue .

Can you please advise the way . Thanks

ps. the administrators must have all server's password , this is company policy so I can't assign the root premission to a specific administrator .

Re: To keep the root password

Sunny Jaisinghani — Fri, 06 Nov 2009 07:31:05 GMT

Direct root login is a security concern.
Hence it is advised to use "sudo".

You can ssh to any remote host using your login credentials and then do "sudo su -" to get root login.

Hope this helps

Sunny

Re: To keep the root password

Johnson Punniyalingam — Fri, 06 Nov 2009 16:40:33 GMT

Solution:-

implement Sudo or power broker

Re: To keep the root password

Vishu — Fri, 06 Nov 2009 16:57:17 GMT

I agree.

Use sudo. i will prevent you to login directly with root or to anything with the root password.

i hope you find your answer.

Re: To keep the root password

OldSchool — Fri, 06 Nov 2009 17:12:46 GMT

"have uncarelessly changed root password "....

right..and they probably did it by getting root access and typing

passwd

-instead of-

passwd

you could write a script that takes the place of the normal passwd command and prevents the first form...potentially messy

or you could set up passwordless login via ssh and keys allowing you access to the server to fix root's passwd when its accidentaly been changed. Still allows the root password to be changed accidentally, but gives you a way in to fix it without going into single-user mode.

I don't believe sudo will fix that issue, as the user with access to the passwd command can still use the first form of the command and "accidentally" change root's password.

PowerBroker might allow you to script this, but it would be a relatively expensive proposition. It could, however, allow you to identify the party(ies) that are doing this...

Unfortunately, technology doesn't fix carelessness....it can only mitigate the fallout.

Re: To keep the root password

Tingli — Fri, 06 Nov 2009 19:06:28 GMT

sudo can do the trick since it doesn't need root password to get into root.

Re: To keep the root password

OldSchool — Fri, 06 Nov 2009 19:14:49 GMT

right...I was thinking more along the lines of "stopping it from happening" in the first place.

of course, anything eliminates the need to hand out the "root" password willy-nilly would be a good thing.

Auditors / compliance officers must have a field day with this as it currently set-up