Operating System - HP-UX

To keep the root password

 
Son dam bi
Advisor


In my network, there are many Unix / Linux servers, and we have a few administrators who have these servers' root password. Our administrators change users' passwords on request, but sometimes we have uncarelessly changed the root password, and then we have to do something (reboot, single login ...) to get the password back.

Therefore, I would like to ask what is the best way to prevent the loss of the root password in my case. I know that if I release the .ssh without a password to another server, it can prevent the password loss, but I am concerned about the security issue.

Can you please advise the way? Thanks

P.S. The administrators must have all servers' passwords; this is company policy, so I can't assign the root permission to a specific administrator.
6 REPLIES
Sunny Jaisinghani
Trusted Contributor

Re: To keep the root password

Direct root login is a security concern.
Hence it is advised to use "sudo".

You can ssh to any remote host using your login credentials and then do "sudo su -" to get root login.

Hope this helps

Sunny
Johnson Punniyalingam
Honored Contributor

Re: To keep the root password

Solution:-

Implement sudo or PowerBroker

Problems are common to all, but attitude makes the difference
Vishu
Trusted Contributor

Re: To keep the root password

I agree.

Use sudo. It will prevent you from logging in directly as root or doing anything with the root password.

I hope you find your answer.
OldSchool
Honored Contributor

Re: To keep the root password

"have uncarelessly changed root password "....


Right... and they probably did it by getting root access and typing

passwd

-instead of-

passwd

You could write a script that takes the place of the normal passwd command and prevents the first form... potentially messy.

Or you could set up passwordless login via ssh and keys, allowing you access to the server to fix root's passwd when it's accidentally been changed. Still allows the root password to be changed accidentally, but gives you a way in to fix it without going into single-user mode.

I don't believe sudo will fix that issue, as the user with access to the passwd command can still use the first form of the command and "accidentally" change root's password.

PowerBroker might allow you to script this, but it would be a relatively expensive proposition. It could, however, allow you to identify the party(ies) that are doing this...

Unfortunately, technology doesn't fix carelessness....it can only mitigate the fallout.
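
The wrapper idea from the reply above, sketched as an added example (not code from the thread): run as root, passwd with no login name changes root's own password, so the guard refuses that form and hands every other invocation to the real command. The REAL_PASSWD path, the VALUE_OPTS list and the function names are assumptions; check them against passwd(1) on each platform.

```sh
#!/bin/sh
# Hypothetical guard installed under the name "passwd" ahead of the real
# binary in root's PATH. Path and option list below are assumptions.
REAL_PASSWD="${REAL_PASSWD:-/usr/bin/passwd}"
# Options assumed to consume the following argument (check passwd(1)).
VALUE_OPTS="${VALUE_OPTS:--F -r -n -w -x}"

# has_login_operand ARGS...: succeed if a login name operand is present.
has_login_operand() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --) [ $# -gt 1 ] && return 0; return 1 ;;
            -*)
                for opt in $VALUE_OPTS; do
                    if [ "$1" = "$opt" ]; then
                        shift      # drop the option; its value is dropped below
                        break
                    fi
                done
                ;;
            *) return 0 ;;
        esac
        [ $# -gt 0 ] && shift
    done
    return 1
}

# guard_passwd UID ARGS...: return 0 to allow the call, 1 to refuse it.
guard_passwd() {
    uid="$1"; shift
    if [ "$uid" -eq 0 ] && ! has_login_operand "$@"; then
        echo "passwd: refusing to change root's own password;" \
             "name the account: passwd <login>" >&2
        return 1
    fi
    return 0
}

# Act only when installed and invoked under the name "passwd".
case "${0##*/}" in
    passwd)
        guard_passwd "$(id -u)" "$@" || exit 1
        exec "$REAL_PASSWD" "$@"
        ;;
esac
```

Calling the real binary by its full path bypasses the guard, so it only catches slips; an explicit `passwd root` is still passed through as a deliberate change.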
Tingli
Esteemed Contributor

Re: To keep the root password

sudo can do the trick since it doesn't need root password to get into root.
OldSchool
Honored Contributor

Re: To keep the root password

Right... I was thinking more along the lines of "stopping it from happening" in the first place.

Of course, anything that eliminates the need to hand out the "root" password willy-nilly would be a good thing.

Auditors / compliance officers must have a field day with this as it is currently set up.