
Re: sync root passwords?



My philosophy has always been to make root's password completely random
for each machine, document it somewhere secure, and then use sudo for
all management requirements. 

However, I've never worked in a situation where there were more than two
or three active system admins for the entire network, so I'm not sure how 
scalable this method is (although it's much easier to copy /etc/sudoers 
around than /etc/shadow, assuming you already have a method for generating
passwd file entries -- NIS or LDAP, or something more homegrown, which
is what I'm prone to).

Since root's password is random, and you're using sudo to gain su
access, you then set up a key structure for all root logins (for
updating /etc/sudoers, or performing "pull" backups, for instance) in
which only one or two machines -- preferably ones which are not
easily accessible to anyone -- can root into the machines via ssh and
private/public key pairs.

The only time not knowing what a machine's root password becomes an
issue is when it decides to go explodey and you've got to boot it into
single user and do some maint on it.

But you've got the root passwd documented (and possibly printed out and
locked up in a Big Black Folder of DOOM in a fireproof safe hidden in
the middle of the Yucatan), so that's only a minor inconvenience.

On Wed, Dec 04, 2002 at 01:15:58PM -0800, Mike Egglestone wrote:
> Hi,
> Is there a debian package for syncing root passwords on multiple servers?
> If I had 100 debian servers, and wanted the root passwords to all be the same,
> is there a util that will sync just the root password?
> 
> or perhaps someone has a script they use?
> 
> At first glance, its appears that I start with one server,
> change the password, extract the encrypted line from /etc/shadow and somehow
> copy this line to all other servers at /etc/shadow.
> 
> Thanks for any suggestions!
> 
> Cheers,
> Mike

-- 
bda
Cyberpunk is dead.  Long live cyberpunk.
http://mirrorshades.org
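The scheme the reply describes (a different random root password per
host, recorded in a root-only file, day-to-day access via sudo, and
key-based root ssh allowed only from one or two admin machines) as a
small script. This is an added example, not code from the list post or
from Debian: the admin host addresses 192.0.2.10/11, the record file
path, the use of chpasswd over ssh as the push mechanism, and the
authorized_keys "from=" restriction as the way to limit which machines
may root in are all assumptions made here.

```shell
#!/bin/sh
# Added example (not from the list post): per-host random root passwords,
# recorded locally, with ssh-key root access restricted to admin hosts.
set -eu

# Assumed: the one or two admin machines allowed to ssh in as root.
ADMIN_HOSTS="${ADMIN_HOSTS:-192.0.2.10,192.0.2.11}"
# Assumed: the "documented somewhere secure" file; created 0600 below.
RECORD="${RECORD:-/root/root-passwords.txt}"

# Random root password: 24 chars from /dev/urandom, letters and digits
# only so it can be typed at a single-user console without surprises.
gen_root_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# authorized_keys line for root on a managed host: the key is only
# accepted from ADMIN_HOSTS and cannot be used for any forwarding, so a
# copied key is useless from anywhere else.
root_authorized_key() {
    pubkey="$1"
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$ADMIN_HOSTS" "$pubkey"
}

# sudoers line giving a Unix group full root via sudo (the everyday path,
# so nobody needs the random root password).
sudoers_line() {
    printf '%%%s ALL=(ALL) ALL\n' "$1"
}

# From an admin host: set a fresh random root password on one managed
# host over key-authenticated ssh, then record it locally. The record
# file is created with mode 0600 before any password goes into it.
push_root_password() {
    host="$1"
    pw=$(gen_root_password)
    ( umask 077; touch "$RECORD" )
    printf 'root:%s\n' "$pw" | ssh "root@$host" 'chpasswd'
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%MZ)" "$host" "$pw" >> "$RECORD"
}

# Usage: ./rootpw.sh push host1 host2 ...
if [ "${1:-}" = "push" ]; then
    shift
    for h in "$@"; do push_root_password "$h"; done
fi
```

On the managed hosts the matching sshd setting is
`PermitRootLogin prohibit-password`, so root can never log in with the
recorded password over the network; it exists only for the single-user
console case the reply mentions. Keep the record file off the managed
hosts themselves, and rotate a host's entry whenever the password is
used at a console.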