password practice

[we2aresame]

As an system admin, can anybody give me some suggestions how to manage over 100 servers's root password? Thanks.

 

[SamBones]

For any other username I would suggest a naming service like NIS+ or LDAP. But for root, you need to be able to log on even if a naming service isn't available. Keep them as a local login.

Set them all the same with no expiration. You can make an expect script or something to reset them all at the same time if you need to change it periodically.

Hope this helps.

 

[mdet]

This is a matter of infrastructure and it's design. Of course there are quick and dirty "solutions" for that. But you have to take into account the group of users, that will use the root account (which shhould be as small as possible) and how you implement password management in general (when to change, who is allowed to change, procedure of changing and so on). A very good survey of that things can be found at

http://www.infrastructures.org/papers/bootstrap/bootstrap.html

The things I have in mind for that is building up a system which relies on public key authentication (secure shell), so you won't need UNIX passwords anymore.
Another approach would be using sudo and authorizing the aforementioned group of users to change root's password arbitrarily (this would change the password very often and the only one who knows it is the one who changed it recently, the other members don't need to know it because they can change it as easy). Strange thing, but the more you think it over the more elegant it looks.

mdet.

 

[bi]

mdet, what would you gain by letting anyone on the sudo list arbitrarily change root's password?