private servers sharing common root

Mark Lane lmlane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Jun 24 16:04:04 UTC 2010


On Thu, Jun 24, 2010 at 12:02 PM, Mark Lane <lmlane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On Thu, Jun 24, 2010 at 10:32 AM, teddy <teddy-5sHjOODPK7E at public.gmane.org> wrote:
>>
>> See a setup where they are building a lot of new servers.
>> To enable scripts and automation they all share a common root password.
>>
>> I have learned that the same passwords on multiple servers, especially the
>> same root password, is a recipe for an insane amount of work, especially if
>> there is a security breach, because ALL the servers with the common password
>> must be considered compromised.
>>
>> Now in this instance, these are private servers, not available to the
>> outside public. They are relatively safe and secure. Nevertheless, if a
>> security breach does occur they are all considered compromised.
>>
>> Can a bash script that sets up a common root password somehow operate on
>> servers with different root passwds?
>>
>> (Sorry if it sounds confusing. I am confused too at this time)
>> Perhaps in a few days I can repost with a clearer picture :)
>>
>
> Yes, you can script a different password for each server. I've seen a
> password store used where the passwords for different resources were
> in individual files and only users/scripts with the correct
> permissions could read them. You can also use ssh keys.
>
> However, why do you need to log in as root to administer the box? You
> could just use sudo or create a less privileged user to do your
> administration. How are these servers authenticating? Are they using
> shared authentication through LDAP or NIS?
>
I mean administer by script as root.

-- 
Mark Lane <lmlane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
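An added example, not from anyone in this thread: a POSIX sh script that does what Mark describes, one unique root password per host, each kept in its own owner-only file, pushed over an ssh key-authenticated login as an unprivileged admin account that runs `chpasswd` through sudo. The host names, the `deploy` account, the store path under `$HOME/.rootpw-store`, and a sudo rule that lets that account run `chpasswd` without a prompt are all assumptions for illustration. `DRY_RUN=1` prints the remote command instead of connecting, so the script can be exercised without any servers.

```shell
#!/bin/sh
# Added example: per-host root passwords from a script, with an owner-only
# password store and ssh key auth. Host names and paths are assumptions.

# Directory holding one file per host, e.g. $STORE/web01.pw (assumed path).
STORE="${STORE:-$HOME/.rootpw-store}"
# Set DRY_RUN=1 to print the remote command instead of running ssh.
DRY_RUN="${DRY_RUN:-0}"
# Account with ssh key access and a NOPASSWD sudo rule for chpasswd (assumed).
ADMIN_USER="${ADMIN_USER:-deploy}"

# Generate a 24-character random password from the kernel RNG.
gen_password() {
    # LC_ALL=C keeps tr byte-oriented; head stops once 24 chars are collected.
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Create the store so that only its owner can list or read it.
init_store() {
    umask 077
    mkdir -p "$STORE"
    chmod 700 "$STORE"
}

# Record a host's password in its own file, readable by the owner only.
store_password() {
    host="$1"; pw="$2"
    umask 077
    printf '%s\n' "$pw" > "$STORE/$host.pw"
    chmod 600 "$STORE/$host.pw"
}

# Read back the stored password for a host.
get_password() {
    cat "$STORE/$1.pw"
}

# Push the stored password to the host. The password goes to chpasswd's
# stdin inside the encrypted ssh session, never onto a command line where
# ps or shell history could expose it.
push_password() {
    host="$1"
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ssh %s@%s sudo chpasswd  (stdin: root:<password for %s>)\n' \
            "$ADMIN_USER" "$host" "$host"
    else
        printf 'root:%s\n' "$(get_password "$host")" \
            | ssh "$ADMIN_USER@$host" sudo chpasswd
    fi
}

# Rotate every listed host: a fresh, unique password each, stored then pushed.
rotate_all() {
    init_store
    for host in "$@"; do
        store_password "$host" "$(gen_password)"
        push_password "$host"
    done
}

# Usage with constructed host names:  DRY_RUN=1 sh rotate.sh web01 web02 db01
if [ "$#" -gt 0 ]; then
    rotate_all "$@"
fi
```

A compromise of one host now costs one password, and the scripts that need root on host X read only `$STORE/X.pw`, so the store's file permissions decide which accounts can reach which password, which is the property the thread is after.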