private servers sharing common root

Fabio FZero fabio.fzero-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Jun 24 16:12:47 UTC 2010


Why not administer by script as root, but logging in from another
server using an SSH key? By doing this you simply don't have to worry
about passwords and the whole setup can become even more secure.

Don't forget that this works:

$ ssh root@server 'echo "This will run on the server, and could be any command"'

I did this all the time to manage my EC2 servers.

- FZ
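The keyed, script-driven root administration FZ describes, written out as an added example (not code from the thread): one private key per server so a leaked key is revoked on one box rather than all of them, and a forced command on the server side so the key cannot run anything else. The hostnames, the key directory and the /usr/local/sbin/admin-task command are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. Hostnames, key paths and the
# /usr/local/sbin/admin-task command are assumptions.

# authorized_keys entry to install on each server: the key may only run the
# named command and gets no shell, pty or forwarding. Pair it with
# "PermitRootLogin forced-commands-only" in sshd_config.
# $1 = forced command, $2 = public key text
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Options the admin host always uses: BatchMode refuses to fall back to a
# password prompt, IdentitiesOnly offers just the named key, and strict
# host-key checking rejects a server whose host key has changed.
SSH_OPTS='-o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes'

# Run one command on every host listed in a file (one host per line), using
# $keydir/<host>.key for each. SSH_BIN may be overridden for a dry run.
# $1 = host list file, $2 = key directory, rest = remote command
run_on_hosts() {
    hostfile=$1; keydir=$2; shift 2
    while read -r host; do
        if [ -z "$host" ]; then continue; fi
        # </dev/null: otherwise ssh would read (and swallow) the rest of the host list
        "${SSH_BIN:-ssh}" $SSH_OPTS -i "$keydir/$host.key" "root@$host" "$@" </dev/null \
            || echo "FAILED: $host" >&2
    done < "$hostfile"
}
```

If the admin host itself is compromised every per-host key goes with it, so it deserves the same care as the root password it replaces.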

On Thu, Jun 24, 2010 at 12:04, Mark Lane <lmlane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On Thu, Jun 24, 2010 at 12:02 PM, Mark Lane <lmlane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
>> On Thu, Jun 24, 2010 at 10:32 AM, teddy <teddy-5sHjOODPK7E at public.gmane.org> wrote:
>>>
>>> See a setup where they are building a lot of new servers.
>>> To enable scripts and automation they all share a common root password.
>>>
>>> I have learned that the same passwords on multiple servers, especially the
>>> same root password, is a recipe for an insane amount of work, especially if
>>> there is a security breach, because ALL the servers with the common password
>>> must be considered compromised.
>>>
>>> Now in this instance, these are private servers, not available to the
>>> outside public. They are relatively safe and secure. Nevertheless, if a
>>> security breach does occur they are all considered compromised.
>>>
>>> Can a bash script that sets up a common root password somehow operate on
>>> servers with different root passwds?
>>>
>>> (Sorry if it sounds confusing. I am confused too at this time)
>>> Perhaps in a few days I can repost with a clearer picture :)
>>>
>>
>> Yes, you can script a different password for each server. I've seen a
>> password store used where the passwords for different resources were
>> in individual files and only users/scripts with the correct
>> permissions could read it. You can also use ssh keys.
>>
>> However, why do you need to log in as root to administer the box? You
>> could just use sudo or create a less privileged user to do your
>> administration. How are these servers authenticating? Are they using
>> shared authentication through LDAP or NIS?
>>
> I mean administer by script as root.
>
> --
> Mark Lane <lmlane-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>