My philosophy has always been to make root's password completely random for each machine, document it somewhere secure, and then use sudo for all management requirements.
However, I've never worked in a situation where there were more than two or three active system admins for the entire network, so I'm not sure how scalable this method is (although it's much easier to copy /etc/sudoers around than /etc/shadow, assuming you already have a method for generating passwd file entries -- NIS or LDAP, or something more homegrown, which is what I'm prone to).

Since root's password is random, and you're using sudo to gain su access, you then set up a key structure for all root logins (for updating /etc/sudoers, or performing "pull" backups, for instance) in which only one or two machines -- preferably ones which are not accessible to anyone easily -- can root into the machines via ssh and private/public key pairs.

The only time not knowing what a machine's root password is becomes an issue is when it decides to go explodey and you've got to boot it into single user and do some maint on it. But you've got the root passwd documented (and possibly printed out and locked up in a Big Black Folder of DOOM in a fireproof safe hidden in the middle of the Yucatan), so that's only a minor inconvenience.

On Wed, Dec 04, 2002 at 01:15:58PM -0800, Mike Egglestone wrote:
> Hi,
> Is there a debian package for syncing root passwords on multiple servers?
> If I had a 100 debian servers, and want the root passwords all be the same,
> is there a util that will sync just the root password?
>
> or perhaps someone has a script they use?
>
> At first glance, it appears that I start with one server,
> change the password, extract the encrypted line from /etc/shadow and somehow
> copy this line to all other servers at /etc/shadow.
>
> Thanks for any suggestions!
>
> Cheers,
> Mike

--
bda
Cyberpunk is dead. Long live cyberpunk.
http://mirrorshades.org
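
The scheme described in this reply, as an added shell example that is not part of the original message: one random root password per host recorded in a vault file, a root authorized_keys entry that sshd accepts only from the management hosts, and a check that sshd permits root logins by key only. The hostnames, the vault file format and the function names are assumptions.

```sh
#!/bin/sh
# Added example. Hostnames, key material and paths are constructed;
# nothing here contacts a remote host.
ADMIN_HOSTS="admin1.example.org,admin2.example.org"  # assumed management hosts

# 128 bits from the kernel CSPRNG, hex-encoded (32 characters).
gen_root_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Record one fresh password per host in a vault file readable only by its owner.
provision() {  # $1 = vault file, remaining arguments = hostnames
    vault=$1; shift
    ( umask 077; : > "$vault" )
    for host in "$@"; do
        pw=$(gen_root_password)
        printf '%s %s\n' "$host" "$pw" >> "$vault"
        # A real run would set it over the key-based root login, via stdin:
        #   printf 'root:%s\n' "$pw" | ssh root@"$host" chpasswd
    done
}

# authorized_keys entry for root that sshd accepts only from the admin hosts.
root_key_line() {  # $1 = public key, e.g. "ssh-ed25519 AAAA... comment"
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
        "$ADMIN_HOSTS" "$1"
}

# sshd keeps the first value it reads for a keyword, so inspect the first
# uncommented PermitRootLogin line. A missing line is reported as a failure
# because the default differs between OpenSSH versions. Match blocks are ignored.
root_login_key_only() {  # $1 = path to an sshd_config file
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    case $val in
        prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "$#" -ge 2 ]; then provision "$@"; fi
```

The vault file written by `provision` stands in for the "documented somewhere secure" copy and belongs on offline or encrypted storage, not on the management host itself.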