
Good way to manage password changes?

Scarpozzi

Lifer
I'm probably going to scale up to around 40-50 servers again soon that I have to manage. There are security policies that require me to change the root & admin passwords on these systems monthly.

Is there a good way to automate this somehow without too much risk of something going wrong...or am I going to need to schedule a few days to knock all these changes out? I thought about configuring the servers for LDAP or TACACS, but didn't know how that'd work with root. Anyone have any experience with that sort of thing?
 
I generally did manual root password changes on my systems. Every system would get a unique root password. It was a PITA, but the process worked. Run password generating script, ssh to server, change password, ssh to server again and su to root to test.
Monthly is too short though. 90 days is about right. Change the policy. 😉
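
The manual routine described in the post above (generate a password, change it over ssh, log in again to test), scripted as an added example that is not part of the thread. It assumes Linux hosts with `chpasswd`, key-based SSH as an admin user and passwordless sudo; the hostnames, the `verify` hook and the function names are hypothetical.

```python
import secrets
import string
import subprocess

# ':' and newline are excluded because chpasswd uses them as delimiters.
ALPHABET = string.ascii_letters + string.digits + "_@%+=-"


def generate_password(length=24):
    """Draw from the OS CSPRNG until lower, upper and digit are all present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) \
                and any(c.isdigit() for c in pw):
            return pw


def ssh_chpasswd(host, account, password):
    """Assumed transport: key-based SSH as an admin user with passwordless sudo.
    The password goes over stdin, so it never shows up in argv or shell history."""
    proc = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", host, "sudo", "-n", "chpasswd"],
        input=f"{account}:{password}\n", text=True,
        capture_output=True, timeout=30)
    return proc.returncode == 0


def rotate(hosts, verify, account="root", apply=ssh_chpasswd):
    """Return (changed, failed). changed maps host -> new password for hosts that
    passed both steps; failed maps host -> 'apply' or 'verify'. A 'verify' failure
    means the password may already have changed, so that host needs a manual look."""
    changed, failed, used = {}, {}, set()
    for host in hosts:
        pw = generate_password()
        while pw in used:          # every host gets its own password
            pw = generate_password()
        used.add(pw)
        if not apply(host, account, pw):
            failed[host] = "apply"
        elif not verify(host, account, pw):
            failed[host] = "verify"
        else:
            changed[host] = pw
    return changed, failed


if __name__ == "__main__":
    # Constructed dry run: fake transport, placeholder hostnames, no network.
    fake_ok = lambda host, account, pw: host != "db02.example"
    print(rotate(["web01.example", "db02.example"], verify=fake_ok,
                 apply=lambda h, a, p: True)[1])
```

The `verify` callable stands in for the second login and `su` test; the `changed` mapping holds plaintext passwords and belongs in the encrypted store, not on disk.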
 
Originally posted by: n0cmonkey
I generally did manual root password changes on my systems. Every system would get a unique root password. It was a PITA, but the process worked. Run password generating script, ssh to server, change password, ssh to server again and su to root to test.
Monthly is too short though. 90 days is about right. Change the policy. 😉
Believe me, I want to...my understanding is they're enforcing password policies on some Solaris servers and all lesser servers are following the same policy for the heck of it.

I've only been here a month and a half, so I'm going to hold out a bit longer before I start changing current policy. That's all I've been doing is SSHing to the servers and changing them...honestly, my systems won't need the changes as frequently because root won't be used for anything and will be disabled across all ssh daemons. (unlike some current systems in production)
 
There's some documentation out there on how short password expiry times encourage people to write down passwords (most likely insecurely). Might help with the fight later. 😉
 
Originally posted by: n0cmonkey
There's some documentation out there on how short password expiry times encourage people to write down passwords (most likely insecurely). Might help with the fight later. 😉
We're using an encryption tool to distribute them to the other admins...so yeah, they're all written down in an encrypted DB that's on everyone's desktop. I'm going to see about getting an OpenLDAP or other free LDAP solution up and running so I can at least reduce the number of non-root changes I have to do. We've got a lot of secondary accounts that don't really need to be manually replicated. 😛
 