SUMMARY: Root passwords

Chris Nespor (cnespor@eos.hitc.com)
Tue, 11 Mar 1997 10:36:29 -0500

The original post:

> Hello Sun Managers,
>
> I have been tasked with some new responsibilities. One of which is
> controlling root passwords on our machines.
>
> I would like to know how you handle root passwords in a fairly large
> environment (300 + servers and workstations).
>
> 1. How many passwords do you use?
>
> a. Is 1 password used for all machines ?
> or
> b. Is 1 password used for a groups of machines ?
>
> 2. How do you control the passwords ?
>
> a. Do you give a list out to the admins ?
> if so how do you prevent that list from being left
> at a user's desk ?
>
> 3. How do you handle changing root passwords ?
>
> a. How often ?
> b. Who does the change, 1 person or many ?
>
> Anything else you may do that I have not mentioned ?
>
> Thank you for your time and information.
>
> I will summarize.

#####################################

Fist let me say thanks to all who responded and sorry for taking so long
to summarize.

The replies were many, again thanks to:

Andrew Ho <andrew@taligent.com>
Daniel Baker <dbaker@hobbes.cuckoo.com>
fpardo@tisny.com (Frank Pardo)
Sean Ward <seanw@amgen.com>
Matthew Stier" <mstier@hotmail.com>
Chris Marble <cmarble@orion.ac.hmc.edu>
matthew zeier <mrz@3com.com>
robin.landis@imail.exim.gov
esilva@netcom.com (Eduardo E. Silva)
Movva Mohan Kumar <movvam@duettech.com>
uvaghela@one2one.co.uk (Umesh Vaghela)
D.White@mcs.surrey.ac.uk
poore@vistachrome.com (David Poore)
irac@gate.comdata.com (Ira Childress)
reynolds@acetsw.amat.com (John Reynolds)
iv08480@WPRT13.MDC.COM (C.Melville)
Reto Lichtensteiger <rali@meitca.com>
Jim Harmon <jharmon@telecnnct.com>
Rich Casto <rc@surreal.org>
bern@uni-trier.de
johnf@i84.net

The majority said they use 1 password per group of machines i.e.. 1 for
development 1 for workstations etc.. This keeps the total number of
root passwords to a minimum. The 4 or 5 passwords are then memorized by
the administrators.

Many people use 1 root password for all machines. The password is known
only by a few key people. Root access to the machines is controlled by
sudo http://www.courtesan.com/courtesan/products/sudo/.

Others use a pattern using some letters from the node's name, an
arbitrary non alphabetic character and a nonsense syllable. (The non
alphabetic character and nonsense syllable are the same for all systems
..) For example:

The pattern may be the 3rd to the 5th characters of the hostname (4th
capitalized to mix things up a bit ...), followed by a #, followed
by "gah"

So for corniche.hsl.meitca.com the root password might be: rNi#gah

If you know the pattern, you have access to all systems.
Daniel Baker (dbaker@cuckoo.com)

################################

esilva@netcom.com (Eduardo E. Silva) had the following:

This is a very common problem in large environments. On method I have
used in the past is to:

) Create 'root' accounts for sys. admins.:

root:x:0:1:Super-User:/:/usr/bin/ksh
rnespor::x:0:1:Chris Nespor ROOT:/usr/root/rnespor:/bin/ksh
rsilva::x:0:1:Ed SilvaROOT:/usr/root/rsilva:/bin/ksh
r<...>::x:0:1:Chris Nespor ROOT:/usr/root/<...>:/bin/ksh

if you have NIS/NIS+ add the 'root' accounts there. This lets
each sysadmin have their OWN root accounts on all systems, and keep
root the same on all hosts.

################################

irac@gate.comdata.com (Ira Childress) provided the following script to
change root password from a trusted host:

The script I sent you has to be kicked off by root. The machine that
runs the script must have root access (.rhosts file) to all the machines
that it is going to change. The list of machines can be a file with
little modification to the script. With some inventiveness, groups of
machines could be set up with lagging passwords. (See the last part of
the script that changes the development machines).

Hope this helps.

Ira

#!/bin/sh
#
# Monthly update of passwords on key servers
#
# Written by Ira Childress
# Date: 09/01/95
#
DEV_PWD=`cat /etc/passwd | head -1 | cut -f2 -d:`
echo "Changing root password on servers. Start with
this server first:
"
status=`passwd root`
status=`echo $status | awk '{print $7}'`
if [ "$status" = "Mismatch" ] ; then
echo "Mismatch. The passwords you entered do not match. Try again."
exit
fi
NEW_PWD=`cat /etc/passwd | head -1 | cut -f2 -d:`
echo ""
echo "Processing Solaris machines:"
for sys in cdm cdm02 cdm03 cdm04 cdm06 3480serv ibm_rmt con1 cs_253
cs_254 homedir dns_host 3480old parser2 parser3 parser4 ; do
/usr/5bin/echo "Updating $sys... \c"
rcp $sys:/etc/shadow /tmp/x
OLD_PWD=`cat /tmp/x | head -1 | cut -f2 -d:`
cat /tmp/x | sed "s'${OLD_PWD}'${NEW_PWD}'" >/tmp/y
rcp /tmp/y $sys:/etc/shadow
rm /tmp/y /tmp/x
echo Done.
done
echo ""
echo "Processing Sun O/S machines:"
for sys in comdata amassims ; do
/usr/5bin/echo "Updating $sys... \c"
rcp $sys:/etc/passwd /tmp/x
OLD_PWD=`cat /tmp/x | head -1 | cut -f2 -d:`
cat /tmp/x | sed "s'${OLD_PWD}'${NEW_PWD}'" >/tmp/y
rcp /tmp/y $sys:/etc/passwd
rm /tmp/y /tmp/x
echo Done.
done
echo ""
#
# Development machines use previous months passwords
#
echo "Processing development machines:"
for sys in cdev cdev-ii ; do
/usr/5bin/echo "Updating $sys... \c"
rcp $sys:/etc/shadow /tmp/x
OLD_PWD=`cat /tmp/x | head -1 | cut -f2 -d:`
cat /tmp/x | sed "s'${OLD_PWD}'${DEV_PWD}'" >/tmp/y
rcp /tmp/y $sys:/etc/shadow
rm /tmp/y /tmp/x
echo Done.
done
echo "
Processing completed. Terminating."

#############################

As far as changing the passwords:

Except for the script above from Ira Childress most people change root
passwords by hand.

The frequency was determined by the following factors:

1. When an admin leaves the company.
2. If the password has been compromised.
3. A schedule that varied from 3 weeks to 2 years depending on the site.

Thank You,

--Chris Nespor

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~                                                ~
~     Chris Nespor                               ~
~     NASA's Earth Observing System              ~
~                                                ~
~     Hughes Technical Service Co.               ~
~     1616 McCormick Drive                       ~
~     Landover, MD 20774-5372                    ~
~     PH: 301.925.1143 / FAX 301.925.0419        ~
~     Email: cnespor@eos.hitc.com                ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~