[TriLUG] Root password management question

Kevin Flanagan kevin at flanagannc.net
Fri Aug 1 20:37:10 EDT 2008


We have a rapidly growing group of VMware ESX hosts; they are sort of Red Hat
under the hood.  In just a few weeks we will be well over 100 hosts.

We have some ideas, but please help me out with how folks manage root
passwords on that many hosts that you can't put agents on.

We have requirements from Information Security folks that no one person
should be able to get in to such a privileged account by themselves.

We currently have some good practices in place: those who log on must use
their own account, then sudo to do anything.  Unfortunately there are a few
things in VMware that take root-level access, adding a host to the cluster
being the most frequent one.  Those accounts use LDAP to authenticate against our
Active Directory, and only members of a specific group are allowed to log on to
those hosts.

We have some other infrastructure things that may help:
     RSA servers: these provide RADIUS auth via tokens without an agent,
just tell PAM to use RADIUS
     LDAP: we have a large Active Directory infrastructure

ESX has an "Emergency console", the highest VT bypasses PAM and uses files
for auth no matter what.

We are not at all opposed to making a different account that is UID/GID 0/0,
that may do the things that we want to do with root, perhaps that could
help.

We're open to a lot of things, but not to putting agents on these hosts.

Ideas?

Thanks in advance for all the help!

   Kevin