
Losing root password


s2budd (Technical User, GB), May 15, 2001
I need to create a secure "back door" root access to a Unix environment, because the current team managing and changing root passwords does so very frequently and loses one about once a month. This causes problems, both political and locational (many of the machines are spread throughout the world in different sites).

Possible solutions are:

1) Leave a machine logged in on a root window for every machine.
   This is an option but not very practical and a bit of a security risk.

2) Set up a new user account, say ops, with a UID of 0.
   This would effectively create another root account; only use the account to log in and change the root password when it is lost.

   Is it really a security risk to create another account with UID=0?

3)
   a. Set up a new user account ops (not with UID = 0)
   b. Instead of a shell, have the account run a script on login,
      something like /usr/local/pwchange.ksh
   c. Install sudo and add user ops to command passwd
   d. Script to look some
 
Sorry - lost the script info. Here it is:

script:
#!/bin/ksh
trap '' INT QUIT           # disable interrupts from user
echo "Password change script - enter new password"
sudo /usr/bin/passwd root  # full path, so the sudoers rule can match only this command
exit                       # never drop the ops user to a shell prompt
# end of script
 
Some organizations can handle having more than one root account, but if your organization is losing root's password about once a month, I think this might cause more problems than it solves for you.

Leaving a root login running all the time is even worse (in my opinion) than having two root accounts.

The script idea sounds good, but I'm wondering if you just have sudo installed, give the rights to change root's password to one login (that has to be su'd to so you know who is using that login) and just use sudo to change the password? That way you don't really need a script.

I also would suggest that your organization establish some rules on changing root's password and establish a routine of keeping the root password written down in a secure place (some places use vaults for this purpose). Make sure that people can't log in as root directly and keep a log of who is su'ing so you might have some idea who is changing the password and not letting folks know.
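Worked example, added here and not code from either post above: a restricted login shell that implements option 3 of the original post (a non-root ops account whose shell does nothing but run sudo passwd root) together with a check on the sudoers rule the reply suggests. The account name ops, the path /usr/local/pwchange.sh, the path /usr/bin/passwd and the sudoers line itself are assumptions; the sudoers line has to be added with visudo, and the ops account's shell field in /etc/passwd pointed at the script.

```shell
#!/bin/sh
# /usr/local/pwchange.sh (assumed path): login shell for the non-root "ops"
# account. Added example, not code from the original thread.
#
# Assumed sudoers entry, added with visudo (hypothetical; adjust the path):
#
#     ops ALL = (root) /usr/bin/passwd root
#
# The ops account gets this script as its shell in /etc/passwd.

PASSWD_BIN=/usr/bin/passwd   # assumed; confirm with: command -v passwd
TARGET_USER=root

# The exact command the shell runs. The absolute path and the literal
# argument "root" are what let the sudoers rule match this command only.
pwchange_command() {
    printf 'sudo %s %s\n' "$PASSWD_BIN" "$TARGET_USER"
}

# Check that a sudoers line grants nothing beyond "passwd root".
# A rule whose command part is "/usr/bin/passwd" (no argument), "ALL", or a
# wildcard lets ops change any account's password or run anything as root.
# Returns 0 if the rule is acceptably narrow, 1 otherwise.
sudoers_line_is_narrow() {
    # squeeze whitespace so "ALL = (root)" and "ALL=(root)" compare equal,
    # then keep only the command part that follows "(runas)"
    cmnd=$(printf '%s' "$1" | tr -s '[:space:]' ' ' \
           | sed 's/^.*=[ ]*([^)]*)[ ]*//; s/ *$//')
    [ "$cmnd" = "$PASSWD_BIN $TARGET_USER" ]
}

main() {
    # Ignore interrupt, quit, suspend and hangup so the user cannot break
    # out of the script into a shell ("disable interrupts" in the post).
    trap '' INT QUIT TSTP HUP
    echo "Password change script - enter new password for $TARGET_USER"
    echo "Running: $(pwchange_command)"
    # sudo prompts for the ops password and logs user, tty and command to
    # syslog; passwd run as root does not ask for the old root password.
    sudo "$PASSWD_BIN" "$TARGET_USER"
    status=$?
    # Exit explicitly so the session ends here and never reaches a prompt.
    exit "$status"
}

# Run main only when started as a login shell ($0 begins with "-") or by
# its own name; sourcing the file elsewhere defines the functions only.
case $0 in
    -*|*pwchange.sh) main ;;
esac
```

The narrowness check is the caveat worth keeping: sudo matches arguments literally, so a rule ending in `/usr/bin/passwd` without the `root` argument lets ops reset any account, and `(ALL) ALL` hands over root outright. Because every sudo invocation is written to syslog with the calling user, this also gives the "who changed it" log the reply asks for without anyone logging in as root directly.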
 