Linux – Server credential management for Linux and Windows

Tags: active-directory, linux, puppet, security, windows-server-2008

We are a relatively small shop (as far as number of sysadmins) with a mix of RHEL, Solaris, Windows 2003 and Windows 2008 servers; about 200 servers in all.

For our administrator accounts (root in Linux and administrator in Windows), we have a password scheme that depends on the data center location and a couple of other documented properties of the server.

On Linux, our current practice is to create a shared non-privileged account where we could su to root. On Windows-based systems, we create an additional account with administrator privileges. Both of these accounts share the same password.

This has proven to be very inefficient. When somebody leaves our shop, we have to:

  1. Change the password scheme for the administrator accounts
  2. Generate a new administrator password for each and every server
  3. Come up with a new non-administrator account password
  4. Touch every server and change the passwords

I wanted to know if anyone in a similar environment can suggest a more sane way of managing these credentials. Some relevant information:

  • Although most of our servers are part of our AD domain, not all are.
  • We manage all our Linux servers with Puppet (key authentication was an option I thought of but it will only address the #3 concern from above).
  • We provision Linux servers with Cobbler.
  • About 10% of our hardware is dedicated to VMware. In those cases, we use VMware templates for server builds.

Any ideas or suggestions will be greatly appreciated. This is a problem that has been lingering for some time and I finally want to resolve it.

Best Answer

A few suggestions I would have are:

  • Windows AD connected servers can have their local administrator passwords set through group policy by using either Group Policy Preferences (GPP) or a computer startup script. See http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b1e94909-bb0b-4e10-83a0-cd7812dfe073/

  • Limit creation of local accounts on Windows servers unless required. Use AD accounts when possible.

  • Use LDAP for Linux computers to authenticate administrator accounts to AD. This simplifies account management somewhat. And when an admin leaves, just disable the account in one place and they have no access; then you can clean up the Linux side at your leisure.

  • Use the /etc/sudoers file for specific admin accounts on Linux; then the admins don't need the root password. This may be good in your instance because then they will rarely need the root password, so it can be locked away. Updated

  • Keep root and local administrator passwords in a password safe, not as general knowledge. Some password safes have delegation and logging, so you may not even need to reset a password if the person never had access to it.

  • Automate the password reset process for root and admin accounts. Both Linux and Windows can be scripted to do this, so it may save you some time and not make it so much of a burden.

Hope that helps.
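
The last two suggestions in the answer above (password safe, scripted resets) combined into one sketch; this is an added example, not part of the original answer. It replaces a derivable password scheme with one random root password per host. The function names, the tab-separated plan format and the example.com host names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: one random root password per host, for a scripted rotation run.
set -eu
umask 077   # anything this script writes is readable by the owner only

# gen_password [LEN]: LEN characters (default 24) from the kernel CSPRNG.
# The alphabet leaves out ':' and whitespace, which delimit chpasswd input.
gen_password() {
    _len="${1:-24}"
    _pw=""
    while [ "${#_pw}" -lt "$_len" ]; do
        _pw="${_pw}$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9_@%+=')"
    done
    printf '%s\n' "$_pw" | cut -c "1-${_len}"
}

# rotation_plan INVENTORY: prints "host<TAB>root<TAB>password" per host.
# Blank lines and '#' comments are skipped; a repeated host aborts the run so
# the safe never holds two candidate passwords for one server.
rotation_plan() {
    _seen=""
    while IFS= read -r _host || [ -n "$_host" ]; do
        case "$_host" in ''|'#'*) continue ;; esac
        case " $_seen " in
            *" $_host "*) echo "duplicate host: $_host" >&2; return 1 ;;
        esac
        _seen="$_seen $_host"
        printf '%s\troot\t%s\n' "$_host" "$(gen_password 24)"
    done < "$1"
}

# chpasswd_input PLAN HOST: the "user:password" line chpasswd(8) reads on stdin.
chpasswd_input() {
    awk -F '\t' -v h="$2" '$1 == h { print $2 ":" $3 }' "$1"
}

# Constructed inventory for demonstration; real names come from your own list.
inv=$(mktemp)
plan=$(mktemp)
printf '%s\n' '# dc1' 'web01.example.com' 'db01.example.com' > "$inv"
rotation_plan "$inv" > "$plan"
echo "wrote $(wc -l < "$plan" | tr -d ' ') credentials to $plan"
rm -f "$inv"
```

Import the plan into the password safe, feed each host's line to chpasswd on that host, then delete the plan file.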