tickets #116710

closed

Gather missing root passwords

Added by crameleon about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Category: Core services and virtual infrastructure
Target version: -
Start date: 2022-09-18
Due date:
% Done: 0%
Estimated time:
Description

Hi,

Our policy (https://en.opensuse.org/openSUSE:Infrastructure_policy#openSUSE_infrastructure_policy) suggests service administrators should store the root passwords of machines in our pass repository.
Currently only a fraction of root passwords is available there, causing the repair of service disruptions to be delayed due to having to inquire multiple people about access to various systems.

I propose we compare the passwords in the repository with the list of machines in our administration (Salt pillar?), and add the missing ones as part of the next Heroes meeting.
If a machine does not allow for a shared root password (be it technical or compliance reasons), the reason should be documented, with information on whom to contact instead.

As an alternative solution, which may be preferable as it helps with auditing, we could change the policy to demand sudo root access for all administrators in a certain LDAP group.

What do you think?

Best,
Georg

Actions #1

Updated by bmwiedemann about 2 years ago

I think we should avoid using such shared secrets as much as we can.

Normal login should be with ssh+key (with or without sudo) and the only time a rootpw will be needed is with the emergency shell that can only be accessed over serial/VNC by SUSE's infra team. And with that level of access, you can also just set your own rootpw when needed.

So instead of documenting more rootpws, we could also go the opposite route and clear all of them in /etc/shadow with * (! would block ssh-key login).

There might be exceptions for remote machines outside our KVM-clusters such as stonehat.o.o.

Actions #2

Updated by crameleon about 2 years ago

I agree, but to access the emergency shell, one needs to reboot the machine, which causes service disruption. In either case there should be one way it's done on all, or at least the majority of, machines and it should be reflected in the policy. SSH key login and sudo access sound like a fine combination to me.

Actions #3

Updated by cboltz about 2 years ago

  • Private changed from Yes to No

The decision in the 2022-10-06 heroes meeting was to replace the root password with * and to use sudo everywhere.
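
A way to check that decision per machine, as an added example that is not part of the ticket or of openSUSE's tooling: the Python code below classifies the root password field of shadow(5) entries into the cases raised in comment #1 and reports hosts that deviate from `*`. The hostnames and shadow lines are constructed, and how each machine's file content is collected is left as an assumption.

```python
# Added example: audit the root password field of /etc/shadow contents.
# All hostnames and shadow lines below are constructed sample data.
from typing import Dict


def classify_password_field(field: str) -> str:
    """Classify the second field of a shadow(5) entry."""
    if field == "":
        return "empty"        # no password required at all
    if field.startswith("!"):
        return "locked"       # '!' prefix marks a locked password
    if field == "*":
        return "no-password"  # not a valid crypt(3) result, so no password login
    if field.startswith("$") and field.count("$") >= 3:
        return "hash"         # modular crypt format, e.g. $6$salt$digest
    return "other"            # legacy hash or unexpected content


def root_state(shadow_text: str) -> str:
    """Return the classification of the root entry, or 'missing'."""
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0] == "root":
            return classify_password_field(parts[1])
    return "missing"


def audit(hosts: Dict[str, str], wanted: str = "no-password") -> Dict[str, str]:
    """Map each host whose root entry differs from `wanted` to the state found."""
    states = {host: root_state(text) for host, text in hosts.items()}
    return {host: state for host, state in states.items() if state != wanted}


# Constructed sample input: hostname -> content of its /etc/shadow
SAMPLE = {
    "host-a.example": "root:*:19270::::::\nbin:!:19000::::::\n",
    "host-b.example": "root:!:19270::::::\n",
    "host-c.example": "root:$6$c0nstructed$notarealdigest:19270:0:99999:7:::\n",
    "host-d.example": "root::19270::::::\n",
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE).items()):
        print(f"{host}: root password field is '{state}', expected '*'")
```

An `empty` result is the one to treat as urgent, since an empty field means no password is required for that account.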

Actions #4

Updated by crameleon about 2 years ago

  • Status changed from New to Closed

Closing in favor of #117667.
