Ticket #116710 (closed): Gather missing root passwords
Description
Hi,
Our policy (https://en.opensuse.org/openSUSE:Infrastructure_policy#openSUSE_infrastructure_policy) suggests service administrators should store the root passwords of machines in our pass repository.
Currently only a fraction of root passwords is available there, causing the repair of service disruptions to be delayed due to having to inquire multiple people about access to various systems.
I propose we compare the passwords in the repository with the list of machines in our administration (Salt pillar?), and add the missing ones as part of the next Heroes meeting.
If a machine does not allow for a shared root password (be it technical or compliance reasons), the reason should be documented, with information on whom to contact instead.
As an alternative solution, which may be preferable as it helps with auditing, we could change the policy to demand sudo root access for all administrators in a certain LDAP group.
What do you think?
Best,
Georg
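The comparison proposed above, as an added example that is not part of the ticket or of openSUSE's own tooling: a POSIX shell script that lists the hosts with a root password entry in a pass(1) store and reports which hosts from an inventory file are missing. It assumes (not stated in the ticket) that root passwords are stored as <store>/root/<hostname>.gpg and that the inventory is a plain file with one hostname per line, such as the output of `salt-key -L` saved to disk; the hostnames in the sample data are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the ticket: find hosts without a root password
# entry in a pass(1) store.
#
# Assumed layout (hypothetical): <store>/root/<hostname>.gpg
# Assumed inventory: one hostname per line, '#' comments and blank lines allowed.

# Print, sorted, the hostnames that have a root password entry in the store.
hosts_in_store() {
    [ -d "$1/root" ] || return 0
    find "$1/root" -type f -name '*.gpg' \
        | sed -e 's#.*/##' -e 's#\.gpg$##' \
        | sort -u
}

# Print the inventory hosts that have no entry in the store ($1 = store, $2 = inventory).
missing_root_passwords() {
    known=$(mktemp)
    hosts_in_store "$1" > "$known"
    grep -v '^[[:space:]]*#' "$2" \
        | grep -v '^[[:space:]]*$' \
        | sort -u \
        | comm -23 - "$known"        # lines only in the inventory
    rm -f "$known"
}

# --- constructed sample data so the script runs offline -------------------
demo_root=$(mktemp -d)
store="$demo_root/password-store"
mkdir -p "$store/root"
# constructed entries; placeholder names, not real openSUSE hosts
touch "$store/root/web1.example.org.gpg" "$store/root/db1.example.org.gpg"
printf '%s\n' '# minions as reported by salt-key -L (constructed list)' \
    'web1.example.org' 'db1.example.org' \
    'mail1.example.org' 'build1.example.org' \
    > "$demo_root/minions.txt"

echo "Hosts without a root password entry:"
missing_root_passwords "$store" "$demo_root/minions.txt"
# The sample tree under $demo_root is left in place; remove it when done.
```

With a real store, point `store` at `~/.password-store` (or the team repository checkout) and feed the inventory from the Salt master; every host printed is one where a responder would currently have to ask around for access.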
Updated by bmwiedemann about 2 years ago
I think, we should avoid using such shared secrets as much as we can.
Normal login should be with ssh+key (with or without sudo) and the only time a rootpw will be needed is with the emergency shell that can only be accessed over serial/VNC by SUSE's infra team. And with that level of access, you can also just set your own rootpw when needed.
So instead of documenting more rootpws, we could also go the opposite route and clear all of them in /etc/shadow with * (! would block ssh-key login).
There might be exceptions for remote machines outside our KVM-clusters such as stonehat.o.o
Updated by crameleon about 2 years ago
I agree, but to access the emergency shell, one needs to reboot the machine, which causes service disruption. In either case there should be one way it's done on all, or at least the majority of, machines and it should be reflected in the policy. SSH key login and sudo access sound like a fine combination to me.
Updated by cboltz about 2 years ago
- Private changed from Yes to No
The decision in the 2022-10-06 heroes meeting was to replace the root password with * and to use sudo everywhere.
Updated by crameleon about 2 years ago
- Status changed from New to Closed
Closing in favor of #117667.