Actions
tickets #117667
openRemove root passwords
Added by crameleon over 1 year ago. Updated 7 months ago.
Status:
Workable
Priority:
Normal
Assignee:
Category:
Core services and virtual infrastructure
Target version:
-
Start date:
2022-10-06
Due date:
% Done:
0%
Estimated time:
Description
As a result of #116710, we will replace root passwords with * and remove them from our pass repository after ensuring root access using sudo for LDAP users in the wheel group is functional.
Updated by crameleon over 1 year ago
- Tracker changed from communication to tickets
- Private changed from Yes to No
Updated by crameleon over 1 year ago
- Status changed from New to In Progress
Before testing sudo/wheel functionality I performed some basic tests.
- Machines I can generally access with my IPA account using SSH public key authentication:
rpmlint.infra.opensuse.org
gcc-stats.infra.opensuse.org
matrix.infra.opensuse.org
ci-opensuse.infra.opensuse.org
mybackup.infra.opensuse.org
mailman3.infra.opensuse.org
community.infra.opensuse.org
narwal5.infra.opensuse.org
mirrordb1.infra.opensuse.org
moodle.infra.opensuse.org
dale.infra.opensuse.org
new-forum.infra.opensuse.org
chip.infra.opensuse.org
lnt.infra.opensuse.org
jekyll.infra.opensuse.org
metrics.infra.opensuse.org
mickey.infra.opensuse.org
water3.infra.opensuse.org
water4.infra.opensuse.org
mirrorcache2.infra.opensuse.org
opi-proxy.infra.opensuse.org
scar.infra.opensuse.org
monitor.infra.opensuse.org
mx2.infra.opensuse.org
pinot.infra.opensuse.org
riesling.infra.opensuse.org
mx1.infra.opensuse.org
mx-test.infra.opensuse.org
tsp.infra.opensuse.org
pontifex2.infra.opensuse.org
etherpad.infra.opensuse.org
narwal6.infra.opensuse.org
backup.infra.opensuse.org
water.infra.opensuse.org
progress.infra.opensuse.org
svn.infra.opensuse.org
nue-ns1.infra.opensuse.org
nue-ns2.infra.opensuse.org
olaf.infra.opensuse.org
narwal7.infra.opensuse.org
mirrordb2.infra.opensuse.org
matomo.infra.opensuse.org
galera1.infra.opensuse.org
elsa.infra.opensuse.org
nuka.infra.opensuse.org
kubic.infra.opensuse.org
obsreview.infra.opensuse.org
pagure01.infra.opensuse.org
discourse01.infra.opensuse.org
riesling3.infra.opensuse.org
anna.infra.opensuse.org
minnie.infra.opensuse.org
narwal4.infra.opensuse.org
- Machines I encounter
Could not chdir to home directory /home/crameleon: No such file or directoryon (are we usingmkhomedir_helperin PAM?):
galera3.infra.opensuse.org
galera2.infra.opensuse.org
freeipa2.infra.opensuse.org
- Machines I encounter
Permission deniedon:
gitlab-runner1.infra.opensuse.org
ipx-galera2.infra.opensuse.org
mx3.infra.opensuse.org
status1.infra.opensuse.org
status3.infra.opensuse.org
ipx-galera3.infra.opensuse.org
ipx-galera1.infra.opensuse.org
ipx-narwal1.infra.opensuse.org
slimhat.infra.opensuse.org
mirrorcache-stats.infra.opensuse.org
gitlab-runner2.infra.opensuse.org
jenkins.infra.opensuse.org
forum.infra.opensuse.org
community2.infra.opensuse.org
mirrorcache.infra.opensuse.org
progressoo.infra.opensuse.org
pmm.infra.opensuse.org
mirrorcache-backstage.infra.opensuse.org
nala2.infra.opensuse.org
login3.infra.opensuse.org
mirrorcache-us-db.infra.opensuse.org
status2.infra.opensuse.org
provo-galera2.infra.opensuse.org
provo-galera1.infra.opensuse.org
nala.infra.opensuse.org
provo-ns.infra.opensuse.org
mirrorcache-us.infra.opensuse.org
provo-mirror.infra.opensuse.org
provo-proxy1.infra.opensuse.org
provo-gate.infra.opensuse.org
- Machines I can not reach:
ssh: Could not resolve hostname osc-collab2.infra.opensuse.org: Name or service not known
ssh: connect to host elections2.infra.opensuse.org port 22: No route to host
ssh: Could not resolve hostname provo-galera3.infra.opensuse.org: Name or service not known
Updated by crameleon 7 months ago
Revisiting this, thinking this might be a better solution:
https://clinta.github.io/random-local-passwords/
Avoiding common root passphrases, whilst allowing access to machine specific ones when needed for system recovery.
Updated by crameleon 7 months ago
Work in progress:
https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/735
Actions