5

We have just deployed a couple of Linux servers. Each sysadmin will have his own account on the server (i.e.: jsmith), and will connect using SSH with a certificate which will be put into the "authorized_keys" file in their home directory. Once connected on the server, if they want to issue an elevated command, they will do like:

sudo ifconfig

They will then enter the root password.

What I would like to know now are the best practices in managing that root password. Should I change it periodically? And how do I share that new password with the sysadmins?

**Of course I will disable the root logon in SSH.

Jonathan Rioux
  • 1,938
  • 6
  • 33
  • 57
  • 3
    Your example, sudo ifconfig, should be changed: regular users can use ifconfig to display network interfaces by typing /sbin/ifconfig, without sudo. –  Oct 29 '12 at 14:42
  • Actually I like Ubuntu's approach: root has no password! – amyassin Oct 30 '12 at 12:36

5 Answers

24

If they are using sudo, then it will ask for their password and not the root password, therefore no root password change is needed. Just be sure to give them proper privileges in the /etc/sudoers file.

samir
  • 341
  • 1
  • 3
  • This is a common misconception. And sudo only prompts for "password", so there's no way to know it wants the user password until you actually try it. – gbarry Oct 29 '12 at 17:19
  • 1
    Also, please look into only allowing these accounts access to the exact commands you wish to allow them to run. You can do this more easily by creating a **group** and assigning the permissions in sudo (via visudo) to said group. – earthmeLon Oct 29 '12 at 18:06
  • 5
    Unless sudo has been configured with the "targetpw" option - if it is, then the password of the destination user will be required. – Frands Hansen Oct 29 '12 at 19:24
  • 2
    @FrandsHansen did not know about the targetpw option. interesting 'feature' – samir Oct 29 '12 at 20:49
  • 3
    @samir, the targetpw option is often used if sudo is there for the matter of auditing rather than allowing easy access. Having that option ensures that only people who have root access can use sudo, and it is often implemented when also limiting the usage of "su". One can always do "sudo su" but that would be logged (and shipped off instantly in the event of remote logging). Does that make sense? – Frands Hansen Oct 29 '12 at 22:42
  • @FrandsHansen, I get this auditing part (quite an interesting point, need to remember it), but I don't have that much experience with su to understand this second part. Will try to do some reading on the su command for better understanding (I might have read it and missed it too) – samir Oct 29 '12 at 23:13
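
Which password sudo prompts for, as discussed in the answer and comments above, is decided by the sudoers Defaults. The following is an added example, not code from any poster: it reads a sudoers file and reports whose password will be requested. The function name and the sample files are constructed for illustration, and only global Defaults lines are considered.

```shell
#!/bin/sh
# Added example. Prints whose password sudo will ask for, judged from the
# global "Defaults" lines of a sudoers file (path given as $1).
# Assumptions: scoped entries (Defaults:user, Defaults>runas) and included
# files are not read; a later flag overrides an earlier one.
sudo_prompt_password() {
    awk '
        $1 == "Defaults" {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opt, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                o = opt[i]; gsub(/[ \t]/, "", o)
                if (o == "targetpw")  target = 1
                if (o == "!targetpw") target = 0
                if (o == "rootpw")    root = 1
                if (o == "!rootpw")   root = 0
            }
        }
        END {
            if (root)        print "root"
            else if (target) print "target user"
            else             print "invoking user"
        }' "$1"
}

# Constructed sample files: a stock-style policy and one using targetpw.
demo_dir=$(mktemp -d)
printf '%s\n' 'Defaults env_reset' '%sysadmin ALL=(ALL) ALL' > "$demo_dir/plain"
printf '%s\n' 'Defaults env_reset, targetpw' '%sysadmin ALL=(ALL) ALL' > "$demo_dir/targetpw"
for f in plain targetpw; do
    echo "$f: sudo asks for the $(sudo_prompt_password "$demo_dir/$f") password"
done
rm -rf "$demo_dir"
```
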
6

You don't need to worry about the root password when using sudo. Perhaps I would recommend disabling the root password by issuing

sudo passwd -l root

Although, before you do that, make sure that you've a relevant system user with all the privileges.

You can always get root console by issuing

sudo -i

Following is a small script I use to provision my servers.

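#!/bin/bash
# Provision a sysadmin account with sudo rights and an SSH key. Run as root.

set -e

# Create the admin group and the user, then add the user to the group.
addgroup sysadmin
adduser newuser
usermod -a -G sysadmin newuser

# Grant the group full sudo rights. printf is used so that \n becomes a real
# newline; a plain bash echo writes the two characters "\n" into the file.
chmod u+w /etc/sudoers
printf '\n# Added by <YOUR-NAME>\n%%sysadmin ALL=(ALL) ALL\n' >> /etc/sudoers
chmod u-w /etc/sudoers

# Create ~/.ssh for the new user and install the public key.
su newuser -c "mkdir /home/newuser/.ssh"
su newuser -c "chmod 0700 /home/newuser/.ssh"
su newuser -c 'echo "<YOUR-SSH-KEY>" >> /home/newuser/.ssh/authorized_keys'
su newuser -c "chmod 0644 /home/newuser/.ssh/authorized_keys"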

You may modify it according to your needs. Make it interactive, use a user variable etc. :)

Enjoy!

vagarwal
  • 855
  • 6
  • 8
2

There is one condition where you actually need the root password: if a filesystem fails fsck when booting, you will typically be prompted to enter the root password to obtain a shell prompt where you can repair the damage. At that point, neither regular user accounts nor SSH will be available. If the sysadmin doesn't know the root password, then the only other option would be to boot from alternate media.

200_success
  • 4,771
  • 1
  • 25
  • 42
  • 1
    Is that really necessary? Can't you just start the computer and set init=/bin/bash, and then change the password for root? – miono Oct 29 '12 at 20:44
  • In that case, you may boot in recovery mode to run fsck and even set root password. You don't necessarily need to boot from alternate media. – vagarwal Oct 30 '12 at 11:32
2

According to best practices:

  • root account should be set, and changed at least every 3 months.
  • SSH login with root user should be forbidden

    In /etc/ssh/sshd_config, comment out the following line:

    PermitRootLogin yes

  • Sysadmins should login with their own accounts and use sudo when escalated privileges are required.
  • Create a group and put all sysadmins users in it

    groupadd <sysadm_group>
    groupmod -A <user1>,<user2> <sysadm_group>

  • edit /etc/sudoers file.

    visudo

    Add at the bottom:
    %<sysadm_group> ALL=(ALL) ALL

  • Root password should be stored in a secure location, and used only in emergency situations.

fireto
  • 164
  • 3
  • 1
    Depending on how sshd has been compiled, it may not be enough to comment that line out to prevent root ssh logins; it may be necessary to explicitly set `PermitRootLogin no`. Don't forget to restart sshd once you've changed this. – MadHatter Nov 02 '12 at 10:19
  • The canonical name for `<sysadm_group>` is `wheel` – Hubert Kario Nov 02 '12 at 10:39
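
The difference between commenting out PermitRootLogin and setting it explicitly, raised in the comment above, can be checked mechanically. The following is an added example, not code from the answer or its comments: it resolves the global PermitRootLogin value from an sshd_config file and passes only on an explicit `no`. The function names and the sample file are constructed, and Include files and Match blocks are not followed.

```shell
#!/bin/sh
# Added example. Resolve the global PermitRootLogin value from an sshd_config
# file ($1). Assumptions: Include files and Match blocks are not followed;
# sshd keeps the first value it reads for a keyword.
permit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # comments and blank lines set nothing
        /^[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }  # global section ends at first Match
        {
            split($0, f, /[ \t=]+/)            # "Keyword value" or "Keyword=value"
            if (tolower(f[1]) == "permitrootlogin") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }' "$1"
}

# Exit status 0 only when root login is refused by an explicit setting.
root_login_explicitly_off() {
    case "$(permit_root_login "$1")" in
        no)    return 0 ;;
        unset) echo "PermitRootLogin not set: compiled-in default applies" >&2
               return 1 ;;
        *)     echo "PermitRootLogin permits some form of root login" >&2
               return 1 ;;
    esac
}

# Constructed sample: the "commented out" state described in the answer.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin yes' > "$sample"
root_login_explicitly_off "$sample" || echo "-> add the line: PermitRootLogin no"
rm -f "$sample"
```

On a live host, `sshd -T` prints the configuration sshd actually resolves, including compiled-in defaults.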
1

My notes about sudo: (PLEASE NOTE - my notes are just my collection from our very own Google only. I post them because they may help newbies and slow learners like me ;).. If you say the info isn't correct, or just a copy from wiki, or plagiarism, blah blah blah, then let me know through a comment; I would be very happy to delete my post rather than get your down-votes.)

From wiki page:

  1. Unlike the su command, users typically supply their own password to sudo rather than the root password.
  2. sudo is able to log each command run. Where a user attempts to invoke sudo without being listed in the sudoers file an error is presented to the user indicating that the attempt has been recorded in the system log.
  3. sudo may be configured to require the root password, or no password at all
  4. This file MUST be edited with the 'visudo' command as root. from wiki - visudo is a command-line utility that allows editing of the /etc/sudoers file in a safe fashion. It opens /etc/sudoers, using the vi editor's interface by default (although this can be changed by setting the shell's EDITOR environment variable to a different text editor), prevents multiple simultaneous edits with locks, performs sanity checks and checks for parse errors.
  5. The runas command provides similar functionality in Microsoft Windows but cannot pass current directories, environment variables or long command lines to the child. And while it supports running the child as another user, it does not support simple elevation. A true su and sudo for Windows that can pass all of that state information and start the child either elevated or as another user (or both) is included with Hamilton C shell.
  6. There exist several frontends to sudo for use in a GUI environment, notably kdesudo, and gksudo

From man page:

To get a file listing of an unreadable directory:

% sudo ls /usr/local/protected

To list the home directory of user yazza on a machine where the filesystem holding ~yazza is not exported as root:

% sudo -u yazza ls ~yazza

To edit the index.html file as user www:

% sudo -u www vi ~www/htdocs/index.html

To shutdown a machine:

% sudo shutdown -r +15 "quick reboot"

FAQ and Troubleshooting Tips

http://www.sudo.ws/sudo/troubleshooting.html

Invent Sekar
  • 491
  • 1
  • 4
  • 5