Find the answer to your Linux question:
Results 1 to 5 of 5
Hi all, Im looking for a good ssh password/key setup for a system administration of multiple servers. The ideal one will be one that can be at the same time ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Oct 2007
    Posts
    4

    SSH setup for the multiple server admin


    Hi all,

    Im looking for a good ssh password/key setup for a system administration of multiple servers.

    The ideal one will be one that can be at the same time comfortable and secure, but after thinking a lot around the problem, no solution seems acceptable.

    Basically I arrive to these 2 setups:

    One where every server has a strong (and unique) root password. To manage them, instead of logging with the password, I added a password'ed public key to their authorized keys.

    I can login to all of them with the combo of the private key / private key passphrase from any computer.

    Problems: Direct root login allowed.

    The other one:

    Direct root login disabled. Same setup with private key to login to a user account with su permission. Once logged as user, use su to login as root (must type root password).

    Problems. Not very comfortable to retrieve each server root password. More comfortable, use a one for all root password (taking in account that no direct root login is allowed).

    What do you think is better? Do you know any other good setup? Please... share!!!

  2. #2
    Linux Engineer Thrillhouse's Avatar
    Join Date
    Jun 2006
    Location
    Arlington, VA, USA
    Posts
    1,377
    What about passwordless public key auth with root login disabled? You'd need possession of the private key to log in but you wouldn't have to enter a password for the keypair; you'd only need the root password to su to. And if the root password is the same for all systems and you change it often enough, that would suffice for me.

    This seems to be the best compromise between the two options you posed but not necessarily the best one. For me, that would depend on other factors: are these outward- (i.e. Internet) facing systems? How valuable are the data/services you're trying to protect? Are they production or development servers? Etc.

  3. #3
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,440
    1) From outside:
    ONLY one server, and _not_ neccessarily the obvious choice - the gateway- exposes port 22.
    This server does not accept passwords, only key auth.
    Ensure by policy that everyone with a key has a passphrase on the private key.
    From this server, jump to the one that needs actual attention.

    From inside:
    All servers can be reached via ssh.
    Key auth is encouraged, but passwords are possible

    2) No remote root login at all

    3) Login as normal user
    This will allow trackback, who was actually logged in at a certain time.

    4) "sudo su -" to become root. Correctly set up, it will ask for the _user_ password.
    It creates awareness, that you are root now. I will spare you the spiderman quote
    The sudo approach has the advantage, that you dont have to tell the root password
    to a new colleague at first.
    Sure, he can set a new one. But he still doesnt know the actual one.
    (and his new root password would be set back next time cfengine/puppet do their magic. See 6) )

    5) Do not use ldap or similar for users that can become root. They need local passwd/shadow accounts.
    In the above setup, if the ldap server fails, you would not be able to login to any server.

    6) Use a central configuration tool like cfengine or puppet to ensure, that root and the admin-users are
    a) set up on any server
    b) every admin-user / root has a consistent password throughout all servers.

    7) You can also use cfengine or puppet to change admin-users passwords on all servers at once



    just my 2cents

  4. $spacer_open
    $spacer_close
  5. #4
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,440
    One more thing.
    If
    you want to avoid the additional complexity of learning cfengine/puppet
    AND if the total number of servers is reasonable low (e.g. < 10 )
    then
    you can still keep root / admin user accounts in sync with -for example- cssh.
    Cluster SSH - Cluster Admin Via SSH | Get Cluster SSH - Cluster Admin Via SSH at SourceForge.net

    This parallelizes manual jobs, that have to be done on several servers.
    e.g.
    Code:
    cssh server1 server2 server3
    opens 4 windows:
    3 terminals to the servers
    1 small window. Everything you type there will be done on the 3 server simultanously

    Two commands later, the 3 servers have a new root password.
    Code:
    sudo su -
    passwd
    If the number of servers grows, I would definitely take a look at cfengine/puppet.
    For as much tasks as can be automated.
    One time effort of implemeting logic in cfengine/puppet to get rid of re-occuring tasks
    results in: more time for newer and shinier jobs

  6. #5
    Just Joined!
    Join Date
    Oct 2007
    Posts
    4
    Thanks all for your answers !

    After 3 terrible days of headache with all this matter, I finally arrived to a solution with your help.

    Basically I have enforced private key and disabled root login. I have added the users who need to do root things (actually just 2 to different servers) to the sudoers file, so the root password is safe now.

    Irithori, I already bookmarked this thread, there is a lot of things that I like to review like the cfengine/automation tools. Thanks a lot for sharing!!!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •