Page 1 of 2 (results 1 to 10 of 11)
  1. #1
    Just Joined! dvbell
    Join Date
    Oct 2012
    Posts
    7

    A Question for Production Admins Regarding No Remote Root Login


    We are turning off remote root login to all of our SLES 11 SP2/3 servers. This is pretty standard most places, but I have become spoiled, I guess.

    I often do command line scripts to query many servers as root, in order to get config info or to push an updated file to many servers with one command. No password was necessary due to using ssh keys for root.

    I haven't figured out how to get my "expect" script to work properly from within a command line "for" loop. I was hoping the "expect" script would allow me to login to remote servers as a regular user via ssh keys, then use sudo to su - root, and then perform whatever root function I was intending to do, and then move on to the next server automatically.

    I need more ideas on how to get lots of work done as root with remote root login turned off. Do any of you production admins out there have any secrets you can share? How do you handle accessing many servers as root without having to type a pass phrase or password at every server with remote root login turned off? Has anyone tried creating a new user on multiple servers that has a root UID and GID?

    All ideas are greatly appreciated. Thanks.

  2. #2
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,558
    Add yourself to the sudo group with the ability to do this: sudo su --command=script -
    That will allow you to su to root and run the command without using a password.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    Just Joined! dvbell
    Join Date
    Oct 2012
    Posts
    7
    Quote originally posted by Rubberman:
    Add yourself to the sudo group with the ability to do this: sudo su --command=script -
    That will allow you to su to root and run the command without using a password.
    I have sudo privileges. That is not the issue. I'm not concerned with logging into one server. I am concerned with needing to login to 100 servers as quickly as possible and I don't want to type passwords at every server.

  4. #4
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,390
    We also don't have remote ssh root login.
    And yes: It is Best Practice.

    We maintain our multiple hundred machines via puppet.
    aka:
    - There are no manual changes to a production machine. Ever.
    - All needed services (apache, postgres, etc) are automated
    - The puppet manifests are in a git repository
    - If an OPS guy changes something, he first pushes to a new git branch named as the ticket number
    - another ops guy reviews the changes and either rejects them or does a SignOff + merge
    - the puppet master pulls changes automatically every 15min
    - all puppet agents will then get the latest manifests on the next puppet run (aka, another 15min)
    You must always face the curtain with a bow.

  5. #5
    Just Joined! dvbell
    Join Date
    Oct 2012
    Posts
    7
    Thanks. I'm not familiar with Puppet. I'll look into that.

  6. #6
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,558
    Quote originally posted by dvbell:
    I have sudo privileges. That is not the issue. I'm not concerned with logging into one server. I am concerned with needing to login to 100 servers as quickly as possible and I don't want to type passwords at every server.
    Puppet is a good one. I'll check with our data center admins to see what we use besides that. I know we have multiplexing tools that allow file edits and other maintenance operations on hundreds of machines at once.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  7. #7
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,390
    The tools I use (for read-only actions) are:
    parallel-ssh (PSSH: Parallel SSH Tools, Google Project Hosting)
    Cluster SSH (Cluster Admin Via SSH, SourceForge.net)

    However, despite the arguably high amount of work to introduce puppet/chef/cfengine/ansible, automation is well worth the effort.
    - No more "Unique Snowflakes", aka machines that are so special that no one dares to touch them
    - Implicit and dynamic documentation. The manifests describe your system. Everyone who can read them also knows what is going on where in the datacenter
    - manifests in a git repository provide the basis for change management and rollbacks
    You must always face the curtain with a bow.
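The script below is an added example, not code from any poster in this thread. It ties together Rubberman's sudo suggestion (#2) and dvbell's "100 servers without typing passwords" requirement (#3) with Irithori's read-only fleet actions (#7): instead of a passwordless `sudo su`, which turns the fleet account's ssh key into an unrestricted root shell on every server, the account gets a sudoers rule for exactly one read-only command, and a parallel loop runs that command on every host without ever prompting. The read-only command chosen here is `sshd -T`, so the run doubles as a fleet-wide check that remote root login really is off. Everything about the environment is assumed: a host list file, an unprivileged account with key-based ssh, a hypothetical sudoers line for `/usr/sbin/sshd -T`, and a plain `ssh` client in a background loop rather than pssh or Cluster SSH. The `SSH_BIN` variable exists only so the loop can be exercised without real hosts.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. Assumptions (hypothetical):
#  - hosts are listed one per line in a file; blank lines and '#' comments are ignored
#  - each host has an unprivileged account reachable with an ssh key, plus a sudoers
#    rule that lets that account run exactly one read-only command without a password
#  - the read-only command is `sshd -T`, which prints the effective sshd settings,
#    including the PermitRootLogin value we want to verify fleet-wide
set -u

SSH_BIN="${SSH_BIN:-ssh}"                      # overridable so the loop can be tested offline
REMOTE_CMD="${REMOTE_CMD:-/usr/sbin/sshd -T}"  # the only command the sudoers rule allows

# Least-privilege sudoers line for the fleet account: one user, one command, NOPASSWD.
# Contrast with "NOPASSWD: ALL" or "NOPASSWD: /bin/su", which turn the account's ssh key
# into an unrestricted root shell on every server it is installed on.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# True when `sshd -T` output (read from stdin) shows remote root login is off.
# sshd -T prints keywords in lowercase, e.g. "permitrootlogin no".
root_login_disabled() {
    grep -qi '^permitrootlogin no$'
}

# Run REMOTE_CMD on every host in parallel without ever prompting:
#  -n and </dev/null: ssh must not read stdin, otherwise the first ssh swallows the rest
#    of the host list (the usual reason ssh inside a shell loop stops after one host)
#  BatchMode=yes: a missing or rejected key fails at once instead of asking for a passphrase
#  sudo -n: refuses to prompt, so a missing sudoers rule becomes a clean non-zero exit
# Each host's output lands in $outdir/<host>; the return value is the number of hosts
# whose command failed (capped at 255, the largest status a shell function can return).
run_on_hosts() {
    hostfile="$1"; outdir="$2"
    mkdir -p "$outdir"
    pids=""; failed=0
    while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        # $REMOTE_CMD is deliberately unquoted so "command arg" splits into words
        "$SSH_BIN" -n -o BatchMode=yes -o ConnectTimeout=10 "$host" sudo -n $REMOTE_CMD \
            </dev/null >"$outdir/$host" 2>&1 &
        pids="$pids $!"
    done <"$hostfile"
    for pid in $pids; do
        wait "$pid" || failed=$((failed + 1))
    done
    [ "$failed" -gt 255 ] && failed=255
    return "$failed"
}

# Print one line per host and return how many hosts still allow root login
# (or could not be checked at all, which counts as a failure, never as a pass).
report() {
    outdir="$1"; bad=0
    for f in "$outdir"/*; do
        [ -f "$f" ] || continue
        if root_login_disabled <"$f"; then
            echo "ok   $(basename "$f")"
        else
            echo "FAIL $(basename "$f")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: sh fleet-audit.sh hosts.txt
if [ $# -ge 1 ]; then
    out="${TMPDIR:-/tmp}/fleet-audit.$$"
    run_on_hosts "$1" "$out" || echo "$? host(s) did not complete" >&2
    report "$out"
fi
```

The `-n`/`</dev/null` redirection is also the fix for the problem dvbell describes with `ssh` inside a command-line `for` loop: without it the first ssh session reads the remaining host names from the loop's stdin and the loop appears to stop after one server. Because every step is non-interactive (`BatchMode=yes`, `sudo -n`), a server where the key or the sudoers rule is missing shows up as `FAIL` in the report instead of silently hanging the run waiting for a password.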

  8. #8
    Just Joined! dvbell
    Join Date
    Oct 2012
    Posts
    7
    Are any of you familiar with SUSE Manager for automating tasks?

    Is Puppet supported? Can you buy support for it?

    Thanks again.

  9. #9
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,558
    Quote originally posted by Rubberman:
    Puppet is a good one. I'll check with our data center admins to see what we use besides that. I know we have multiplexing tools that allow file edits and other maintenance operations on hundreds of machines at once.
    Well, I spoke with one of my operations people and while we use some home-grown tools, puppet is the currently preferred means of making sure all systems of a type are configured equally.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  10. #10
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,390
    I don't use SUSE, hence no experience with SUSE Manager.

    Puppet can be bought as a commercial product along with support.
    https://puppetlabs.com/puppet/enterprise-vs-open-source

    However, note that this is not a turnkey appliance.
    Puppet essentially offers you a language to describe your datacenter.
    And like coding a program, the results depend on use cases and company specific demands.

    So my suggestion would be to first learn to use that tool with the open source variant
    and then later decide if you need the additional features and support of the commercial one.
    You must always face the curtain with a bow.
