Re: How to manage passwords of lots of server?

[Vegar Westerlund <vegarwe () stud ntnu no>]

Ansgar -59cobalt- Wiechers:
> On 2008-05-21 MontyRee wrote:
> > Please share your valuable experience.
> >  
> > I  have operated thousands of linux and w2k servers in the datacenter.
> > So if I will change the admin(root) password, actually it is impossible..
> > (because there are so many servers..)
> >
> > Mainly I use ssh at linux and terminal server at windows server to
> > remote login.  
> >
> > So is there any good method or solution to solve this problem?
>
> On Linux:
>
> for server in SERVER_LIST; do
>   ssh root@$server \
>     "ssh -i -e 's/\(root\):[^:]:\(.*\)$/\1:PASSWORD_HASH:\2/' /etc/shadow"
> done

This is a great solution, simple cheap and effective (keep it simple
stupid). But if your managing thounsands of linux servers you _really_
do need a configuration system[0,1]. And most of them can do this for you, no 
stress.

I see some suggest using kerberos or LDAP. I usually use kerberos
for authentication and LDAP for authorization and therefor have both on 
regular system. But I wouldn't have a root account in any of these
systems, for that you should fallback to local /etc/shadow. Mainly
because if your authentication infrastructure is down or the server is
offline you still want to be able to login using root.

[0] http://reductivelabs.com/trac/puppet
[1] http://www.cfengine.org/

-- 
Vegar Westerlund