500 unique root passwords

by Chris Josephes

A friend of mine asked a question on a mailing list about their root password policy. In a pool of 500 or so servers, the root password is changed at regular intervals, whenever there are personnel changes, or if a non-administrator learns what the password is. Each host gets a unique root password.

Each password is then recorded on paper that is securely locked in the appropriate data center. It's used as a last-resort password escrow. If a non-admin person ever needed to, they could open the envelope and retrieve the root password that they needed.

With 500 servers, that procedure becomes a bit of a burden. Changing the password is easy. Putting together 500 envelopes is a different matter. My friend asked for ideas on how to simplify the procedure. The only constraint was that he still required unique root passwords on each host.

One idea that came to mind was generating the passwords from a shared secret. By using a hashing function, a unique password could be created from the secret string and the hostname of the server.


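use Digest::SHA1 qw(sha1_base64);

my $host   = 'web01.example.com';   # placeholder hostname
my $secret = 'shared-secret-here';  # placeholder; the real secret is the escrowed string

# The first 8 base64 characters of SHA1(host . secret) become the root password
print substr(sha1_base64($host.$secret),0,8);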

The downside to this is that the non-administrator would need some sort of host access in order to re-hash the password.
As an alternative, there are simpler substitution ciphers that could be used; the caveat is making sure that the cipher can still create unique root passwords that are significantly different from host to host.

Another issue is that the non-root user now has a secret that could potentially give him root access to many hosts. To minimize this, a different secret key could be used for each datacenter, or host group. Reducing 500 envelopes to 25 or 50 envelopes still improves password management significantly.
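The derivation with one secret per host group, as an added Python example (not the post's own Perl code): `post_scheme` reproduces the `$host.$secret` hash above, and `hmac_scheme` is an assumed variant using HMAC-SHA256 with a longer output, which keeps a hostname and a group secret from running together when they are joined. Host names, group names and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac

def post_scheme(host: str, secret: str) -> str:
    """The post's derivation: first 8 base64 chars of SHA1(host . secret)."""
    digest = hashlib.sha1((host + secret).encode()).digest()
    return base64.b64encode(digest).decode()[:8]

def hmac_scheme(host: str, secret: str, length: int = 16) -> str:
    """Assumed variant: HMAC-SHA256 keyed with the secret, hostname as message."""
    digest = hmac.new(secret.encode(), host.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]

def derive_fleet(inventory: dict, group_secrets: dict, scheme=hmac_scheme) -> dict:
    """Map every host to its password, using the secret of its host group."""
    passwords = {}
    for group, hosts in inventory.items():
        for host in hosts:
            passwords[host] = scheme(host, group_secrets[group])
    # The whole point of the policy: no two hosts may share a root password.
    if len(set(passwords.values())) != len(passwords):
        raise ValueError("two hosts derived the same password")
    return passwords

# Constructed sample data. The two secrets are chosen so that plain
# concatenation is ambiguous: "web1" + "0-east-envelope" is the same string
# as "web10" + "-east-envelope".
INVENTORY = {"dc-east": ["web1", "db1"], "dc-west": ["web10", "db10"]}
GROUP_SECRETS = {"dc-east": "0-east-envelope", "dc-west": "-east-envelope"}

if __name__ == "__main__":
    for host, password in derive_fleet(INVENTORY, GROUP_SECRETS).items():
        print(host, password)
```

Eight base64 characters carry 48 bits of the hash, so the longer default length in `hmac_scheme` also makes each derived password harder to guess.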


2006-04-04 03:21:08
Possible Solution?
Create 500 envelopes with a random string in each. Concatenate this string with the global key and hash the result (do this for all 500 servers). The users now need both the global key and the key in the corresponding envelope, so every time you have to replace the root password you only have to replace the global key. If a single envelope is opened you can replace just this envelope.

What do you think?