Looking for a Password Manager for SSH Privilege Escalation

Asked By TechieGiraffe42 On

Hey everyone! I'm currently using SSH keys to access our servers, but every time I need to escalate privileges with sudo, I have to input the user's password. I want to avoid adding non-root users to the sudoers list, and I definitely don't want to use the same password for all my servers.

I'm looking for a password manager or a tool that can either be run on the servers or, ideally, something local that can feed the password to the active terminal session. I'm open to suggestions, so if you have any advice or alternative approaches, I'd really appreciate it!

Just to clarify, these are solely web servers with no end users involved. It's just for development and admin access.

2 Answers

Answered By CodeWizard77 On

It sounds like you're thinking about this the wrong way. Instead of trying to avoid putting non-root users in the sudoers list, you should consider adding them. Most modern Linux distributions actually disable the root account by default, allowing non-root users to perform administrative tasks through sudo. Just remember to carefully limit what those users can do, and it's usually a good idea to avoid NOPASSWD privileges unless you set a timeout for how long that's valid.

For managing access better, look into solutions like 1Password, which can help manage SSH keys effectively. KeePass also has SSH agent functionality, but I'm not as familiar with it. Just keep in mind that having one unique key per user is generally more secure than using multiple keys across different hosts. In an enterprise, synchronizing accounts with a central identity management system can make everything easier!

AdminGuru99 -

Absolutely, if you're in an enterprise, it's best to leverage a centralized account management system for passwords. It helps ensure compliance with password standards and saves time on password resets since a help desk will usually handle those issues.

CuriousDev23 -

Thanks for clarifying! It sounds like you have a solid system already with SSH keys. Just adding that extra layer for sudo is a good move. You might also want to look into some additional tools that manage sudo more effectively.
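
An added example, not part of the thread: a small audit of sudoers rules for the two things the answer above says to watch, unrestricted command grants and NOPASSWD tags. It also reports `timestamp_timeout`, which sets how many minutes a password-authenticated sudo stays cached. The function name `audit_sudoers` and the sample file contents are constructed for illustration.

```python
import re

# Constructed sudoers drop-in for illustration; not from the original thread.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/webadmins (constructed example)
Defaults timestamp_timeout=5
Defaults:deploy timestamp_timeout=0
alice   ALL=(ALL:ALL) ALL
deploy  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
backup  ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
%devs   ALL=(ALL) NOPASSWD: ALL
"""

# user-or-%group  host = [(runas)] [TAG:] command[, command...]
RULE = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?P<rest>.+)$")
TIMEOUT = re.compile(
    r"^Defaults(?P<scope>\S*)\s+.*\btimestamp_timeout\s*=\s*(?P<mins>-?\d+(?:\.\d+)?)")
NON_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")


def audit_sudoers(text):
    """Return (findings, timeouts) for single-line sudoers rules.

    findings: list of (line_number, who, [issues]); timeouts: scope -> minutes.
    Aliases, line continuations and include directives are not expanded.
    """
    findings, timeouts = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TIMEOUT.match(line)
        if m:
            scope, mins = m["scope"] or "global", float(m["mins"])
            timeouts[scope] = mins
            if mins < 0:  # negative value: the cached authentication does not time out
                findings.append((lineno, scope, ["timeout-never-expires"]))
            continue
        m = None if line.startswith(NON_RULES) else RULE.match(line)
        if not m:
            continue
        rest = re.sub(r"^\([^)]*\)\s*", "", m["rest"])  # drop the (runas) spec
        issues = ["nopasswd"] if "NOPASSWD:" in rest else []
        # Strip tags such as NOPASSWD: or NOEXEC:, then split the command list.
        cmds = [c.strip() for c in re.sub(r"\b[A-Z_]+:\s*", "", rest).split(",")]
        if "ALL" in cmds:
            issues.append("all-commands")
        if issues:
            findings.append((lineno, m["who"], issues))
    return findings, timeouts
```

Run it over the output of `sudo cat` on each sudoers file; `visudo -c` remains the tool for checking that the files parse at all.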

Answered By LinuxNinja55 On

Have you checked out CentOS Identity Management? It’s an IPA server that lets you manage credentials across multiple systems. Plus, it has a web interface for managing sudo privileges, which could simplify your setup a lot!
