Linux - How to manage the password of root?

If they are using sudo, then it will ask for their password and not the root password, therefore no root password change is needed. Just be sure to give them proper privileges in the /etc/sudoers file.


You don't need to worry about the root password when using sudo. I would recommend disabling the root password by issuing

sudo passwd -l root

Before you do that, though, make sure that you have a relevant system user with all the privileges.

You can always get a root console by issuing

sudo -i

The following is a small script I use to provision my servers.

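#!/bin/bash
# Provision an admin user with sudo rights and SSH key login. Run as root.

set -e

# Create the admin group and the user, then add the user to the group
addgroup sysadmin
adduser newuser
usermod -a -G sysadmin newuser

# Allow members of sysadmin to run any command through sudo.
# printf is used because bash's builtin echo does not expand \n by default.
chmod u+w /etc/sudoers
printf '\n# Added by <YOUR-NAME>\n%%sysadmin ALL=(ALL) ALL\n' >> /etc/sudoers
chmod u-w /etc/sudoers
# Check the syntax of the edited file
visudo -c

# Install the SSH public key for the new user
su newuser -c "mkdir /home/newuser/.ssh"
su newuser -c "chmod 0700 /home/newuser/.ssh"
su newuser -c 'echo "<YOUR-SSH-KEY>" >> /home/newuser/.ssh/authorized_keys'
su newuser -c "chmod 0644 /home/newuser/.ssh/authorized_keys"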

You may modify it according to your needs. Make it interactive, use a user variable etc. :)

Enjoy!


There is one condition where you actually need the root password: if a filesystem fails fsck when booting, you will typically be prompted to enter the root password to obtain a shell prompt where you can repair the damage. At that point, neither regular user accounts nor SSH will be available. If the sysadmin doesn't know the root password, then the only other option would be to boot from alternate media.


According to best practices:

  • Root account should be set, and changed at least every 3 months.
  • SSH login with the root user should be forbidden.

    In /etc/ssh/sshd_config, comment the following line:

    PermitRootLogin yes

  • Sysadmins should log in with their own accounts and use sudo when escalated privileges are required.
  • Create a group and put all sysadmin users in it.

    groupadd <sysadm_group>
    groupmod -A <user1>,<user2> <sysadm_group>

  • Edit the /etc/sudoers file.

    visudo

    Add at the bottom:
    %<sysadm_group> ALL=(ALL) ALL

  • Root password should be stored in a secure location, and used only in emergency situations.
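
An added example, not part of any answer above: a small audit that classifies the state of root's password (what `passwd -l root` changes in /etc/shadow) and reports the global PermitRootLogin value that is actually active in an sshd_config. The function names and the sample data are constructed for illustration, and the parser assumes whitespace-separated keywords.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Classify the password field (field 2) of root's /etc/shadow line.
# `passwd -l root` locks the account by prefixing the stored hash with '!'.
root_pw_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;   # no password at all
        '!'*|'*'*) echo locked ;;  # locked or never set
        *)         echo set ;;
    esac
}

# Read sshd_config text on stdin, print the global PermitRootLogin value.
# sshd keeps the first value it sees; commented lines do not count.
# "default" means no global line is active, so the OpenSSH default applies.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "default" }'
}

# $1 = root's shadow line, $2 = sshd_config text. Prints one finding per line.
audit_root() {
    case "$(root_pw_state "$1")" in
        empty)  echo "FAIL root password is empty" ;;
        locked) echo "NOTE root password locked: the prompt after a failed fsck cannot be answered with a password, keep alternate boot media" ;;
        set)    echo "NOTE root password set: store it securely, use it only in emergencies" ;;
    esac
    case "$(printf '%s\n' "$2" | permit_root_login)" in
        no)      echo "OK   PermitRootLogin no" ;;
        default) echo "WARN PermitRootLogin not set: result depends on the OpenSSH version default" ;;
        *)       echo "WARN PermitRootLogin allows some form of root SSH login" ;;
    esac
}

# Constructed sample input (not from a real host).
SAMPLE_SHADOW='root:!$6$examplesalt$examplehash:19000:0:99999:7:::'
SAMPLE_SSHD='# PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
PermitRootLogin yes'

audit_root "$SAMPLE_SHADOW" "$SAMPLE_SSHD"
```

On a live host, run it as root and pass the output of `getent shadow root` and the contents of /etc/ssh/sshd_config (or the output of `sshd -T`) in place of the samples.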