"Jeff Larsen" jlar310@gmail.com writes:
I'm wondering how the rest of the community is managing updates of root (and other local account) passwords in a virtual sprawl environment (or a physical environment with lots of hosts).
I have read about things like expect, puttycs, centralize with kerberos, etc.
the way I've seen it done at every large installation I've worked is some sort of auto-pushed password files for authorization, but no valid passwords in the password file (except for root as explained below) the authentication is either handled with ssh public keys (authorized_keys files distributed via rsync or NFS) or with kerberos. I like kerberos, personally, but the ssh authorized_keys setup is harder to screw up, and it works fine as well.
As for the root password, the best practice is to make it so that the root password is *only* useful once you have console. (Of course we have all disabled remote root login with password long ago- disable su and prune /etc/securetty - force your SysAdmins to use ksu or sudo instead of su if they log in remotely, and log.) - if you do this correctly, the root password becomes much less sensitive, and you can keep it in the password files you rsync around.
I worked at one place that used the rsync of the password file and ~user/.ssh/authorized_keys setup that had tens of thousands of servers. the copy became a bit more complicated than just an rsync, but the system did scale.