Monday, September 1, 2014

How to automatically rotate the root password on cloud server

Description

I need to create a public cloud server and use it as a bastion host in a secure way.
I hate the Java/JavaScript console that you have to use when something doesn't work with your cloud server.
I want to keep the root user enabled. As leaving password authentication enabled for root is a security risk, we need to mitigate this.
By default, the login method is going to be an RSA public key.

The reason I want to keep the root user enabled is that you can easily reset its password using the https://mycloud.rackspace.com/ portal. Otherwise, the root user should be practically unavailable.

We could leave it enabled, but there is always a risk that somebody with enough time will try to hack us.

Problem

How to set up root password rotation using cron on Linux.

Solution

# crontab -l
# Debugging variant: also writes the new password in clear text to /tmp/test.txt,
# which other local users can read, so keep it commented out except while testing.
# */10 *  *  *    *     echo root:$(/usr/bin/makepasswd --chars 15) | /usr/bin/tee /tmp/test.txt | /usr/sbin/chpasswd
# Every 10 minutes: generate a random 15-character password and set it for root.
  */10 *  *  *    *     echo root:$(/usr/bin/makepasswd --chars 15) | /usr/sbin/chpasswd

This mitigates attacks on the root password while still giving us the possibility to reset the root password over the portal and log in over a regular SSH session.
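As an added example (not from the original post), the same rotation as a small script that drops the makepasswd dependency, never writes the password anywhere except chpasswd's stdin, and logs only that a rotation happened. The script name rotate-root-pw.sh, its functions and the --apply flag are my assumptions.

```shell
#!/bin/sh
# rotate-root-pw.sh (assumed name): rotate root's password to a random value.
# Suggested crontab entry for root, matching the post's 10-minute interval:
#   */10 * * * * /usr/local/sbin/rotate-root-pw.sh --apply
set -u

PW_LEN=15   # same length as "makepasswd --chars 15" in the post
TAG=rotate-root-pw

# Print a random alphanumeric password of the requested length, drawn from the
# kernel CSPRNG. tr filters /dev/urandom down to [A-Za-z0-9]; head cuts it off.
gen_password() {
    len="${1:-$PW_LEN}"
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Set root's password to a fresh random value. The value is passed to chpasswd
# on stdin only: no temp file, no command-line argument visible in ps, and it
# is not logged. Only success/failure goes to syslog via logger.
rotate_root_password() {
    pw="$(gen_password "$PW_LEN")"
    if [ "${#pw}" -ne "$PW_LEN" ]; then
        logger -t "$TAG" "password generation failed"
        return 1
    fi
    if ! printf 'root:%s\n' "$pw" | /usr/sbin/chpasswd; then
        logger -t "$TAG" "chpasswd failed, root password unchanged"
        unset pw
        return 1
    fi
    unset pw
    logger -t "$TAG" "root password rotated"
    return 0
}

# Only touch the root account when run as root AND explicitly asked to, so the
# script can be sourced or dry-run without side effects.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--apply" ]; then
    rotate_root_password
fi
```

Check the syslog afterwards (e.g. grep rotate-root-pw /var/log/syslog) to confirm rotations are happening; the log never contains the password itself.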

We don't care what the new root password is; if I need it, I'll reset it on the myrack portal.