I need to create a public cloud server and use it as a bastion in a secure way.
I want to keep the root user enabled. As leaving the password authentication for root is a security risk we need to mitigate this.
By default the default loging method is going to be RSA public key.
The reason I want to keep the root user enabled is that you can easely reset its passwors using the https://mycloud.rackspace.com/ portal. Otherwise the root user should be practically not available.
We could leave it enabled but there is always a risk that somebody with enough time may want to try to hack us.
How to set up a root password rotation using Cron in Linux,
# crontab -l # for debugging # */10 * * * * echo root:$(/usr/bin/makepasswd --chars 15) | /usr/bin/tee /tmp/test.txt | /usr/sbin/chpasswd */10 * * * * echo root:$(/usr/bin/makepasswd --chars 15) | /usr/sbin/chpasswd
This mitigates the root password attacks and still gives us a possibility to reset the root password over the portal and login over a regular ssh session.
We don't care what the new root password is, if I need it I'll reset it on the myrack portal.