Monday, September 1, 2014

How to automatically rotate the root password on cloud server


I need to create a public cloud server and use it as a bastion in a secure way.
I hate the java/javascript console that you have to use when something doesn't work with your cloud.
I want to keep the root user enabled. Since leaving password authentication enabled for root is a security risk, we need to mitigate this.
The default login method is going to be RSA public key.

The reason I want to keep the root user enabled is that you can easily reset its password using the portal. Otherwise the root user should be practically unavailable.

We could leave it enabled, but there is always a risk that somebody with enough time may try to hack us.


How to set up a root password rotation using Cron in Linux:

# crontab -l
# for debugging only: this variant also writes the new password in clear text to /tmp/test.txt, so keep it commented out in production
# */10 *  *  *    *     echo root:$(/usr/bin/makepasswd --chars 15) | /usr/bin/tee /tmp/test.txt | /usr/sbin/chpasswd
# every 10 minutes: generate a random 15-character password and set it for root
  */10 *  *  *    *     echo root:$(/usr/bin/makepasswd --chars 15) | /usr/sbin/chpasswd

This mitigates password-guessing attacks against root and still lets us reset the root password over the portal and log in over a regular ssh session.
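The same rotation written as a small script that cron could call instead of the inline pipeline, as an added example that is not part of the original post. It assumes /dev/urandom, tr, head, chpasswd and logger are available, draws the password from the kernel CSPRNG instead of makepasswd, and adds the check a practitioner would want: that sshd's PermitRootLogin really is key-only, since with "yes" the rotating password could still be guessed over ssh and with "no" the portal-reset password would be useless for ssh. The script name, the --rotate flag and the SSHD_CONFIG override are hypothetical names chosen for this example.

```shell
#!/bin/sh
# rotate-root.sh (hypothetical name): rotate the root password and verify that
# ssh only accepts keys for root. Added example, not the original post's code.
# Cron usage, every 10 minutes:  */10 * * * *  /usr/local/sbin/rotate-root.sh --rotate

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"   # assumed default path

# gen_password LENGTH: print a random [A-Za-z0-9] password of LENGTH
# characters read from /dev/urandom (stand-in for makepasswd --chars N).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# root_login_mode FILE: print the effective PermitRootLogin value of an
# sshd_config. sshd uses the first uncommented occurrence; "yes" is the
# default when the directive is absent. Match blocks are ignored here.
root_login_mode() {
    awk 'tolower($1)=="permitrootlogin" && !seen {v=$2; seen=1}
         END {print (v=="" ? "yes" : v)}' "$1"
}

# key_only_root FILE: exit 0 when root may log in with keys only
# (prohibit-password, or its older spelling without-password), else 1.
key_only_root() {
    case "$(root_login_mode "$1")" in
        prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# rotate_root_password: set a fresh random password for root. The password
# itself is never logged; only the fact that a rotation happened is recorded.
rotate_root_password() {
    [ "$(id -u)" -eq 0 ] || { echo "rotate-root: must run as root" >&2; return 1; }
    key_only_root "$SSHD_CONFIG" \
        || echo "rotate-root: warning, PermitRootLogin in $SSHD_CONFIG is not key-only" >&2
    printf 'root:%s\n' "$(gen_password 15)" | chpasswd || return 1
    logger -t rotate-root "root password rotated"
}

# Only rotate when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--rotate" ]; then
    rotate_root_password
fi
```

The warning about PermitRootLogin is printed to stderr, so under cron it arrives by local mail rather than being silently dropped; the password is deliberately never written anywhere, matching the post's point that it can always be reset from the portal.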

We don't care what the new root password is; if I need it, I'll reset it on the myrack portal.