Password Safe
Although most work done as root is done via sudo, there are times (generally recovery scenarios) when it is necessary to have access to the root password.
To allow secure storage of the root passwords and ILO/ALOM passwords, pwsafe (http://nsd.dyndns.org/pwsafe/) has been installed on servers 1 & 2; it appears to be a derivative of Counterpane's Password Safe. The homepage of the project is http://sourceforge.net/projects/pwsafe/
The password database is synchronised once per hour from server01 to server02 for redundancy. A new user, pwsafe, has been added to both machines.
The pwsafe password must not be recorded anywhere it could be revealed, as its loss could potentially compromise all our systems.
Log in and su to the pwsafe user. /home/pwsafe/bin contains the pwsafe application; examples of use are below:-
To see the usernames (servers) stored in pwsafe:-
[pwsafe@server01 bin]$ ./pwsafe -l
WARNING: pwsafe unable to use secure ram (need to be setuid root)
Enter passphrase for /home/pwsafe/db/.pwsafe.dat: <Passphrase>
app01 - root
app01-alom - admin
....edited list....
To see the password for a particular user (server):-
[pwsafe@server01 bin]$ ./pwsafe -u app01 -p -E      (or pwsafe -p mon01 )
Going to print login and password to stdout   <--------------------- Note, this will print out so anyone can see!!
WARNING: pwsafe unable to use secure ram (need to be setuid root)
Enter passphrase for /home/pwsafe/db/.pwsafe.dat: <Passphrase>
username for app10: root
password for app10: topsecret (not really!)
[pwsafe@server01 bin]$
Useful switches:-
-l              long listing (show username & notes)
-p, --password  emit password of listed account
-u, --username  emit username of listed account
-E, --echo      force echoing of entry to stdout
Password Generators
Passwords do not have to be really long or excessively complex to be secure, see:- http://www.baekdal.com/insights/password-security-usability
Strong passwords can be created with the pwgen utility:-
[pwsafe@monitor01 ~]$ pwgen 8 10 -1
ea2HieGh
Thue4Voh
uNee3eek
xoNivo4c
Prevent Password ageing
chage changes the number of days between password changes and the date of the last password change.
[root@sys02 ~]# chage -I -1 -m 0 -M 99999 -E -1 <USERNAME>
where:-
-d, --lastday LAST_DAY        set date of last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
-h, --help                    display this help message and exit
-I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
-l, --list                    show account aging information
-m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
-M, --maxdays MAX_DAYS        set maximim number of days before password change to MAX_DAYS
-W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
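As an added illustration (not from this page or from the chage tool itself), the following POSIX shell function reads /etc/shadow-format records and reports which accounts have ageing switched off in the way the chage command above leaves them (max days 99999, inactive and expiry fields empty), so that such accounts can be audited. The sample records are constructed; the second field is a placeholder, not a real hash.

```shell
# Constructed sample in /etc/shadow format:
# name:passwd:lastchange:min:max:warn:inactive:expire:reserved
# "chage -I -1 -m 0 -M 99999 -E -1 <user>" leaves the inactive and
# expire fields empty and max at 99999, as for svcacct and bob below.
SAMPLE_SHADOW='svcacct:x:19000:0:99999:7:::
alice:x:19000:1:90:7:14:19500:
bob:x:19000:0:99999:7:::'

# shadow_ageing_report RECORDS
# Prints one line per account: "<user> NO-AGEING|AGED max=<days>".
# An account counts as NO-AGEING when max is 99999 (or unset) and
# neither an inactive period nor an expiry date is set.
shadow_ageing_report() {
    printf '%s\n' "$1" | awk -F: '
    NF >= 8 {
        max      = ($5 == "") ? 99999 : $5
        inactive = ($7 == "") ? -1    : $7
        expire   = ($8 == "") ? -1    : $8
        state = (max >= 99999 && inactive < 0 && expire < 0) ? "NO-AGEING" : "AGED"
        printf "%s %s max=%s\n", $1, state, max
    }'
}

# ageing_disabled USER RECORDS
# Returns 0 if USER has ageing switched off, 1 otherwise.
ageing_disabled() {
    shadow_ageing_report "$2" | grep -q "^$1 NO-AGEING " 
}

# Example run over the constructed sample.
shadow_ageing_report "$SAMPLE_SHADOW"
```

On a real host the records would come from /etc/shadow, which only root can read, so run it with sudo or feed it a copy taken during a maintenance window.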