UNIX for Advanced & Expert Users

Hi all,

As time progresses, the number of servers that I have to login to has grown to the hundreds.

Some of the servers has NIS so I can use one single password for this group of servers.

The hard part comes to when you have 20+ other servers that now require different passwords and different password rules. In this scenario, I am wondering whether anyone from this FORUM has a 'simple' way of being able to copy and paste passwords from an encrypted file when prompted instead of having to type it in.

At the moment, I am using Keepass, then I copy-and-paste the passwords from it into a text file that I crypt/decrypt and then delete after. I do this every so often that it is becoming tedious that I just keep the file and then crypt it to decrypt again at some stage -

Any advice will be much appreciated. Thanks.

How are you logging into these servers? ssh? I'm sure you've heard of ssh keys for passwordless login.

It of course presents a new problem, how to keep the key safe? You can put a password on the key, which makes it useless to steal, but then how does that help automatic logins?

ssh-agent allows you to type in a password once, to load the key and keep it resident for logging into remote hosts. I type the key password in once when I login in the morning to get passwordless access to my hosts all day. The agent quits when I logout.

Hi,

Yes, I use ssh but then I do a sudo su - <login>, for example sudo su - oracle, which I then have to supply my password yet again -

So in a way the passwordless stuff works on the first instance but not when I then need to do a sudo or is there a way that I can sudo su - where I won't be prompt for the password.

If there are sudo config settings to change, I can't do it as I am not the SA of the server

There is a choice of policy when setting up sudo rules. If your company has chosen to enforce passwords, (perhaps with an expiry time) then that is why you have the prompt coming up.

You would need to negotiate to get the policy changed, however the counter argument will be that if someone gets access to your session, then they can run privileged commands without verification.



Robin

Why not do ssh oracle@host instead of ssh username@host sudo su - oracle ?

Bottom line, if they're not willing to give you passwordless access to oracle, there's not really any effective, secure way to streamline that.