More Secure Efficient Way To Setup User Account Password Question
by danmartinj from LinuxQuestions.org on (#5F04X)
Hello,
I have been asked a couple of questions that I cannot seem to find the answers to. In this instance Group A are the admins, Group B are the operators with a common service account. Group B needs to have a service account with the same name/password applied to all server builds.
Basically we are trying to find the best (most secure/efficient) way to share/setup accounts.
Currently, the method is: Group A sets up machines, then gives Group B the temp/random password, and then Group B changes the password to match the service account. However, this creates a lot of management work on both sides and it is exhausting, honestly.
We are thinking about 3 other possible options:
Option 1. Group A/B sets up a temp password that never changes so Group B can change the temp password whenever the way.
Option 2. Group A/B shares the service account password (NOT IDEAL because now lots of people might know the password).
Option 3. Since Group A is admins on all machines, what if we just have them copy the user hash to new machines? That way the password is never revealed, there is no transmission of credentials between teams, and it seems like it is the best option.
So, I am just hoping to bounce some ideas off some smarter people than myself.
Thanks,
joe
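
Option 3 from the post above, as an added example that is not part of the original post: read the service account's hash from a shadow-format file, refuse locked, empty or legacy entries, and emit the `user:hash` line that `chpasswd -e` accepts on the new build. The account name `svc_ops`, the function names and the sample shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Added example for Option 3: move a password hash, never the clear text.
# svc_ops, the function names and the shadow entries below are constructed.

# Print the hash (field 2) of USER's entry in a shadow-format file.
get_shadow_hash() {
    awk -F: -v u="$1" '$1 == u { print $2; found = 1 } END { exit !found }' "$2"
}

# Accept only modern crypt(3) schemes. Empty fields, locked entries
# ("!" or "*" prefix) and legacy DES/MD5 hashes are rejected so that a
# disabled or weak entry is not propagated to every new build.
is_deployable_hash() {
    case "$1" in
        ''|'!'*|'*'*) return 1 ;;
        '$5$'*|'$6$'*|'$y$'*|'$2b$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the "user:hash" line for `chpasswd -e`, which stores the hash as given.
build_chpasswd_line() {
    user=$1 file=$2
    hash=$(get_shadow_hash "$user" "$file") || {
        echo "no shadow entry for $user" >&2; return 1; }
    is_deployable_hash "$hash" || {
        echo "hash for $user is empty, locked or legacy" >&2; return 1; }
    printf '%s:%s\n' "$user" "$hash"
}

# Constructed sample standing in for the source machine's /etc/shadow.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:!:19700:0:99999:7:::
svc_ops:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUEnotARealDigest:19700:0:99999:7:::
locked_user:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUEnotARealDigest:19700:0:99999:7:::
EOF

# On a real build Group A would pipe this line, as root, into `chpasswd -e`
# on the new machine instead of printing it.
build_chpasswd_line svc_ops "$SAMPLE"
```

Because the same salted hash then sits in every machine's `/etc/shadow`, read access to any one of those files allows offline guessing against the password used on all of them. The target system must also support the hash scheme being copied.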

