Symantec Privileged Access Management


How to manage root account if direct root account login is disabled

  • 1.  How to manage root account if direct root account login is disabled

    Posted 11 days ago
    Hi SMEs,

    I have a use case where, for security reasons, direct root login is disabled on a few Linux servers. How can I manage access and the password for the root account on those servers?

    Regards
    Pankaj Kumar


  • 2.  RE: How to manage root account if direct root account login is disabled
    Best Answer

    Posted 10 days ago
    Hi Pankaj, this is a common use case. You define a user, say pamadmin, on the Linux server that is allowed to run the command "sudo passwd root" to change the root user password, and "su - root" to change to user root. You configure a target account for pamadmin with the privilege elevation setting "Use elevated privileges" (sudo does not ask for the pamadmin password) or "Use elevated privileges with authentication" (sudo asks for the pamadmin password; this is recommended) under the UNIX tab of the target account editor. Then you create the root account and, under the UNIX tab, update the Change Process to have this account's password updated by account pamadmin, and also verified by account pamadmin. When you configure this, do not use auto-generated passwords for initial testing. Manually enter a new password. If something goes wrong, you know the old and new password. One of them has to be right.

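    The sudo rule the answer above relies on, as an added example that is not from this thread or from the PAM product: it generates a sudoers drop-in that grants the delegated account (assumed here to be named pamadmin) exactly "passwd root", in either the "with authentication" form (recommended) or the NOPASSWD form, and checks the fragment before it is installed. The "su - root" step needs no sudo rule, since su prompts for root's own password, which PAM supplies.

```shell
#!/bin/sh
# Added example: build and check a sudoers fragment for the PAM-managed
# delegated account. Names (pamadmin, PAM_ROOT_PASSWD) are assumptions.
# Usage: write_pamadmin_sudoers <output-file> [account] [with_auth|nopasswd]

write_pamadmin_sudoers() {
    out="$1"
    user="${2:-pamadmin}"
    mode="${3:-with_auth}"   # with_auth = "Use elevated privileges with authentication"
    tag=""
    [ "$mode" = "nopasswd" ] && tag="NOPASSWD: "
    # The Cmnd_Alias pins the full path and the single argument "root", so the
    # rule cannot be used to reset any other account's password.
    cat > "$out" <<EOF
# Root password rotation via PAM-controlled account $user (constructed example)
Cmnd_Alias PAM_ROOT_PASSWD = /usr/bin/passwd root
$user ALL=(root) ${tag}PAM_ROOT_PASSWD
EOF
}

# Validate the fragment: syntax via visudo when present, and a grep-based
# least-privilege check that only the pinned alias is granted.
check_pamadmin_sudoers() {
    f="$1"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$f" >/dev/null || return 1
    fi
    # Reject a rule that grants passwd with no argument (would cover any user).
    grep -Eq '^[^#]*passwd[[:space:]]*$' "$f" && return 1
    grep -Eq '^[^#]*=\(root\)[[:space:]]+(NOPASSWD: )?PAM_ROOT_PASSWD$' "$f"
}
```

Install the checked fragment as root under /etc/sudoers.d with mode 0440; the NOPASSWD variant corresponds to the "Use elevated privileges" setting and should only be chosen deliberately.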

  • 3.  RE: How to manage root account if direct root account login is disabled

    Posted 10 days ago
    Hi Ralf,

    Thanks for the information. I tried it and found that it takes time to rotate the root password. Is that normal? We have a policy to rotate the password on connection end. So as soon as we try to access root again after the connection ends, it shows Access denied. The PAM appliance is 3.2.4.

    Regards
    Pankaj Kumar


  • 4.  RE: How to manage root account if direct root account login is disabled

    Posted 10 days ago
    Hello Pankaj, "taking time" is not well defined; based on that I cannot make any statement as to whether what you observe is normal or not. Normal would be a single-digit number of seconds. You can follow the process by setting the tomcat log level to Info on the Configuration > Diagnostics > Diagnostic Logs page (don't forget to hit the Submit button, and it takes about 30 seconds to kick in). Trigger a password change, then go back to the Diagnostic Logs page, select the Download tab and get recent tomcat log entries, or download the whole log. There will be many "Jsch" messages at the time the connection is established, followed by some messages from the script processor, and ending with some success message. Note that there will be an initial attempt to verify the new password (before it's set), so you will see a failed "su - root" command following a "start executing the default UNIX credentials verification script" message. This is an expected part of the workflow. Then there will be another SSH connection followed by the message "start executing the default UNIX credentials update script", and then the actual commands executed in the update script. This should allow you to figure out which part of the process consumes most of the time.