Has anyone here tried LAPS4Linux?
Posted by LeftTennant_Dan@reddit | linuxadmin | 28 comments
I am looking for a way to rotate and store passwords for local admin accounts on domain-joined Linux workstations and servers, similar to LAPS on Windows. I was considering using a tool like Ansible or SaltStack and building out a way to generate, deploy, and store passwords, but then I found this project: https://github.com/schorschii/LAPS4LINUX The ability to manage Linux local admin passwords with the same tool as Windows is appealing, but I am hesitant to trust something as important as password management to a random GitHub project. Has anyone tried this, or does anyone have a better solution?
RiskNew5069@reddit
I utilize LAPS4Linux. I know I'm a bit late here. It works seamlessly with our Windows-based LAPS in server 2022.
MaxHedrome@reddit
why are you rotating passwords with no known compromise?
Hotshot55@reddit
Because it's best practice to rotate local account passwords
MaxHedrome@reddit
what year is it?
https://www.auditboard.com/blog/nist-password-guidelines/
Hotshot55@reddit
These aren't regular user accounts you ding dong. Local accounts like root should still have rotated passwords.
MaxHedrome@reddit
there's literally less of a reason to rotate local accounts
Coffee_Ops@reddit
You rotate them to prevent lazy admins from using the break-glass password once and then storing it in 'passwords.txt' for use with their business-critical Jenkins pipeline.
It's also incredibly bad form to use the same root password on every system, so if you don't use a password rotation system you have the issues
Top_Possibility_555@reddit
Must LAPS4Linux be installed on every Linux host on which it changes the password?
ZMcCrocklin@reddit
Root should be a 64-character generated password & forgotten about. SSH should be set to NOT permit root login or password auth. Using SSH keys & disabling root login via SSH is standard security. Users with sudo access should be the only ones running tasks as root. Most of the time applications use their own user/group setup that doesn't require logging in to the server as root. For workstations, the disk should be encrypted with LUKS. The encryption passkey can be made easier to remember, but complex enough to make it difficult to crack. On top of that, someone with physical access can reset the root password if they can crack the encryption key. IMO, LAPS is unnecessary for Linux.
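The SSH side of that baseline (no root login over SSH, no password auth, keys only) checked as code; this is an added example, not anything posted in the thread, and both sshd_config samples are constructed. It covers two things a plain grep misses: sshd applies the first occurrence of a keyword and ignores later duplicates, and a Match block or an Include drop-in can re-enable what the global line disables.

```python
import re

# Keys the post calls standard, with the values that satisfy it.
EXPECTED = {"permitrootlogin": {"no"},
            "passwordauthentication": {"no"},
            "pubkeyauthentication": {"yes"}}
# What sshd uses when the keyword is absent (OpenSSH 7.0+ defaults).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def audit(config: str) -> list:
    """Findings for an sshd_config text; an empty list meets the baseline.
    Mirrors two sshd rules a grep misses: the FIRST occurrence of a keyword
    wins, and a Match block can re-enable a setting for some users."""
    globals_, findings, overrides, in_match = {}, [], [], None
    for raw in config.splitlines():
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            in_match = val
        elif in_match is not None:
            if key in EXPECTED and val.lower() not in EXPECTED[key]:
                overrides.append(f"{key}={val} re-enabled under 'Match {in_match}'")
        elif key == "include":
            findings.append(f"Include {val}: drop-ins apply here and are not audited")
        else:
            globals_.setdefault(key, val)  # first occurrence wins, as in sshd
    for key, ok in EXPECTED.items():
        val = globals_.get(key, DEFAULTS[key])
        if val.lower() not in ok:
            src = "explicit" if key in globals_ else "OpenSSH default"
            findings.append(f"{key}={val} ({src}); expected {'/'.join(sorted(ok))}")
    return findings + overrides

# Constructed sample configs (not taken from any real host).
WEAK = """Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes   # ignored by sshd: first occurrence wins
Match User svc-backup
    PasswordAuthentication yes
"""
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["OK"])
```

On Debian-style hosts the Include line sits at the top of the file, so a drop-in under sshd_config.d takes precedence over everything below it; feed those files through audit() as well.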
metromsi@reddit
LAPS is specifically designed for managing local administrator passwords on Windows systems within Active Directory environments. We've not used a root password for decades. If you have a system you need to break into, then use a USB drive to boot from for hardware so you can get access to the system. Or on a hypervisor, use an ISO that you can boot your system into emergency mode with.
Lastly, why do Windows folks think they can manage Linux like Windows? It is not. It's like taking your Ford to a GMC dealer; they can't work on it.
dhsjabsbsjkans@reddit
I am fortunate to have access to CyberArk to auto-rotate the root password. If not, I would likely do something with Ansible and the Linux utility called pass.
You could also look at setting up HashiCorp Vault. Not sure if it will stay open source under IBM, but worth a look possibly.
metromsi@reddit
Disagree. LAPS is specifically designed for managing local administrator passwords on Windows systems within Active Directory environments. We've not used a root password for decades. If you have a system you need to break into, then use a USB drive to boot from for hardware so you can get access to the system. Or on a hypervisor, use an ISO that you can boot your system into emergency mode with.
Lastly, why do Windows folks treat Linux like Windows? It is not. It's like taking your Ford to a GMC dealer; they can't work on it.
dhsjabsbsjkans@reddit
Not sure why you replied with this to me. It literally doesn't follow anything to do with my reply. Maybe an accident.
whetu@reddit
Your instincts are right. Use Ansible or SaltStack.
LeftTennant_Dan@reddit (OP)
That is what I am thinking. Finding a way to integrate with LAPS is tempting given I am the lone Linux admin on my team, but I should trust my instincts and build out a solution myself unless there is a more well-trusted tool for this.
chuckmilam@reddit
I used to set the root password to something random with Ansible; I had no idea what it was on the different Linux systems. We'd use SSH keys/certificates for login and then sudo as required.
bufandatl@reddit
That’s kinda a bad idea. What if you wreck your sudoers? Then you can’t log in with root on a KVM console to fix it. And I read further, so I know you changed it. And you are even ahead of us; we still generate a password in KeePass and have to set it manually after installing a new VM, which I would like to automate one day too. Guess it's time to look into some vault tools.
chuckmilam@reddit
No one should be editing /etc/sudoers when /etc/sudoers.d/* exists.
We use the Ansible sudoers module along with the "validate" argument for all our sudoers actions.
bufandatl@reddit
Yeah, sure. But you‘ll never know. In the end we are all humans and shit sometimes happens. For example, just a couple of weeks ago CrowdStrike nuked a chunk of our servers due to a compatibility issue. While it wasn’t sudoers but, even worse, LVM, I was only able to log in with root to the rescue shell. Was just an example with the wrecked sudoers file.
chuckmilam@reddit
Whew. Sounds not fun. I acknowledge not everyone has the luxury we do in our current environment, but if we are at the point where we need to grab a rescue shell, I just nuke and redeploy. Thankfully almost all of our goodies are in version control so tech debt is fairly minimal. If we were back in the days of manual checklist installs and tape backups…much different story.
bufandatl@reddit
Yeah not possible when it’s splunk servers or DB servers with active data of multiple terabytes per host. And all of that before I had my coffee in the morning.
chuckmilam@reddit
I was just triggered by the mention of Splunk. It’s like they deliberately work to ensure automation isn’t possible, or they’re just trying to sell consulting or something. (I’m also currently fighting their ancient internally-packaged version of python and older encryption ciphers talking to RHEL 9.x systems in FIPS mode.) I came from the Elastic world, where we could spin up new nodes in a cluster and migrate data shards live via API. But yes, I acknowledge that some environments aren’t as ephemeral and careful care and feeding is required.
bufandatl@reddit
Not my choice either. The security officer is using them and is application admin. But that then puts issues always into critical priority.
chuckmilam@reddit
Don’t get me started on how I’ve seen Splunk used as nothing more than an expensive, heavy pre-processor for eventual ingest into Elastic. Sunk cost fallacy and tech debt burden is heavy in some of the environments I support.
LeftTennant_Dan@reddit (OP)
The account is restricted to SSH key only for remote login. The only use for the password is as an emergency local login if a machine is having networking issues and does not have cached credentials of a domain account.
chuckmilam@reddit
Today, I'd likely do some kind of rotating unique password stored in Vault and managed with Ansible.
cyberboxster5@reddit
I have used a similar tool here. It generates a new password for the account specified, and then uploads it to AD via ldapmodify. Both tools require the “legacy” version of LAPS that stores the password as a custom LDAP attribute, unencrypted. The new Microsoft LAPS version announced last year is not compatible as far as I am aware. Read through and verify the source of either app before running.
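The rotation step that post and the OP's question describe, as an added example that is neither LAPS4Linux's code nor the commenter's tool: generate a long random password, write it and an expiry to the legacy LAPS attributes through an LDIF that `ldapmodify -f` applies to the computer object, then change the local account through `chpasswd`. The attribute names are the legacy LAPS schema's; the host DN and account name are constructed placeholders, and since the attribute holds the password in cleartext, the AD ACL on it is the whole access control.

```python
import base64
import secrets
import string
from datetime import datetime, timedelta, timezone

# Legacy LAPS schema attributes (cleartext password + expiry as Windows FILETIME);
# the newer Windows LAPS uses a different, encrypted schema, as the post notes.
PWD_ATTR = "ms-Mcs-AdmPwd"
EXP_ATTR = "ms-Mcs-AdmPwdExpirationTime"
ALPHABET = string.ascii_letters + string.digits + "!#%+,-./=@_"
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def generate_password(length: int = 64) -> str:
    """CSPRNG password; retry until it has lower, upper and digit characters."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

def to_filetime(when: datetime) -> int:
    """AD stores the expiry as 100-ns ticks since 1601-01-01 UTC."""
    return (when - WIN_EPOCH) // timedelta(microseconds=1) * 10

def build_ldif(host_dn: str, password: str, expires: datetime) -> str:
    """LDIF for `ldapmodify -f` against the computer object; the password is
    base64-encoded (`::`) so a leading colon/space cannot break LDIF parsing."""
    b64 = base64.b64encode(password.encode()).decode()
    return "\n".join([f"dn: {host_dn}", "changetype: modify",
                      f"replace: {PWD_ATTR}", f"{PWD_ATTR}:: {b64}", "-",
                      f"replace: {EXP_ATTR}", f"{EXP_ATTR}: {to_filetime(expires)}",
                      "-", ""])

def ldif_password(ldif: str) -> str:
    """Read the stored password back out (what a helpdesk lookup does)."""
    for line in ldif.splitlines():
        if line.startswith(f"{PWD_ATTR}:: "):
            return base64.b64decode(line.split(":: ", 1)[1]).decode()
    raise ValueError("no password attribute in LDIF")

def rotation_plan(host_dn: str, user: str, valid_days: int = 30) -> dict:
    """Write AD first, then the local account: a failed AD write must never
    leave a password that is set locally but is stored nowhere."""
    pw = generate_password()
    exp = datetime.now(timezone.utc) + timedelta(days=valid_days)
    return {"ldif": build_ldif(host_dn, pw, exp),  # step 1: ldapmodify -f <file>
            "chpasswd": f"{user}:{pw}\n"}           # step 2: feed to chpasswd stdin
```

A scheduled job would run rotation_plan() only when the stored expiry has passed, so the password is rotated on schedule and after each break-glass use.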
skibumatbu@reddit
You could look at an enterprise privileged access management tool such as BeyondTrust, CyberArk, or Delinea.
They have the ability (using a local account and sudo rights) to store the password in a vault, control who has access to it, and then rotate it once used.
But... stupid expensive.