Lets say I have two racks with about 40 nix servers in them. I don't want to set all of the root user passwords all the same do I? If not how do you manage and keep up with all of the passwords?
Is an LDAP server a viable option to use with root logins?
Here are a few options, each with their own aspects of security and insecurity:
Of those options, I like the SSH keys one the most if you're in an environment where that makes sense. Because honestly, why have root passwords if you don't need to?
My Next favorite is keepass and lastpass. Random passwords are better than not-random passwords
The password-pattern option is categorically less secure than the other options, but certainly better than using passwords with a readily-discernable pattern.
Just to add to other answers an important distinction here is how many people need access to these passwords. If it's just one (yourself) then a password manager is likely the best solution.
However where you have multiple people making use of privileged generic accounts (like the root account in *nix) it becomes important to have things like tracking of who had access to what and when and also to allow for passwords to be given out temporarily and then changed easily.
For that solutions like CyberArk (which @mark-c-wallace mentioned in comments) are a good idea.
I don't want to set all of the root user passwords all the same do I?
no, you dont :) and you want to disable root-ssh-logins as well and use an admin-login that has sudo-rights for often.used tasks via ssh and a password-protected keyfile.
with a rack of 40 servers you should check a management-tools like puppet that creates all necessary users, logins, ssh-key-management, configs etc.
If not how do you manage and keep up with all of the passwords?
use strong passwords and stuff like keepass or the mentioned lastpass. dont use online-password-safes.
when you have ssh+keys enabled, you'll need passwords not that often, except for your ssh-keyfile and certain root-tasks, but the you have your pw-manager open and just c&p the passwords intro the console-app. if you use linux inserting a password into a terminal is just 3 clicks; quite comfortable for me.
Is an LDAP server a viable option to use with root logins?
i wouldnt allow root-logins except from a local console. ldap is nice for accounts, but i still would have 1 local account for login if ldap fails or is otherwise not available. and setup via pam'n'stuff is 8was at least 3 years ago) big PITA
There are a number of password managers out there that are designed just for the purpose. I just use Keychain which comes with OSx, but I've also heard good things about LastPass.
Here is a link that goes over a number of popular password managers.
Expanding on an answer from tylerl I have the following:
My thinking now is since my servers are locked in a cage and the only way to access the root account is by unlocking the cage and using the kvm it doesn't really matter if all root passwords are blank or just set to the same thing
You can use an enterprise based management system, e.g. Puppet for password management. Keepass for a local copy but it would be too complex. Its a lot easier using sshkeys and Puppet if you ask me. If the goal is securing the ability to LOG IN, this is as simple as configuring rules on the local machine to ONLY TRUST THEIR OWN NETBLOCK, while allowing OOB (out of band) management to ONE, and then going from there. This allows only ONE entry point as opposed to multiple points.
For example, suppose you are talking about say a /25 in your rack. NO ONE from the outside world needs to log into this except say yourself/admin. You could install rules on ALL machines to block all connections to services no one from the outside world should be accessing (RDP, SSH, telnet, whatever you want to block), have one server used as a dedicated proxy to connect to the others. That one server would have to be secured EXTREMELY well as it would contain sshkeys. But even that too, can be blocked, with a 10$ ethernet card for OOB management.
There are a lot of ways to protect and manage, but it all depends on how much time and money you want to invest doing things.
Use SSH Keys. There is just simply alternative, which is the reason you will not find any other solutions used in datacenters.
Create key:
ssh-keygen -t rsa -b 4096
Copy key to server:
ssh-copy-id <user>@<servername-or-ip>
Finish and secure the server:
ssh into the machine, and edit /etc/ssh/sshd_config such that PermitRootLogin is set to without-password instead of yes.
If others need password based ssh access, give them a second account to connect with, and let them use sudo afterwards.
