Good evening,

I'm thinking about implementing some way to manage passwords for our Linux/Windows servers based solely on security concerns and an ever growing number of servers.

How do you do it? How would you do it if you had the opportunity? What I have in mind is perhaps a key server with groups and dual authentication, or perhaps a key-ring of sorts?

  • Active Directory. – jscott Feb 10 '12 at 13:46
  • Active Directory is in use for office clients and such, but for multiple offshore servers, we need something else. – Lars Feb 10 '12 at 13:54
  • RODCs, LDAP, there's a lot more to AD than "office clients". – jscott Feb 10 '12 at 13:58
  • agreed. don't forget AD effectively includes an entire LDAP server stack that you can query and authenticate against. – Sirex Feb 10 '12 at 14:06
  • You are asking how to manage authentication of user accounts rather than managing a list of passwords, right? – dunxd Feb 10 '12 at 14:09
  • Well, a bit of both I suspect, I have a few technicians and today we're using SSH/RDP with nothing but a username and password for each server, and what I want to do is both to make it individual as well as harden the whole infrastructure. – Lars Feb 10 '12 at 14:26

3 Answers

Do you mean like Active Directory? Currently that's how we do it, winbind + Active Directory. Given the choice (here) I'd use pam_ldap + Active Directory, and in a pure *nix setup I'd use OpenLDAP, maybe with Kerberos if needed.

Edit: oh, and on a small network (like at home) Puppet is usually pretty good, or maybe NIS.

  • As I told jscott, these are servers offshore, and I'd like to use something safer than just one single user and pass, basically. – Lars Feb 10 '12 at 13:55
  • I'm with Sirex, AD is the way to go. You can throw AD on any little server, set up zones within domains and/or multiple domains within a forest, you can control which parts of the LDAP DB are synced where, there is a stripped-down limited-data version specifically for remote sites that are vulnerable and thus need a minimum surface of exposure, and it already works with every Windows box, ever. Don't reinvent a weak, vulnerable, wobbly wheel when 20 years of MIT and Microsoft engineering is at your fingertips. – Mark Feb 10 '12 at 14:01
  • It's hard to tell without knowing your environment, but our offshore offices (and hence servers) have a domain controller for each group, typically 1 failover pair per country. Depends on your setup though, and what the servers "do". It depends largely on how many users and servers you're talking about, how spread out they are (logically) and what your budget in money and time is. – Sirex Feb 10 '12 at 14:02
  • Thanks to both of you, I will make sure to dig down in to Active Directory properly before trying out different solutions. – Lars Feb 10 '12 at 14:27

You should still use something like Active Directory and set up a VPN between all offshore sites and your main office. The VPN will keep the traffic secure, while still allowing centralized management of credentials.


Alternatively, I would look at something like KeePass or Password Safe, which is a secure password manager. It's easy to use and can be quite helpful when you need to keep track of a series of different applications, servers, websites, etc.