Best Practices for Multi-Admin Root Access Management in Linux Server Environments


9 views

Managing dozens of Debian servers with multiple administrators presents unique security and operational challenges. The traditional approaches each have significant trade-offs that impact security, accountability, and workflow efficiency.

This common but problematic approach involves adding all admin public keys to ~root/.ssh/authorized_keys:

# Example authorized_keys entry
ssh-rsa AAAAB3NzaC1yc2E... comment@admin1
ssh-rsa AAAAB3NzaC1yc2E... comment@admin2

While simple, this method completely eliminates accountability. All changes appear as "root" in logs, making incident investigation impossible.

The sudo approach provides better auditing through individual accountability:

# /etc/sudoers configuration
%admins ALL=(ALL:ALL) ALL
Defaults logfile=/var/log/sudo.log
Defaults log_input,log_output

However, this breaks SSH agent forwarding and creates workflow friction for common administrative tasks.

The unconventional multiple-root-user approach would involve entries like:

# /etc/passwd excerpt
admin1:x:0:0:Admin One:/root:/bin/bash
admin2:x:0:0:Admin Two:/root:/bin/bash

While technically possible (Linux only checks UID for privileges), this violates POSIX standards and may cause unexpected behavior with security tools.

For teams needing both accountability and convenience, consider:

  1. Create individual admin accounts
  2. Implement SSH certificate authentication
  3. Configure pam_exec to log SSH certificate details
  4. Use sudo with comprehensive logging
# Example SSH CA configuration
# In /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/ca.pub

# PAM logging script
#!/bin/bash
# /etc/pam.d/sshd: auth required pam_exec.so /usr/local/bin/log_ssh_cert
echo "$(date) ${PAM_USER} authenticated with cert ${SSH_AUTH_INFO}" >> /var/log/ssh_auth.log

For comprehensive auditing across all servers:

# Rsyslog configuration for sudo commands
# /etc/rsyslog.d/sudo.conf
if $programname == 'sudo' then @loghost:514

Combine this with tools like:

  • auditd for system call monitoring
  • osquery for real-time system state
  • ELK stack for log analysis

To reduce sudo friction:

# .bashrc aliases for common tasks
alias updates='sudo apt update && sudo apt upgrade'
alias logview='sudo less /var/log/syslog'

Consider implementing:

  • SSH multiplexing to maintain connections
  • Ansible for bulk administration
  • RBAC policies for specific admin rights

Managing root access across multiple system administrators presents unique challenges in Linux server administration. The traditional approach of sharing root SSH keys introduces significant security and accountability gaps, while alternatives like sudo introduce operational friction.

# Typical authorized_keys setup (not recommended)
$ sudo cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3Nza... admin1@workstation
ssh-rsa AAAAB3Nza... admin2@workstation
ssh-rsa AAAAB3Nza... admin3@workstation

While convenient, this method completely breaks audit trails. All actions appear as "root" regardless of who executed them. The only way to track changes is through extensive log correlation:

# Attempting to track activity via system logs
$ journalctl -u sshd --since "1 hour ago" | grep root
Jan 01 12:00:00 server1 sshd[1234]: Accepted publickey for root from 10.0.0.1

The sudo approach provides proper accountability but introduces workflow challenges:

# Sample sudoers configuration
%admin ALL=(ALL) NOPASSWD: ALL
Defaults logfile=/var/log/sudo.log
Defaults log_input, log_output

For SSH agent forwarding, consider using ForwardAgent yes in your SSH config while being aware of the security implications:

~/.ssh/config:
Host *.example.com
    ForwardAgent yes
    User adminuser

This unconventional approach maintains root privileges while allowing individual accountability:

# /etc/passwd excerpt
admin1:x:0:0:Admin 1:/root:/bin/bash
admin2:x:0:0:Admin 2:/root:/bin/bash
admin3:x:0:0:Admin 3:/root:/bin/bash

To implement proper logging:

# /etc/rsyslog.d/10-admin-tracking.conf
if $syslogtag contains 'admin1' then /var/log/admin1.log
if $syslogtag contains 'admin2' then /var/log/admin2.log

For teams managing dozens of servers, consider tools like:

  • Teleport for SSH certificate-based access
  • FreeIPA for centralized authentication
  • Ansible Vault for secure credential management
# Example Teleport configuration snippet
kind: role
metadata:
  name: admin
spec:
  options:
    max_session_ttl: 8h0m0s
  allow:
    logins: [root]
    node_labels:
      '*': '*'

For most teams, we recommend a hybrid approach:

  1. Individual user accounts with SSH keys
  2. Restrictive sudo policies (avoid NOPASSWD where possible)
  3. Centralized logging with tools like ELK or Graylog
  4. Regular access reviews and key rotation
# Example secure sudo configuration
Cmnd_Alias ADMIN_CMDS = /usr/bin/systemctl, /usr/bin/apt
%admins ALL=(ALL) ADMIN_CMDS
Defaults:%admins !authenticate
Defaults log_host, log_year, logfile=/var/log/sudo.log