Yes. Most of them were east-to-find solutions on the web, or someone else giving me access. “Can you reset my password on Blah?” “Try TempP@ass123.” “I’m in, changed password. Thanks.”
A few times when I am really acting like a Senior Linux Administrator is figuring out a kludge or back door nobody had thought of. Recently, a client told me that the former admin had left and didn’t leave the password to over 300 systems (it turns out he did, the client was clueless, but I didn’t know that in the moment). I found every system the admin had access to, and looked for a dev box where he had access but I could take down during production hours. I took it down, booted into init with /bin/bash, changed root password, brought it back up. Then I checked his home directory to see what public keys he had. Based on that, I checked to see if there were any private keys on the bastion systems that matched as a pair (using ssh-keygen -l -f on each pair to see if the signatures matched). They checked which pair had no password. That was pretty quick because I quickly discovered a majority of these cloud systems also had an ec2-user that could escalate to root via private/public key pairs (it is supposed to be removed for security reasons, but wasn’t). Within a few hours, I had full access back to all their systems. Without taking down production.
Yes. Most of them were east-to-find solutions on the web, or someone else giving me access. “Can you reset my password on Blah?” “Try TempP@ass123.” “I’m in, changed password. Thanks.”
A few times when I am really acting like a Senior Linux Administrator is figuring out a kludge or back door nobody had thought of. Recently, a client told me that the former admin had left and didn’t leave the password to over 300 systems (it turns out he did, the client was clueless, but I didn’t know that in the moment). I found every system the admin had access to, and looked for a dev box where he had access but I could take down during production hours. I took it down, booted into init with /bin/bash, changed root password, brought it back up. Then I checked his home directory to see what public keys he had. Based on that, I checked to see if there were any private keys on the bastion systems that matched as a pair (using ssh-keygen -l -f on each pair to see if the signatures matched). They checked which pair had no password. That was pretty quick because I quickly discovered a majority of these cloud systems also had an ec2-user that could escalate to root via private/public key pairs (it is supposed to be removed for security reasons, but wasn’t). Within a few hours, I had full access back to all their systems. Without taking down production.