@noahtalerman: User requested this because they want a way to manage local admin accounts on Linux, with randomized passwords for break-glass scenarios or IT support.
@noahtalerman: In the interim they could run custom scripts to create accounts and generate passwords, but those don’t allow secure retrieval or audit trails when passwords are accessed.
@noahtalerman: Eventually Fleet could automate account creation, password rotation, and secure password storage—with view access triggering audit logs—so that help desk and IT teams can safely use these accounts without introducing risk.
As an IT administrator managing Linux hosts, I want to create an administrator account with a randomized per-host password to use in "break glass" support scenarios. I’d like Fleet to securely store the password for each host and produce an audit event whenever somebody views it.
Additionally, I'd like Fleet to support automatic rotation of the password for this account.
What have you tried?
I've looked for various scripting solutions, which can handle the creation of the local administrator account with a randomized password. However, to retrieve the password, I would need to echo it to the script output, which makes it available in plaintext, and viewing it is not auditable.
Potential solutions
Fleet should have built-in support for generating and rotating the password to a managed administrator account.
What is the expected workflow as a result of your proposal?
An IT admin would enable the feature in a Fleet team to generate managed administrator accounts on their Linux hosts.
Fleet would create the managed administrator account for all hosts in that team and store the unique, per-host password securely in the host record.
A help desk employee would need to remotely troubleshoot via SSH on the host.
They would go to the host's details page in Fleet to retrieve the password for the host. The help desk employee would view the password, which would produce an audit event in Fleet. The employee would SSH into the computer using the password and perform the required troubleshooting.
After a specified period of time, Fleet would rotate the password on all the hosts.
customer-rialto: Gong snippet: https://us-65885.app.gong.io/call?id=3976039750772361509&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1787%2C%22to%22%3A1846%7D%5D