
Re: Ways to manage passwd/shadow files?


From: Spam Collector
Subject: Re: Ways to manage passwd/shadow files?
Date: Thu, 10 Mar 2005 22:32:17 -0000
User-agent: slrn/0.9.8.1 (Debian)

On 2005-03-10, Atom Powers <APowers@PyramidBrew.com> wrote:
>> What's the best way to use cfengine to manage /etc/passwd and /etc/shadow?
> Ditto.
>
> I think hash comments *are* allowed in the passwd file, at least in FreeBSD
> they are. But there are other issues as well.

I didn't see any reference to this in the man pages, but I will test it to
see what happens on my platforms.

> - passwd and shadow (or master.passwd) need to be exactly the same except
> that the shadow file has the password hash.
> - The shadow file can not be built from the passwd file, but the passwd file
> could be built from the shadow file.
> - But keeping a shadow file available to cfengine could compromise the
> security of the file; the source file or the temporary file made during the
> copy.

True, you would need to ensure that all copies (and their containing
directories) had correct permissions so only root could see them, and
any transfers between hosts would need to be encrypted.

> - I don't know that cfengine has the ability to modify the password files
> safely. Modifying either password file without using vipw or the like
> probably won't update both the passwd and shadow files, which is absolutely
> required.

On the platforms I'm familiar with, the worst I've had happen from
mis-matched passwd and shadow files is that the non-matching accounts
don't work (which would be bad if one of them was root).  It would
probably be a good idea to run pwck after an edit to make sure they
still match, though.
  I already use cfengine to add non-login accounts by editing the
passwd and shadow files directly; I've just not found a method I'm
comfortable with for passing encrypted passwords around in cfengine
to use it for creating or modifying login accounts.

Frank

>
> So, if it is possible to ensure the security of the shadow file while
> cfengine is running, it should be possible to push out a shadow file and then
> run vipw or the like to create the passwd file. How can we guarantee the
> security of the shadow file?
>
> ----
> Perfection is just a word I use occasionally with mustard.
>
> Atom Powers
> Systems Administrator
> Pyramid Breweries Inc.
> 206.682.8322 x251
> -----Original Message-----
> From: help-cfengine-bounces+apowers=pyramidbrew.com@gnu.org
> [mailto:help-cfengine-bounces+apowers=pyramidbrew.com@gnu.org] On Behalf Of
> Spam Collector
> Sent: Thursday, March 10, 2005 11:44 AM
> To: help-cfengine@gnu.org
> Subject: Ways to manage passwd/shadow files?
>
> What's the best way to use cfengine to manage /etc/passwd and /etc/shadow?
> Managing the entire file as a copy would be easy enough, but how can you just
> manage a chunk of it?  Using edifiles to control a block would have the
> desired result, except that AFAIK you can't have comment lines in those files
> (the ### BEGIN and ### END lines I use to manage blocks in other config
> files).  Also, I wouldn't want my shadow passwords to be copied everywhere in
> the config.
>    I suppose I could use two bogus usernames to define my block and use some
> of the *File* editfile commands in conjunction with a copy, but that just
> seems like a hack.  Is there a better way to accomplish this?
>
> Frank
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://lists.gnu.org/mailman/listinfo/help-cfengine

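The two practical points in this exchange, run pwck after an edit so the passwd and shadow files still agree, and make sure every copy of the shadow file is root-only, can be turned into a small post-edit check. What follows is an added example, not code from the thread or from cfengine itself; the function names, the scratch directory and the sample passwd/shadow entries (including the placeholder hash for "frank") are constructed for the demonstration. It only verifies that the same set of usernames appears in both files and that a shadow copy grants nothing to "other"; pwck also validates field counts, UIDs, home directories and shells, so this complements rather than replaces it.

```shell
#!/bin/sh
# Added example, not from the thread or from cfengine: a post-edit sanity
# check for passwd/shadow pairs and for the permissions on any shadow copy.
# Function names and sample data are constructed for the demonstration.

# Print usernames that appear in exactly one of the two files.
# Returns 0 when the two username sets are identical, 1 otherwise.
# Usage: passwd_shadow_mismatch PASSWD_FILE SHADOW_FILE
passwd_shadow_mismatch() {
    pwnames=$(mktemp) || return 2
    shnames=$(mktemp) || return 2
    # Field 1 is the login name in both files; comm needs sorted input.
    cut -d: -f1 "$1" | sort -u > "$pwnames"
    cut -d: -f1 "$2" | sort -u > "$shnames"
    # comm -3 prints lines unique to either file (file-2 lines tab-indented).
    missing=$(comm -3 "$pwnames" "$shnames" | tr -d '\t')
    rm -f "$pwnames" "$shnames"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Check that a shadow file (or a copy cfengine keeps, e.g. in its source
# tree or as a temporary file during a copy) is owned by the expected user
# (default root) and grants nothing to "other". Uses ls -ld rather than
# stat so the same code runs on BSD and Linux.
# Usage: shadow_perms_ok FILE [EXPECTED_OWNER]
shadow_perms_ok() {
    f=$1
    want=${2:-root}
    set -- $(ls -ld "$f")      # $1 = mode string, $3 = owner
    mode=$1
    owner=$3
    other=$(printf '%s' "$mode" | cut -c8-10)   # the rwx bits for "other"
    [ "$owner" = "$want" ] && [ "$other" = '---' ]
}

# Build a constructed passwd/shadow pair in a scratch directory and print
# its path. The shadow file deliberately lacks the "backup" account, and
# the hash for "frank" is a placeholder, not a real password hash.
make_sample() {
    d=$(mktemp -d) || return 2
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
frank:x:1000:1000:Frank:/home/frank:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
    cat > "$d/shadow" <<'EOF'
root:*:12852:0:99999:7:::
daemon:*:12852:0:99999:7:::
frank:$1$placeholder$notarealhash:12852:0:99999:7:::
EOF
    chmod 600 "$d/shadow"
    printf '%s\n' "$d"
}

# Stand-alone run ("sh check.sh run"): report mismatches and the
# permission state of the constructed shadow copy.
if [ "${1:-}" = run ]; then
    sample=$(make_sample)
    if passwd_shadow_mismatch "$sample/passwd" "$sample/shadow"; then
        echo "passwd and shadow agree"
    else
        echo "the accounts listed above are present in only one file"
    fi
    if shadow_perms_ok "$sample/shadow" "$(id -un 2>/dev/null || id -u)"; then
        echo "shadow copy is private to its owner"
    else
        echo "shadow copy is readable by other or has the wrong owner"
    fi
    rm -rf "$sample"
fi
```

On a real host the owner check would be run with the default (root) against /etc/shadow and against every cfengine source or temporary copy; the sample passes its own uid only because the constructed files are created by whoever runs the demo. A non-zero result from either function is the signal to stop and inspect before any further edits, since a mismatched root entry is exactly the case the thread warns about.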
