RE: Ways to manage passwd/shadow files?
From: Dan Gilbert
Subject: RE: Ways to manage passwd/shadow files?
Date: Thu, 10 Mar 2005 14:51:18 -0800
These are myriad different Unices, correct?
Certainly in the Linux world (tm) you could have cfengine exec
/usr/sbin/useradd and then follow with "/usr/sbin/usermod -p '<MD5hash from
master shadow file not located anywhere public>' username". That works nicely
in the kickstarts and RPMs I've used/built.
As to other beasties like Slo-laris, well, I have always had to paste the
shadow and passwd file into the Jumpstarted boxen and then run pwconv to ensure
everything's in sync, so I admit I've got nothing for you there. If you
changed the PAM to use MD5 instead of DES, then you could simply cat the lines
on the end of the shadow files and then pwconv. Since nobody's broken MD5 in
the last few minutes AFAIK, it might be safe to add accounts this way.....
However, if there are a lot of boxen to manage, well, the same amount of effort
would probably get you LDAP as monkeying around with PAM settings.
YMMV and other disclaimers apply.
Dan
Dan Gilbert, GCIH, MCSE, CCA
Sr. Systems Engineer
Advanced iTV Systems/Production Operations
Digeo, Inc.
dan.gilbert@digeo.com
-----Original Message-----
From: help-cfengine-bounces+dan.gilbert=digeo.com@gnu.org [mailto:help-cfengine-bounces+dan.gilbert=digeo.com@gnu.org] On Behalf Of Spam Collector
Sent: Thursday, March 10, 2005 2:32 PM
To: help-cfengine@gnu.org
Subject: Re: Ways to manage passwd/shadow files?
On 2005-03-10, Atom Powers <APowers@PyramidBrew.com> wrote:
>>What's the best way to use cfengine to manage /etc/passwd and
>>/etc/shadow?
> Ditto.
>
> I think hash comments *are* allowed in the passwd file, at least in
> FreeBSD they are. But there are other issues as well.
I didn't see any reference to this in the man pages, but I will test it to see
what happens on my platforms.
> - passwd and shadow (or master.passwd) need to be exactly the same
> except that the shadow file has the password hash.
> - The shadow file can not be built from the passwd file, but the
> passwd file could be built from the shadow file.
> - But keeping a shadow file available to cfengine could compromise the
> security of the file; the source file or the temporary file made
> during the copy.
True, you would need to ensure that all copies (and their containing
directories) had correct permissions so only root could see them, and any
transfers between hosts would need to be encrypted.
> - I don't know that cfengine has the ability to modify the password
> files safely. Modifying either password file without using vipw or the
> like probably won't update both the passwd and shadow files, which is
> absolutely required.
On the platforms I'm familiar with, the worst I've had happen from mismatched
passwd and shadow files is that the non-matching accounts don't work (which
would be bad if one of them was root). It would probably be a good idea to run
pwck after an edit to make sure they still match, though.
I already use cfengine to add non-login accounts by editing the passwd and
shadow files directly; I've just not found a method I'm comfortable with for
passing encrypted passwords around in cfengine to use it for creating or
modifying login accounts.
Frank
>
> So, if it is possible to ensure the security of the shadow file while
> cfengine is running, it should be possible to push out a shadow file
> and then run vipw or the like to create the passwd file. How can we
> guarantee the security of the shadow file?
>
> ----
> Perfection is just a word I use occasionally with mustard.
>
> Atom Powers
> Systems Administrator
> Pyramid Breweries Inc.
> 206.682.8322 x251
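Dan's "cat the lines on the end of the shadow file and then pwconv" and Frank's "run pwck after an edit" both come down to one check: that every account appears in both files and that no hash has leaked into the world-readable passwd. The following is an added example, not code from the thread or from cfengine; it assumes the Linux/Solaris layout (7-field passwd with 'x' as the shadow placeholder, 9-field shadow) and uses constructed sample data with placeholder hashes.

```python
"""pwck-style consistency checks for a passwd/shadow pair (Linux/Solaris layout)."""

PASSWD_FIELDS = 7  # name:pw:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9  # name:hash:lastchg:min:max:warn:inactive:expire:flag

def parse_db(label, text, nfields):
    """Parse one file into {name: fields}; also return a list of parse problems."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # comment support varies by platform; flag it
            problems.append(f"{label} line {lineno}: comment line, not portable")
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            problems.append(f"{label} line {lineno}: {len(fields)} fields, expected {nfields}")
        elif fields[0] in entries:
            problems.append(f"{label} line {lineno}: duplicate entry for {fields[0]!r}")
        else:
            entries[fields[0]] = fields
    return entries, problems

def check_pair(passwd_text, shadow_text):
    """Return findings for the pair; an empty list means passwd and shadow agree."""
    passwd, findings = parse_db("passwd", passwd_text, PASSWD_FIELDS)
    shadow, more = parse_db("shadow", shadow_text, SHADOW_FIELDS)
    findings += more
    findings += [f"{n}: in passwd but missing from shadow" for n in sorted(passwd.keys() - shadow.keys())]
    findings += [f"{n}: in shadow but missing from passwd" for n in sorted(shadow.keys() - passwd.keys())]
    # A real hash in world-readable passwd defeats shadowing; expect 'x' there.
    findings += [f"{n}: passwd field is {f[1]!r}, expected 'x'" for n, f in passwd.items() if f[1] != "x"]
    # An empty shadow hash means the account logs in with no password at all.
    findings += [f"{n}: empty password hash in shadow" for n, f in shadow.items() if f[1] == ""]
    return findings

# Constructed sample data; the hashes are placeholders, not real digests.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# added by cfengine
orphan:x:1002:1002:No shadow entry:/home/orphan:/bin/sh
leaky:$1$salt$notarealhash:1003:1003:Hash in passwd:/home/leaky:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$xyz$placeholderhash:12500:0:99999:7:::
leaky:$1$salt$notarealhash:12500:0:99999:7:::
nopass::12500:0:99999:7:::
"""
```

On a real host, run it as root over the contents of /etc/passwd and /etc/shadow after cfengine has edited them; the sample above yields five findings (the comment line, the orphaned account in each file, the hash sitting in passwd, and the empty hash).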