help-cfengine

RE: Ways to manage passwd/shadow files?


From: Atom Powers
Subject: RE: Ways to manage passwd/shadow files?
Date: Thu, 10 Mar 2005 15:24:00 -0800

 
I think anybody in their right mind would use LDAP or similar for user auth
on more than a few systems. But there are good reasons to have local auth as
well. 
For me this includes a non-root logon in case LDAP isn't working. I would
like to be able to change the password in one place and have it propagate to
every system. I need to change all passwords every three months or so;
cfengine seems to be the right tool to simplify this task. It would also be
nice to have my /sbin/nologin accounts the same on all systems, in case
they need to pass data to each other.
A sequence of 'pw' commands would most likely end up harder to maintain than
manually changing the passwords.

----
Perfection is just a word I use occasionally with mustard.

Atom Powers
Systems Administrator
Pyramid Breweries Inc.
206.682.8322 x251
-----Original Message-----
From: help-cfengine-bounces+apowers=pyramidbrew.com@gnu.org
[mailto:help-cfengine-bounces+apowers=pyramidbrew.com@gnu.org] On Behalf Of
Dan Gilbert
Sent: Thursday, March 10, 2005 2:51 PM
To: help-cfengine@gnu.org
Subject: RE: Ways to manage passwd/shadow files?

These are myriad different Unices, correct?

Certainly in the Linux world (tm) you could have cfengine exec
/usr/sbin/useradd and then follow with "/usr/sbin/usermod -p '<MD5hash from
master shadow file not located anywhere public>' username".  That works
nicely in the kickstarts and RPMs I've used/built.  

As to other beasties like Slo-laris, well, I have always had to paste the
shadow and passwd file into the Jumpstarted boxen and then run pwconv to
ensure everything's in sync, so I admit I've got nothing for you there.  If
you changed the PAM to use MD5 instead of DES, then you could simply cat the
lines on the end of the shadow files and then pwconv.  Since nobody's broken
MD5 in the last few minutes AFAIK, it might be safe to add accounts this
way.....

However, if there are a lot of boxen to manage, well, the same amount of
effort would probably get you LDAP as monkeying around with PAM settings.

YMMV and other disclaimers apply.

Dan

Dan Gilbert, GCIH, MCSE, CCA
Sr. Systems Engineer
Advanced iTV Systems/Production Operations Digeo, Inc.
dan.gilbert@digeo.com
 

-----Original Message-----
From: help-cfengine-bounces+dan.gilbert=digeo.com@gnu.org
[mailto:help-cfengine-bounces+dan.gilbert=digeo.com@gnu.org] On Behalf Of
Spam Collector
Sent: Thursday, March 10, 2005 2:32 PM
To: help-cfengine@gnu.org
Subject: Re: Ways to manage passwd/shadow files?


On 2005-03-10, Atom Powers <APowers@PyramidBrew.com> wrote:
>>What's the best way to use cfengine to manage /etc/passwd and 
>>/etc/shadow?
> Ditto.
>
> I think hash comments *are* allowed in the passwd file, at least in 
> FreeBSD they are. But there are other issues as well.

I didn't see any reference to this in the man pages, but I will test it to
see what happens on my platforms.

> - passwd and shadow (or master.passwd) need to be exactly the same 
> except that the shadow file has the password hash.
> - The shadow file can not be built from the passwd file, but the 
> passwd file could be built from the shadow file.
> - But keeping a shadow file available to cfengine could compromise the 
> security of the file; the source file or the temporary file made 
> during the copy.

True, you would need to ensure that all copies (and their containing
directories) had correct permissions so only root could see them, and any
transfers between hosts would need to be encrypted.

> - I don't know that cfengine has the ability to modify the password 
> files safely. Modifying either password file without using vipw or the 
> like probably won't update both the passwd and shadow files, which is 
> absolutely required.

On the platforms I'm familiar with, the worst I've had happen from
mis-matched passwd and shadow files is that the non-matching accounts don't
work (which would be bad if one of them was root).  It would probably be a
good idea to run pwck after an edit to make sure they still match, though.
I already use cfengine to add non-login accounts by editing the passwd and
shadow files directly; I've just not found a method I'm comfortable with for
passing encrypted passwords around in cfengine to use it for creating or
modifying login accounts.

Frank

>
> So, if it is possible to ensure the security of the shadow file while 
> cfengine is running, it should be possible to push out a shadow file 
> and then run vipw or the like to create the passwd file. How can we 
> guarantee the security of the shadow file?
>
> ----
> Perfection is just a word I use occasionally with mustard.
>
> Atom Powers
> Systems Administrator
> Pyramid Breweries Inc.
> 206.682.8322 x251




_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://lists.gnu.org/mailman/listinfo/help-cfengine
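Added example, not code from the thread and not part of cfengine: a POSIX sh script that turns the two checks Frank recommends (a pwck-style cross-check that passwd and shadow list the same accounts, and root-only permissions on every shadow copy and its directory) and Dan's push model (which accounts a master shadow would add or update on a host) into functions over constructed sample files. The function names, the sample accounts and the `$6$PLACEHOLDER_*` strings are assumptions; the placeholders stand in for password hashes and are not real hashes, and the script is an offline approximation of pwck, not a replacement for running it (or vipw) on the real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from cfengine itself.
# Offline checks for a cfengine-managed passwd/shadow pair:
#   shadow_consistency_check  pwck-style cross-check of account names
#   shadow_mode_ok            permission check for shadow copies and their dirs
#   shadow_hash_diff          which accounts a master shadow would add/update
# Sample files are constructed below; "$6$PLACEHOLDER_*" strings stand in
# for password hashes and are not real hashes.

# Report accounts listed in only one of passwd/shadow. Returns 1 on any mismatch.
shadow_consistency_check() {
    pw=$1; sd=$2
    out=$(awk -F: '
        NF == 0 { next }
        FNR == NR { in_passwd[$1] = 1; next }     # first file: passwd
        { in_shadow[$1] = 1 }                      # second file: shadow
        END {
            for (u in in_passwd) if (!(u in in_shadow)) print "missing in shadow: " u
            for (u in in_shadow) if (!(u in in_passwd)) print "missing in passwd: " u
        }' "$pw" "$sd")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Return 0 if the path is accessible only to its owner (and at most readable by
# the owning group), 1 otherwise. On a real host the owner must also be root;
# that is not checked here so the sample runs unprivileged.
shadow_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        -rw-------|-rw-r-----|-r--------|-r--r-----|drwx------|drwxr-x---) return 0 ;;
        *) printf 'unsafe mode %s on %s\n' "$mode" "$1"; return 1 ;;
    esac
}

# Print "add USER" / "update USER" for master-shadow entries that are absent
# from, or carry a different hash in, the local shadow (what cfengine would touch).
shadow_hash_diff() {
    master=$1; local_shadow=$2
    awk -F: '
        NF == 0 { next }
        FNR == NR { local_hash[$1] = $2; next }   # first file: local shadow
        !($1 in local_hash)  { print "add " $1; next }
        local_hash[$1] != $2 { print "update " $1 }
    ' "$local_shadow" "$master"
}

# Write constructed sample files (passwd, shadow, master.shadow) into directory $1.
make_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
backup:x:34:34:backup:/var/backups:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
    # local shadow: alice still has the old hash, bob has no passwd entry (drift)
    cat > "$1/shadow" <<'EOF'
root:$6$PLACEHOLDER_ROOT:12000:0:99999:7:::
backup:*:12000:0:99999:7:::
alice:$6$PLACEHOLDER_OLD:12000:0:99999:7:::
bob:$6$PLACEHOLDER_BOB:12000:0:99999:7:::
EOF
    # master shadow: alice's password was rotated, carol is a new account
    cat > "$1/master.shadow" <<'EOF'
root:$6$PLACEHOLDER_ROOT:12000:0:99999:7:::
backup:*:12000:0:99999:7:::
alice:$6$PLACEHOLDER_NEW:12000:0:99999:7:::
carol:$6$PLACEHOLDER_CAROL:12000:0:99999:7:::
EOF
    chmod 600 "$1/master.shadow"
    chmod 644 "$1/shadow"        # deliberately wrong, so the mode check fires
}

demo() {
    d=$(mktemp -d)
    make_sample_files "$d"
    echo "== passwd/shadow consistency"
    shadow_consistency_check "$d/passwd" "$d/shadow" || echo "-> run pwck/vipw before trusting this host"
    echo "== modes on the copies and their directory"
    for f in "$d" "$d/master.shadow" "$d/shadow"; do shadow_mode_ok "$f" || :; done
    echo "== changes the master shadow would make locally"
    shadow_hash_diff "$d/master.shadow" "$d/shadow"
    rm -rf "$d"
}

demo
```

The hash diff is deliberately name-and-hash only: cfengine would then apply each `add`/`update` line with the platform's own tools (Dan's useradd plus usermod -p, or an edit followed by pwconv), and the consistency check is what to run afterwards before the next host is touched. Keep the master shadow in a directory that passes `shadow_mode_ok` and is owned by root, and transfer it only over an encrypted channel, as Frank notes.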