
Re: [K12OSN] rsyncing passwords



On Wed, 29 Jan 2003, Shawn Powers wrote:

> Now for a seemingly silly question...   If I use rsync to keep the 
> passwords matching, which I know at least a few of you are doing, what 

Here's a script fragment with some light error checking

LIST="/etc/passwd /etc/shadow /etc/group /etc/gshadow"
REMOTE="able.bost.lan baker.host.lan"
WORKING="/etc/working/"
for i in $REMOTE ; do
	ssh $i mkdir $WORKING > /dev/null 2>&1
	for j in $LIST ; do
		# -s: the file exists and has non-zero size
		[ ! -s "$j" ] && {
			echo "ERROR: null size $j -- bailing" 1>&2
			exit 1
			}
		scp $j $i:$WORKING
	done
#		this is separated so optional additional 
#		sanity checking may be done
#		-- pwck is your friend
#		quoted so the glob expands on the remote host, not locally
	ssh $i "cp $WORKING/* /etc"
done

This shell one liner is useful to increment your knowledge:

  for i in `rpm -ql shadow-utils | grep man ` ; do man $i ; done

Use centrally keyed root ssh access, perhaps using 
ssh-agent to hold an un-locked pass-phrased key. 

It is quite painful to lose the password file, somewhat less
to lose the shadow file on a remote -- be sure to do some more
error checking.  This code ignores the customary safety locks
of vipw and so forth.  

At an ISP I worked with back in '94 <?>, some Perl4 code was
put into production by a line coder (without being run by
paranoid me for a code review) for the billing department
which was insufficiently paranoid, and I had the pleasure of
booting into single user mode to fix things.

Recall that as you add packages which add users and group
entries on the remote hosts, their password file and group
entries added will be overwritten regularly.  About the only
good solution is to add the package at the master host, and
only at the satellite host AFTER the changes (and any added
userid's and groupid's) have been propagated.

-- 
end
======================================+
 .-- -... ---.. ... -.- -.--          |
 Copyright (C) 2003 R P Herrold       | Owl River Company
 herrold owlriver com  NIC: RPH5 (US) | "The World is Open to Linux (tm)"
   My words are not deathless prose,  | Open Source LINUX solutions ...
      but they are mine.              | info owlriver com -- Columbus, OH
 gpg --keyserver pgp.mit.edu --recv-key 0x7BFB98B9 
 gpg --list-keys 2> /dev/null | grep 7BFB98B9
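The sanity check the fragment above leaves as a comment ("pwck is your friend"), written out as an added example that is not part of the original post: functions meant to run on the satellite host before the copy into /etc, refusing a master file that is empty, has malformed lines, or lacks account names the satellite already has (the overwrite the post warns about). The file paths and account lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the post above: the sanity check the fragment leaves as
# a comment ("pwck is your friend"), as functions run on the satellite before the
# copy into /etc. A master file is refused if it is empty, has malformed lines, or
# lacks account names the satellite already has, since those accounts would be
# silently overwritten (the failure the post warns about). Paths below are
# constructed sample data, not real system files.
# check_file MASTER CURRENT FIELDS
#   MASTER  file received from the master host
#   CURRENT file already installed on this host (may not exist yet)
#   FIELDS  expected colon-separated fields: passwd 7, shadow 9, group 4, gshadow 4
# Prints one line per problem; returns 0 only if MASTER may replace CURRENT.
check_file() {
    master=$1 current=$2 fields=$3 rc=0
    if [ ! -s "$master" ]; then
        echo "ERROR: $master is missing or empty"
        return 1
    fi
    # every line must carry exactly FIELDS fields, otherwise the file is corrupt
    if ! awk -F: -v n="$fields" 'NF != n { bad = 1 } END { exit bad }' "$master"; then
        echo "ERROR: $master has lines with other than $fields fields"
        rc=1
    fi
    # account names present here but absent from the master would be lost
    if [ -f "$current" ]; then
        lost=$(awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' \
                   "$master" "$current")
        [ -z "$lost" ] || { echo "ERROR: $current has accounts missing from $master:" $lost; rc=1; }
    fi
    return $rc
}
# install_checked MASTER TARGET FIELDS
# Runs check_file, keeps TARGET.bak, then swaps the new file in with a rename so
# no reader ever sees a half-written copy.
install_checked() {
    check_file "$1" "$2" "$3" || return 1
    if [ -f "$2" ]; then
        # seed the temp file from TARGET so it keeps TARGET's mode (0600 for shadow)
        cp -p "$2" "$2.bak" && cp -p "$2" "$2.tmp" || return 1
    else
        cp -p "$1" "$2.tmp" || return 1   # first install: take the master's mode
    fi
    cat "$1" > "$2.tmp" && mv "$2.tmp" "$2"
}
# Constructed demo: the satellite gained an 'apache' user the master never saw.
DEMO=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\nshawn:x:500:500::/home/shawn:/bin/sh\n' > "$DEMO/passwd.master"
printf 'root:x:0:0:root:/root:/bin/sh\napache:x:48:48::/var/www:/sbin/nologin\n' > "$DEMO/passwd"
install_checked "$DEMO/passwd.master" "$DEMO/passwd" 7 || echo "refused: add the account on the master first, then re-run"
```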
