* Password File Sync Script
From: Sashikanth Madduri @ 2006-06-19 20:44 UTC
To: linux-admin
Hi,
I am writing a script to update password files from the server to
all the clients in the network.

I will be copying the following files periodically to all the clients:

/etc/passwd
/etc/shadow
/etc/group

scp is one option to do the remote copying. But, root ssh is disabled
in the clients and I cannot use scp. Is there any alternative
way (other than scp) to do this? Do I have to enable root ssh in order
to do a remote copy of the above files? Please help.

PS: I am not using NIS for password management.

Thank you.

Sashikanth Madduri.
* Re: Password File Sync Script
From: Scott Taylor @ 2006-06-19 20:59 UTC
To: Sashikanth Madduri; +Cc: linux-admin
On Mon, June 19, 2006 13:44, Sashikanth Madduri wrote:
> Hi,
> I am writing a script to update password files from the server to
> all the clients in the network.
>
> I will be copying the following files periodically to all the clients:
>
> /etc/passwd
> /etc/shadow
> /etc/group
>
> scp is one option to do the remote copying. But, root ssh is disabled
> in the clients and I cannot use scp. Is there any alternative
> way (other than scp) to do this? Do I have to enable root ssh in order
> to do a remote copy of the above files? Please help.
>
> PS: I am not using NIS for password management.

That's crazy, not to mention dangerous. If you are at a point where you
need a script to update your passwords, perhaps you should consider using
NIS or something.

That said, you could always enable root ssh and just disable it again.

--
Scott
* Re: Password File Sync Script
From: Adrian C. @ 2006-06-19 20:59 UTC
To: Sashikanth Madduri, linux-admin
Sashikanth Madduri wrote:
> I will be copying the following files periodically to all the clients:
>
> /etc/passwd
> /etc/shadow
> /etc/group
Wait. Why in the world would you want to do that?
* Re: Password File Sync Script
From: Matt Hemingway @ 2006-06-19 21:02 UTC
To: Sashikanth Madduri; +Cc: linux-admin
What if you went the other way? Instead of pushing the files, the clients "grab" them. Would allowing root to ssh in only to the "main" server be a problem?
-Matt
On Mon, 19 Jun 2006 13:44:01 -0700
"Sashikanth Madduri" <mail.to.sashi@gmail.com> wrote:
> Hi,
> I am writing a script to update password files from the server to
> all the clients in the network.
>
> I will be copying the following files periodically to all the clients:
>
> /etc/passwd
> /etc/shadow
> /etc/group
>
> scp is one option to do the remote copying. But, root ssh is disabled
> in the clients and I cannot use scp. Is there any alternative
> way (other than scp) to do this? Do I have to enable root ssh in order
> to do a remote copy of the above files? Please help.
>
> PS: I am not using NIS for password management.
>
> Thank you.
>
> Sashikanth Madduri.
* Re: Password File Sync Script
From: Sashikanth Madduri @ 2006-06-19 21:36 UTC
To: linux-admin
I am not using NIS because it is insecure and password information is
passed over the network unencrypted.

So, I am thinking of copying the password files in an ssh tunnel (using scp).

Is NIS really insecure?
What is the best way to manage user accounts in a network if security
is a concern?

On 6/19/06, Scott Taylor <scott@dctchambers.com> wrote:
>
> On Mon, June 19, 2006 13:44, Sashikanth Madduri wrote:
> > Hi,
> > I am writing a script to update password files from the server to
> > all the clients in the network.
> >
> > I will be copying the following files periodically to all the clients:
> >
> > /etc/passwd
> > /etc/shadow
> > /etc/group
> >
> > scp is one option to do the remote copying. But, root ssh is disabled
> > in the clients and I cannot use scp. Is there any alternative
> > way (other than scp) to do this? Do I have to enable root ssh in order
> > to do a remote copy of the above files? Please help.
> >
> > PS: I am not using NIS for password management.
>
> That's crazy, not to mention dangerous. If you are at a point where you
> need a script to update your passwords, perhaps you should consider using
> NIS or something.
>
> That said, you could always enable root ssh and just disable it again.
>
> --
> Scott
* Re: Password File Sync Script
From: Adrian C. @ 2006-06-19 21:40 UTC
To: Sashikanth Madduri, 'Linux Mail List'
Sashikanth Madduri wrote:
> I am not using NIS because it is insecure and password information is
> passed over the network unencrypted.
>
> So, I am thinking of copying the password files in an ssh tunnel (using
> scp).
>
> Is NIS really insecure?
> What is the best way to manage user accounts in a network if security
> is a concern?
Kerberos/OpenLDAP would be a good start.
--Adrian.
* Re: Password File Sync Script
From: urgrue @ 2006-06-20 4:34 UTC
To: Sashikanth Madduri; +Cc: linux-admin
On 06/19/2006 11:44:01 PM, Sashikanth Madduri wrote:
> Hi,
> I am writing a script to update password files from the server to
> all the clients in the network.
>
> I will be copying the following files periodically to all the clients:
>
> /etc/passwd
> /etc/shadow
> /etc/group

In general LDAP is probably a better idea. Fedora Directory Server is
free and very easy to set up.

However, if for some reason that isn't an option:
- have the clients fetch the files instead
- have the server put the files in some non-root user's homedir, from
  where a script running on the client verifies them and copies them into
  place

Security-wise LDAP is a better option, although I don't find these
scripts to be as bad as they seem.
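
Added example, not part of the thread: a sketch of the client-side "verifies them and copies them into place" step from the message above, written for a root-run job on the client. The function names, the particular sanity checks and the file modes are assumptions; "verify" here means structural checks only, and proving the files came from the server (for example with a signature) is outside this sketch.

```sh
#!/bin/sh
# Added example, run as root on the client; names, checks and modes are assumptions.

# verify_staged DIR: succeed only if DIR/{passwd,shadow,group} pass sanity checks
verify_staged() {
    dir=$1
    for f in passwd shadow group; do
        # regular, non-empty file; refuse symlinks planted in the staging dir
        [ -f "$dir/$f" ] && [ ! -L "$dir/$f" ] && [ -s "$dir/$f" ] ||
            { echo "rejected: $f missing, empty or not a regular file" >&2; return 1; }
    done
    # passwd: 7 fields, numeric UID/GID, root present and the only UID 0 account
    awk -F: 'NF != 7 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { bad = 1 }
             $3 == 0 && $1 != "root" { bad = 1 }
             $1 == "root" && $3 == 0 { root = 1 }
             END { exit (bad || !root) }' "$dir/passwd" ||
        { echo "rejected: passwd failed sanity checks" >&2; return 1; }
    # shadow has 9 colon-separated fields per line, group has 4
    awk -F: 'NF != 9 { exit 1 }' "$dir/shadow" &&
        awk -F: 'NF != 4 { exit 1 }' "$dir/group" ||
        { echo "rejected: malformed shadow or group" >&2; return 1; }
    # every account in passwd must also have a shadow entry
    awk -F: 'NR == FNR { seen[$1]; next } !($1 in seen) { exit 1 }' \
        "$dir/shadow" "$dir/passwd" ||
        { echo "rejected: passwd account without shadow entry" >&2; return 1; }
}

# install_staged SRC DEST: verify SRC, then replace DEST/{passwd,shadow,group}
install_staged() {
    src=$1 dest=$2
    verify_staged "$src" || return 1
    for f in passwd shadow group; do
        mode=644; [ "$f" = shadow ] && mode=600
        # mktemp creates the temp file 0600; mv in one directory is an atomic rename
        tmp=$(mktemp "$dest/$f.XXXXXX") || return 1
        cp "$src/$f" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest/$f" ||
            { rm -f "$tmp"; return 1; }
    done
}

# demo: constructed sample accounts, installed into a scratch dir instead of /etc
demo() {
    s=$(mktemp -d) && d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'alice:x:501:501::/home/alice:/bin/sh' >"$s/passwd"
    printf '%s\n' 'root:!:19000::::::' 'alice:!:19000::::::' >"$s/shadow"
    printf '%s\n' 'root:x:0:' 'alice:x:501:' >"$s/group"
    install_staged "$s" "$d" && ls -l "$d"
}
case "${1:-}" in demo) demo ;; ?*) install_staged "$1" "$2" ;; esac
```

Run with `demo` to exercise it on the constructed data, or with a staging directory and a destination directory as its two arguments. The shadow mode and group ownership differ between distributions, so adjust `mode` to match the client.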
* Re: Password File Sync Script
From: Sashikanth Madduri @ 2006-06-20 19:55 UTC
To: linux-admin
Hi,
How can I make sure that all the (human) users that are added to
the system have uids > 500? What is the configuration file for doing
that?

Thank You.

Sashi.
* Re: Password File Sync Script
From: Sashikanth Madduri @ 2006-06-20 20:15 UTC
To: linux-admin
Sorry for the previous mail. I found the answer. The file is
/etc/login.defs (useradd uses those values as defaults).
Thank You.
Sashi.
On 6/20/06, Sashikanth Madduri <mail.to.sashi@gmail.com> wrote:
> Hi,
> How can I make sure that all the (human) users that are added to
> the system have uids > 500? What is the configuration file for doing
> that?
>
> Thank You.
>
> Sashi.