RE: Ways to manage passwd/shadow files?

From: Tim Nelson
Subject: RE: Ways to manage passwd/shadow files?
Date: Fri, 11 Mar 2005 10:48:39 +1100 (EST)
On Thu, 10 Mar 2005, Atom Powers wrote:

> > What's the best way to use cfengine to manage /etc/passwd and /etc/shadow?
>
> Ditto.

LDAP+nsswitch? :).

> I think hash comments *are* allowed in the passwd file, at least in FreeBSD
> they are. But there are other issues as well.

They were on Linux last time I tried it (maybe 3 years ago).

> - passwd and shadow (or master.passwd) need to be exactly the same except
> that the shadow file has the password hash.
> - The shadow file can not be built from the passwd file, but the passwd file
> could be built from the shadow file.

Both wrong (at least on Redhat, and probably on others too).
passwd has a passwd field that is simply an 'x' on systems that use the
shadow stuff (as you implied), but the shadow file is completely different
in format. From "man 5 shadow" on my Fedora box, the shadow fields are:
- Login name
- Encrypted password
- Days since Jan 1, 1970 that password was last changed
- Days before password may be changed
- Days after which password must be changed
- Days before password is to expire that user is warned
- Days after password expires that account is disabled
- Days since Jan 1, 1970 that account is disabled
- A reserved field
So as you can see, the only fields it shares with passwd are the
login name, and historically, the encrypted password.

> - But keeping a shadow file available to cfengine could compromise the
> security of the file; the source file or the temporary file made during the
> copy.

My thoughts exactly.

> - I don't know that cfengine has the ability to modify the password files
> safely. Modifying either password file without using vipw or the like
> probably won't update both the passwd and shadow files, which is absolutely
> required.

cat foo >> /etc/passwd
cat foo >> /etc/shadow

Not that I think it's a good idea, though. I always used a
combination of cfengine's shellcommands, and adduser/usermod.

> So, if it is possible to ensure the security of the shadow file while
> cfengine is running, it should be possible to push out a shadow file and then
> run vipw or the like to create the passwd file. How can we guarantee the
> security of the shadow file?

Not a good idea. If I had to pick one thing not to overwrite from
central, passwd/shadow would be it. cfperl has some user modification
commands; you may like this functionality. Alternatively, you could write
a method that performs various operations on users, e.g. create (if not
existing), delete, modify, and the like, and then call them from your
other cfengine scripts. If you do that, we'd be interested in seeing
them.
:)
--
Tim Nelson
Server Administrator
WebAlive Technologies Global
Level 1 Innovation Building, Digital Harbour
1010 LaTrobe Street
Docklands, Melbourne,
Vic, 3008
Phone: +61 3 9934 0812
Fax: +61 3 9934 0899
E-mail: tim.nelson@webalive.biz
http://www.webalive.biz/
"Your Business, Your Web, Your Control"
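An added example, not from the thread or from cfengine: a small Python checker that parses passwd(5)/shadow(5)-style text using the shadow field order quoted above and reports the passwd/shadow mismatches that editing one file without vipw or usermod can leave behind. The file contents are constructed samples (not real accounts), and '#' comment lines are skipped as the thread says they are accepted.

```python
from datetime import date, timedelta

# Field order as listed in shadow(5); "reserved" is the trailing empty field.
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")

# Constructed sample files (hashes are placeholders, not real credentials).
SAMPLE_PASSWD = """\
# managed centrally; 'x' means "look in shadow"
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$notreal$hashhere:1001:1001:Bob:/home/bob:/bin/sh
"""
SAMPLE_SHADOW = """\
root:!:12850:0:99999:7:::
alice:$6$saltsalt$notarealhash:12850:0:90:7:14::
carol:!:12850:0:99999:7:::
"""

def _records(text, nfields):
    """Yield colon-split lines, skipping blanks and '#' comment lines."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            fields = line.split(":")
            if len(fields) != nfields:
                raise ValueError(f"expected {nfields} fields: {line!r}")
            yield fields

def parse_passwd(text):
    """Map login -> {passwd, uid} from passwd(5)-style text (7 fields)."""
    return {f[0]: {"passwd": f[1], "uid": int(f[2])} for f in _records(text, 7)}

def parse_shadow(text):
    """Map login -> named shadow(5) fields (9 fields)."""
    return {f[0]: dict(zip(SHADOW_FIELDS, f)) for f in _records(text, 9)}

def check_consistency(passwd, shadow):
    """Return the mismatches that vipw/usermod are meant to prevent."""
    problems = []
    for name, p in passwd.items():
        if p["passwd"] == "x" and name not in shadow:
            problems.append(f"{name}: passwd has 'x' but no shadow entry")
        elif p["passwd"] not in ("x", "*", "!", ""):
            problems.append(f"{name}: hash kept in world-readable passwd")
    problems += [f"{n}: shadow entry with no passwd entry"
                 for n in shadow if n not in passwd]
    return problems

def last_change(entry):
    """Turn the days-since-1970 'lastchg' field into a calendar date."""
    return date(1970, 1, 1) + timedelta(days=int(entry["lastchg"]))
```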