shadow password file copying, multi-platform

Alan J Rosenthal

Apr 17, 2000, 3:00:00 AM
Greetings. I'm dealing with a situation where we're instituting shadow
passwords on a machine which is the /etc/{passwd,shadow} "master" for a dozen
unix machines of different flavours -- every day the machines all copy the
old-style /etc/passwd from the master, then run pwconv. If the master now
has shadow passwords, the clients have to copy all the information somehow,
it's no longer all in /etc/passwd.

I started on a simple C program to produce a combined old-style passwd file so
that the clients could replace the "rcp master:/etc/passwd /etc/passwd.new"
with "rsh master mergepasswd >/etc/passwd.new", but then it occurred to me
that it's rather silly to put the data together (passwd+shadow -> old-style
passwd) just to take it apart again (pwconv), especially since the putting
together involves reading the whole shadow file and using qsort and bsearch.

So I'm considering just copying both /etc/passwd and /etc/shadow (into new
files and rename, of course). As far as I can tell, the semantics of the
fields of the shadow file are the same according to the man pages on all
platforms involved (gnu/linux, solaris 2.{3,5,7}, and irix 5.3 and 6.2).
Does anyone reading this want to advise me against this idea, i.e. that I
should make the local pwconv programs generate the shadow password by doing
my plan 'A', merging the passwd and shadow files on the master to produce
an old-style /etc/passwd as source? Or that I should delete the contents
of all the fields in /etc/shadow after the first two, or set them to some
particular constant text?

A wrinkle is that some machines don't have all the accounts which the
master has. I think it's ok to copy the whole shadow password file, with
some lines being unused? (experiments suggest that this works) Otherwise I
can just use the current sed command pipeline which kills the inappropriate
lines on /etc/shadow as well as /etc/passwd (it is now used on the copied
/etc/passwd before the pwconv).

thanks for any words of wisdom,
ajr

John Hobson

Apr 17, 2000, 3:00:00 AM
Have you considered NIS or NIS+?

John Hobson

peter@icke-reklam.manet.dot..nu

Apr 17, 2000, 3:00:00 AM
Alan J Rosenthal <fl...@dgp.toronto.edu> wrote:
> Greetings. I'm dealing with a situation where we're instituting shadow
> passwords on a machine which is the /etc/{passwd,shadow} "master" for a dozen
> unix machines of different flavours -- every day the machines all copy the
> old-style /etc/passwd from the master, then run pwconv. If the master now
> has shadow passwords, the clients have to copy all the information somehow,
> it's no longer all in /etc/passwd.

Ever heard of NIS? Being forced to copy password files as root
could very easily create possibilities for intruders to use the same
channels for intrusion. Using NIS (which by no means is a "secure product")
has at least known risks, and is possible to defend in "closed" areas.


> I started on a simple C program to produce a combined old-style passwd file so
> that the clients could replace the "rcp master:/etc/passwd /etc/passwd.new"
> with "rsh master mergepasswd >/etc/passwd.new", but then it occurred to me
> that it's rather silly to put the data together (passwd+shadow -> old-style
> passwd) just to take it apart again (pwconv), especially since the putting
> together involves reading the whole shadow file and using qsort and bsearch.

> So I'm considering just copying both /etc/passwd and /etc/shadow (into new
> files and rename, of course). As far as I can tell, the semantics of the
> fields of the shadow file are the same according to the man pages on all
> platforms involved (gnu/linux, solaris 2.{3,5,7}, and irix 5.3 and 6.2).
> Does anyone reading this want to advise me against this idea, i.e. that I
> should make the local pwconv programs generate the shadow password by doing
> my plan 'A', merging the passwd and shadow files on the master to produce
> an old-style /etc/passwd as source? Or that I should delete the contents
> of all the fields in /etc/shadow after the first two, or set them to some
> particular constant text?

> A wrinkle is that some machines don't have all the accounts which the
> master has. I think it's ok to copy the whole shadow password file, with
> some lines being unused? (experiments suggest that this works) Otherwise I
> can just use the current sed command pipeline which kills the inappropriate
> lines on /etc/shadow as well as /etc/passwd (it is now used on the copied
> /etc/passwd before the pwconv).

> thanks for any words of wisdom,
> ajr

--
Peter Håkanson
Manet Networking (At the Riverside of Gothenburg, home of Volvo)
Sorry about my e-mail address, but i'm trying to keep spam out.
echo "peter (at) manet (dot) nu" | sed "s/(at)/@/g " | sed "s/(dot)/\./g"|sed "s/ //g"

Timothy J. Lee

Apr 18, 2000, 3:00:00 AM
fl...@dgp.toronto.edu (Alan J Rosenthal) writes:
|So I'm considering just copying both /etc/passwd and /etc/shadow (into new
|files and rename, of course). As far as I can tell, the semantics of the
|fields of the shadow file are the same according to the man pages on all
|platforms involved (gnu/linux, solaris 2.{3,5,7}, and irix 5.3 and 6.2).
|Does anyone reading this want to advise me against this idea, i.e. that I
|should make the local pwconv programs generate the shadow password by doing
|my plan 'A', merging the passwd and shadow files on the master to produce
|an old-style /etc/passwd as source?

If you ever get an OS that uses a different form of shadow
passwording, such as any 4.4BSD derived OS, you'll have to
take into account the differences in the file format.

--
------------------------------------------------------------------------
Timothy J. Lee timlee@
Unsolicited bulk or commercial email is not welcome. netcom.com
No warranty of any kind is provided with this message.
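
Added example, not part of any poster's message: a sketch of the client-side step the thread discusses, keeping only the copied shadow lines for accounts that exist locally, rejecting a file that is not in the nine-field shadow layout (the format difference raised in the last reply), and installing via a new file plus rename. Function names, file names and the sample data are hypothetical, and the hashes are placeholders.

```shell
#!/bin/sh
# Added example; function names, paths and sample data are hypothetical.

# filter_shadow PASSWD SHADOW_IN
# Print the SHADOW_IN lines whose login also appears in PASSWD. Exit non-zero
# if any line lacks the nine colon-separated fields of the shadow(4) layout
# (a 4.4BSD master.passwd line, for instance, has ten).
filter_shadow() {
    awk -F: '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { local_user[$1] = 1; next }
        NF != 9 {
            printf "%s:%d: %d fields, expected 9\n", FILENAME, FNR, NF > "/dev/stderr"
            bad = 1; next
        }
        $1 in local_user { print }
        END { exit bad }
    ' "$1" "$2"
}

# install_shadow PASSWD SHADOW_IN DEST
# Build the filtered file beside DEST with mode 0600, then rename it into
# place. A rejected or empty result leaves the existing DEST untouched.
install_shadow() {
    tmp=$(umask 077; mktemp "$(dirname "$3")/shadow.new.XXXXXX") || return 1
    if filter_shadow "$1" "$2" > "$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# make_sample DIR: write constructed input files (hashes are placeholders).
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1001:100:Alice:/home/alice:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:HASH-PLACEHOLDER:11000:0:99999:7:::' \
        'alice:HASH-PLACEHOLDER:11000:0:99999:7:::' \
        'bob:HASH-PLACEHOLDER:11000:0:99999:7:::' > "$1/shadow.master"
    # One line in 4.4BSD master.passwd layout: ten fields.
    printf '%s\n' 'root:HASH-PLACEHOLDER:0:0::0:0:Charlie Root:/root:/bin/sh' \
        > "$1/shadow.bsd"
}
```

The rename replaces the old file in one step only because the temporary file is created in the destination's own directory.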
