At one time we did write a program that when executed by a user, uses
rsh to remotely log in to each box and change the password, specifying
an old and new password, and whether the password is already expired
or not (the prompts on login are different in that case). It's very
clunky and somewhat awkward to run.
I'm considering building a better system to do this, but I think I
should look to see whether Solaris and/or Linux provides a better way
to do this sort of thing. Is there some component that might make
something like this easier to do?
Is there a possibility to build a centralised account management
system like LDAP?
If yes I would strongly suggest to migrate it the environment to such
a service. If not, there is an other option you can go.
You can build a database with all registered accounts and manage them
over this way. If this is use, setup a job which synchronise the local
password with the one from the database. You can do this on a daily
base or if there are too much servers, just run it once in a week.
For the synchronisation, are several tools in the web available, which
allows you do-do that. My favorite one is rdist ( http://www.magnicomp.com/rdist/
) but there are many more.
Changing how passwords are stored on each box is not an option. I
can't change that. My only options are optimizing the process of
changing the password on each box.
NIS? Kerberos?
> I'm considering building a better system to do this, but I think I
> should look to see whether Solaris and/or Linux provides a better way
> to do this sort of thing. Is there some component that might make
> something like this easier to do?
The "standard" answer for this kind of thing is "expect" (expect.nist.gov).
But shurely you already knew that?
An even better alternative is probably to use ssh-agent.
Cheers,
--
In order to understand recursion you must first understand recursion.
Remove /-nsp/ for email.
beside serveral scripts I have seen some commercial solutions, which are
nevertheless worth to have a look at and explore how there works:
- BMC Control-SA (now Identity Suite)
- Symark Powerpassword
- Adventnet Passwordmanager (the cheapest and smallest Solution)
all of them quit expensive, but with thousands of boxes you maybe can
spend some money ;-). For the first two you must ask for evaluation license.
If the boxes mostly homogenous I would also recommend LDAP for Password
sync.
Wolfgang
If you must have each individual machine authenticate users against
the local passwd/shadow files rather than use a central database like
LDAP or NIS, then your best still involves a central repository.
You'll just need something that securely distributes the passwd/shadow
files to the individual machines. (not to mention sending only the
usernames/passwords appropriate to each machine)
In the past people have often used cfengine to do this. Cfengine is
a general-purpose tool for distributing config files among a number
of networked computers, but it can work fine for passwd/shadow files
(which are, after all, config files). Some shortcomings in cfengine
have come to light and people are switching to other programs like
Puppet or Bundle.
Puppet: http://www.reductivelabs.com/
Bundle: http://www.eyrie.org/~eagle/software/bundle/
-Greg
--
Do NOT reply via e-mail.
Reply in the newsgroup.