Sidai team: Distributing password and shadow files

Two Sidai packages support creating and distributing password and shadow files:

  • passwd-dist-config builds a configuration file.
  • passwd-dist installs the password distribution utility software.

Strategy

Some server (possibly the Ark gold server) holds the master copy of /etc/passwd and /etc/shadow. All regular users are listed there, and all password changes must be performed there.

The master server periodically runs a job that extracts regular user records and merges them with system-specific records for system accounts like root, bin, and lp. This job creates passwd and shadow files for each host.

Other hosts run periodic jobs to "suck" from the master server the generated passwd and shadow files. These new files replace the previous /etc/passwd and /etc/shadow files.
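The merge-and-pull strategy above in code, as an added illustration that is not the passwd-dist package's own implementation. It assumes (the page does not say) that the master files list every regular user, that a host's own system entries for root, bin, lp and so on take precedence over a master entry of the same name, and that a generated pair is only installed if it passes a few sanity checks (root present with UID 0, no duplicate names or UIDs, every passwd entry paired with a shadow entry, correct field counts). All sample entries are constructed; the hashes are placeholders.

```python
"""Build per-host passwd/shadow files from a master copy plus per-host
system entries, and sanity-check the result before installing it.

Added example, not the passwd-dist package's own code.  Assumptions:
the master lists every regular user; host-specific system entries take
precedence over a master entry of the same name; install only if valid.
"""
import os
import tempfile
from typing import List, Tuple

# --- constructed sample input (placeholder hashes) ----------------------
MASTER_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:2:2:bin:/bin:/sbin/nologin
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
bob:x:1002:100:Bob Example:/home/bob:/bin/tcsh
"""
MASTER_SHADOW = """\
root:$1$mastersalt$masterhash:12200:0:99999:7:::
bin:*:12200:0:99999:7:::
alice:$1$alicesalt$alicehash:12200:0:99999:7:::
bob:$1$bobsalt$bobhash:12200:0:99999:7:::
"""
# What a host's <sys-users-passwd>/<sys-users-shadow> fields might supply
# (constructed to look like a Solaris-style prototype).
HOST_SYS_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
bin:x:2:2::/usr/bin:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
"""
HOST_SYS_SHADOW = """\
root:$1$hostsalt$hosthash:12200::::::
bin:NP:6445::::::
lp:NP:6445::::::
"""

PASSWD_FIELDS = 7   # name:pw:uid:gid:gecos:home:shell
SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:flag


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (username, raw line) pairs, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entries.append((line.split(":", 1)[0], line))
    return entries


def merge_entries(master: str, host_sys: str) -> List[str]:
    """Host system entries first, then every master entry they do not override."""
    sys_entries = parse_entries(host_sys)
    sys_names = {name for name, _ in sys_entries}
    merged = [line for _, line in sys_entries]
    merged += [line for name, line in parse_entries(master) if name not in sys_names]
    return merged


def build_host_files(master_passwd: str, master_shadow: str,
                     sys_passwd: str, sys_shadow: str) -> Tuple[str, str]:
    """Produce the passwd and shadow file contents for one host."""
    passwd = "\n".join(merge_entries(master_passwd, sys_passwd)) + "\n"
    shadow = "\n".join(merge_entries(master_shadow, sys_shadow)) + "\n"
    return passwd, shadow


def validate(passwd: str, shadow: str) -> List[str]:
    """Return a list of problems; an empty list means the pair is safe to install."""
    problems: List[str] = []
    pw = parse_entries(passwd)
    sh = parse_entries(shadow)
    for name, line in pw:
        if line.count(":") != PASSWD_FIELDS - 1:
            problems.append(f"passwd: bad field count for {name}")
    for name, line in sh:
        if line.count(":") != SHADOW_FIELDS - 1:
            problems.append(f"shadow: bad field count for {name}")
    pw_names = [n for n, _ in pw]
    sh_names = [n for n, _ in sh]
    if len(set(pw_names)) != len(pw_names):
        problems.append("passwd: duplicate user names")
    uids = [line.split(":")[2] for _, line in pw if line.count(":") == PASSWD_FIELDS - 1]
    if len(set(uids)) != len(uids):
        problems.append("passwd: duplicate uids")
    root = [line for n, line in pw if n == "root"]
    if not root or root[0].split(":")[2] != "0":
        problems.append("passwd: root missing or not uid 0")
    for name in pw_names:
        if name not in sh_names:
            problems.append(f"shadow: no entry for {name}")
    for name in sh_names:
        if name not in pw_names:
            problems.append(f"shadow: stale entry for {name}")
    return problems


def install_pair(passwd: str, shadow: str, etc_dir: str) -> bool:
    """Atomically replace <etc_dir>/passwd and <etc_dir>/shadow; refuse if invalid."""
    if validate(passwd, shadow):
        return False
    for fname, content, mode in (("passwd", passwd, 0o644), ("shadow", shadow, 0o400)):
        fd, tmp = tempfile.mkstemp(dir=etc_dir, prefix=f".{fname}.")
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(tmp, mode)                        # set mode before it becomes visible
        os.replace(tmp, os.path.join(etc_dir, fname))  # rename is atomic on POSIX
    return True
```

The pull side writes each file to a temporary name in the same directory and renames it into place, so a host never sees a half-written /etc/passwd, and it refuses to install at all if the generated pair would lock out root or leave a passwd entry with no shadow counterpart.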

Cookbook setup

  1. Copy the sample passwd-dist-config.xml and passwd-dist.xml files from verilab2/package to your team's package directory.
  2. Check the parameters in the <compile> section of passwd-dist-config.xml.
    • Change the MASTER parameter to the name of your master ark server.
    • Check the paths in the other parameters. For example, Verilab installed rsync at /our/bin/rsync, but your team may have installed it somewhere else.
  3. Check the crontab fragments in passwd-dist-config.xml. Verilab generates new password files every ten minutes. Each host sucks its generated password file five minutes after it is generated. You may prefer a more or less frequent schedule. Also, check the command paths here.
  4. Consider the do_freeze parameter in passwd-dist.xml. When set to its default value, yes, Ark will generate a "frozen" executable containing the Python code. This is more secure than relying on each host's locally installed Python libraries. Unfortunately, freezing is prone to running with the wrong libraries on Linux, which comes with Python preinstalled.
  5. Update root's crontab schedule: ark-invasive sys-cron-config
    Since passwd-dist-config.xml contains a crontab fragment with dependencies on itself and passwd-dist.xml, these two packages will be revealed.

System passwd entries

System users, like root, bin, and lp, vary somewhat among different flavors of Unix. Two fields describe the passwd and shadow entries for these users: <sys-users-passwd> and <sys-users-shadow>. Most hosts inherit these fields from some operating-system-specific prototype (e.g., sparc-solaris8.xml).

ToDo: Explain how to add a system user to a single host or group of hosts: the Apache user need only appear on web servers.

Configuration

ToDo: Explain passwd-dist-config.xml parameters.


© The Arusha Project, 2000-2003; team: sidai; c/o partain@users.sourceforge.net; revision 1.1, 2003-06-09.