Operating System - HP-UX
Smirjit Singh
Advisor

Password Synchronization

Hi All,

We have just set up an MC/ServiceGuard cluster with 4 nodes. There will be a lot of users who will use the same login name on different nodes. We want to implement password synchronization for this cluster, so that if any user updates his/her password on node A, that same password is synchronized to nodes B, C and D. Is it possible? If so, how?

Sandip
Knowledge is only most valuable things which can't buy.
Magdi KAMAL
Respected Contributor

Re: Password Synchronization

Hi Sandip,

In my opinion, there is no automatic way to synchronize /etc/passwd across nodes (even with MC/SG).

If you implement a mechanism of remote copy in conjunction with crontab jobs, even this could not solve the problem and can result in the loss of new password changes.

Consider the worst example, as follows:
nodes A B C D
/etc/passwd on A had changed at 10:30
/etc/passwd on B had Changed at 10:30
/etc/passwd on C had Changed at 10:30
/etc/passwd on D had Changed at 10:30

In this case, and due to concurrent processes changing passwords, you perhaps need to develop a C (or C++) program with a synchronizing mechanism (like a semaphore), and the program's role is to administer the password file on all nodes.

Steps:
1. Program (myPasswd) on only one node.
When invoked:
2. Decrease the value of its semaphore (to block other users from making changes until it finishes).
3. Password modification.
4. Replicate the /etc/passwd on all nodes using "Remote Copy".
5. Increase the value of its semaphore (to allow other users to change their passwords).

Magdi
Sridhar Bhaskarla
Honored Contributor

Re: Password Synchronization

Consider using NIS only on these four nodes. Otherwise it will be a nightmare.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Smirjit Singh
Advisor

Re: Password Synchronization

Hi Magdi,

Thanks for your answer. I tried to write a small shell script like an automatic FTP, but it also did not work. According to you, if I copy /etc/passwd then the root password will also be the same on all nodes, which is not possible under our security policy.
Knowledge is only most valuable things which can't buy.
Magdi KAMAL
Respected Contributor

Re: Password Synchronization

Hi again Sandip,

In this case, you may change point 4, replacing the remote copy by issuing the passwd command on all nodes in the cluster. This way, the user sets his password once and the program propagates the password to all nodes.

Magdi
Rainer von Bongartz
Honored Contributor

Re: Password Synchronization

Sandip,

You really got the point; copying your /etc/passwd to different nodes is not the right way. You will have identical logins for root and other system accounts on all nodes, and this was not acceptable to our security policy.

I use the LDAP-UX product from HP to have my user accounts on an LDAP Server (comes for free from HP) and keep my system accounts locally in /etc/passwd.

I installed LDAP as a separate MC/SG package which can run on different nodes so that my users can always login using the password stored on the LDAP server.

You will find the LDAP services on your 11.0 application CDs.

The installation is straightforward and documented.

Regards

Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Smirjit Singh
Advisor

Re: Password Synchronization

Hi Rainer,

It looks OK. Can you tell me how I should proceed? If I install the LDAP product on any node, how will I redirect user logins to the LDAP database instead of /etc/passwd?

Knowledge is only most valuable things which can't buy.
Rainer von Bongartz
Honored Contributor

Re: Password Synchronization

Sandip,

You specify this in /etc/nsswitch.conf,
i.e.
passwd: files [NOTFOUND=continue] ldap
In this case login first looks in /etc/passwd. When it finds an entry for a user, this user is authenticated against /etc/passwd, otherwise against your LDAP server.

Regards
Rainer

He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Barry O Flanagan
Respected Contributor

Re: Password Synchronization

NIS or NIS+ is the way to go. Use NIS+ if you're worried about security. NIS is a little easier to administer and control. You can distribute as little or as much as you want with it, including passwd, group, netgroup, hosts etc. One database, so therefore only one set of accounts to administer, update etc. NIS+ is better from a security point of view as everything is encrypted, but there's a bigger admin overhead with keys etc.

just my 2 cents
Ralf Hildebrandt
Valued Contributor

Re: Password Synchronization

Very easy.
You can use rsync over ssh to distribute the passwd files.

Use a Makefile & make to update the /etc/passwd via rsync if /etc/passwd changed. Since make only takes action when /etc/passwd actually changes, you can easily run "make" every minute.
Postfix/BIND/Security/IDS/Scanner, you name it...
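
Added example (not code from any poster in this thread): a filtered merge that combines the one-writer-at-a-time steps from Magdi's replies with the file distribution Ralf suggests, while keeping root and other system accounts local, as the security-policy objection raised in the thread requires. The `MIN_UID` threshold, the lock and temporary file names, and the sample accounts are assumptions; the master copy is assumed to have been fetched to a staging path already (for example by rsync over ssh).

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: hashes sit in field 2 of
# /etc/passwd and accounts with a UID below MIN_UID are system accounts.
MIN_UID=${MIN_UID:-100}

# merge_passwd MASTER LOCAL: print LOCAL's system accounts unchanged, then
# MASTER's user accounts. MASTER can neither replace nor add a system account:
# its low-UID lines and any name already kept from LOCAL are skipped.
merge_passwd() {
    awk -F: -v min="$MIN_UID" '
        NF != 7 || $3 !~ /^[0-9]+$/ { next }          # ignore malformed lines
        FILENAME == ARGV[1] {                          # first file: LOCAL
            if ($3 + 0 < min + 0) { print; kept[$1] = 1 }
            next
        }
        $3 + 0 >= min + 0 && !($1 in kept) { print; kept[$1] = 1 }
    ' "$2" "$1"
}

# sync_passwd MASTER LOCAL: one writer at a time (atomic mkdir plays the role
# of the semaphore), sanity check, then replace LOCAL with a rename.
sync_passwd() {
    lock="$2.lock.d" tmp="$2.new.$$" rc=0
    mkdir "$lock" 2>/dev/null || { echo "another sync holds $lock" >&2; return 75; }
    merge_passwd "$1" "$2" > "$tmp" || rc=1
    # The local root entry must survive byte for byte.
    old_root=$(awk -F: '$1 == "root"' "$2")
    new_root=$(awk -F: '$1 == "root"' "$tmp")
    if [ -z "$old_root" ] || [ "$old_root" != "$new_root" ]; then
        echo "root entry would change, not installing" >&2; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        chmod 444 "$tmp" && mv -f "$tmp" "$2" || rc=1
    fi
    rm -f "$tmp"; rmdir "$lock"
    return "$rc"
}

# demo: constructed sample data (invented hashes) in a scratch directory.
demo() {
    d=${TMPDIR:-/tmp}/pwsync.$$; mkdir "$d" || return 1
    printf '%s\n' 'root:LOCALROOT:0:3::/:/sbin/sh' \
        'alice:OLDHASH:101:20::/home/alice:/usr/bin/sh' > "$d/passwd"
    printf '%s\n' 'root:MASTERROOT:0:3::/:/sbin/sh' 'toor:X:0:3::/:/sbin/sh' \
        'alice:NEWHASH:101:20::/home/alice:/usr/bin/sh' > "$d/master"
    sync_passwd "$d/master" "$d/passwd" && cat "$d/passwd"
    rm -rf "$d"
}
```

Local user accounts that are absent from the master copy are dropped, because the master is treated as authoritative for UIDs at or above `MIN_UID`. A lock directory left behind by a killed run has to be removed by hand before the next sync can proceed.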
Smirjit Singh
Advisor

Re: Password Synchronization

Hi Ralf,

Would you please tell me in brief how I would do it? Actually, I am not getting any clue.

Knowledge is only most valuable things which can't buy.
Sundar_7
Honored Contributor

Re: Password Synchronization

Hi,

You can go for NIS or NIS+.

I guess NIS is going to be pretty easy to set up.

But NIS+ is pretty secure. But then, when your box is not connected to the internet, NIS should be the best option. Though with security issues, it is very easy to set up and administer.

Also there is one more service that is not mentioned here.

"rdist": this is a special service meant just for keeping the configuration files synced.

I don't know if this is going to work for /etc/passwd or not, but try it out.

Also there are some third-party tools like RSA Keon Security and Authentication Software.

But this is going to cost you something, but a best bet.

Sundar


Learn What to do ,How to do and more importantly When to do ?