LinuxQuestions.org

jwolter0 04-29-2004 11:00 AM

Shadow passwords different on each machine (Fedora Core 1)
 
I'm setting up a small compute cluster and am looking to have a simple password management system for my users. A colleague of mine uses a really simple scheme under Red Hat 7.3: when a user changes his/her password on the master node, an automated script copies the /etc/shadow file to all the worker nodes. However, based on my (limited) experience with Fedora Core 1, I don't think this will work for me. I'm finding that the ciphertext in my /etc/shadow files is different on each machine for the same password. Is there a difference in the way shadow passwords are implemented between the two distros? Is there a setting I can alter? Any other advice?

TIA,
John

320mb 04-30-2004 02:26 AM

Re: Shadow passwords different on each machine (Fedora Core 1)
 
Quote:

Originally posted by jwolter0
A colleague of mine uses a really simple scheme under Red Hat 7.3: when a user changes his/her password on the master node, an automated script copies the /etc/shadow file to all the worker nodes.

TIA,
John

well think of it like this..........
if someone "r00ted" one box on your "network"
if /etc/shadow was the same on all your boxes......
the rest of them could be r00ted also............

your colleague might regret his set up at some future point
in time........!!

chort 04-30-2004 01:33 PM

Yes, there's a difference. I think RH 7.3 used DES to encrypt the passwords. Newer RH's use MD5, as far as I can tell. There's also a per-machine "salt", so the result is that each machine will hash the same password differently.

jwolter0 04-30-2004 01:59 PM

Thanks for the info!

Anyone have any suggestions for managing passwords for the same user account on a large number of machines? I don't want to make my users change their password manually on 20+ different machines.

Blinker_Fluid 04-30-2004 04:33 PM

Quote:

Originally posted by jwolter0
Thanks for the info!

Anyone have any suggestions for managing passwords for the same user account on a large number of machines? I don't want to make my users change their password manually on 20+ different machines.

There is always NIS...

I've actually seen people copy /etc/passwd, /etc/shadow, and /etc/group to multiple machines to sync up the passwords (mostly Red Hat 7.3 or Red Hat 8, 9). However, there are differences in the passwords between 7.3 and 8, so you can't copy a shadow file from a 7.3 box to an 8 box or you lose things like SSH. As long as all the machines are the same version I think it will work.
When in doubt, back them up before doing it...

chort 05-02-2004 05:38 AM

I seriously doubt that two machines will be able to share the same shadow file, for the reason I mentioned above (machine-specific "salt" value), but you're welcome to try and report the result.

Kerberos is a rather popular option for synchronizing authentication for multiple machines. I believe OpenLDAP can also be used in a similar manner. NIS(+) is pretty horrible in my opinion and should be avoided if possible.
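
For the DES and MD5 hash formats discussed in this thread, an added example (not code from any poster): it reads the password field of shadow entries, reports the crypt(3) scheme and the salt stored inside each entry, and lists accounts whose scheme a target node does not accept. The function names, the `target_schemes` set and the sample entries are assumptions made for the illustration.

```python
import re

# crypt(3) modular-format ids and the scheme each one names.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
# Traditional DES crypt: 13 characters, the first two are the salt.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(field):
    """Return (scheme, salt, locked) for the password field of a shadow entry."""
    if field == "":
        return ("empty", None, False)        # no password set
    locked = field.startswith("!")           # '!' prefix marks a locked password
    body = field.lstrip("!")
    if body in ("", "*"):
        return ("none", None, True)          # no usable hash, password login disabled
    if body.startswith("$"):
        parts = body.split("$")[1:]          # $1$salt$hash -> ['1', 'salt', 'hash']
        scheme = SCHEMES.get(parts[0], "unknown")
        rest = [p for p in parts[1:] if not p.startswith("rounds=")]
        salt = rest[0] if scheme != "unknown" and len(rest) == 2 else None
        return (scheme, salt, locked)
    if DES_RE.match(body):
        return ("des-crypt", body[:2], locked)
    return ("unknown", None, locked)


def report(shadow_text):
    """Map each user in shadow-format text to classify() of their password field."""
    rows = (line.split(":") for line in shadow_text.splitlines() if line.strip())
    return {row[0]: classify(row[1]) for row in rows}


def not_portable(shadow_text, target_schemes):
    """Users whose scheme is not in target_schemes (what the target's crypt() accepts)."""
    return sorted(u for u, (s, _, _) in report(shadow_text).items()
                  if s not in target_schemes and s not in ("none", "empty"))


# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = """\
alice:$1$Xy7kQ2pL$0123456789abcdefghijkl:12500:0:99999:7:::
bob:abCDEFGHIJKLM:12500:0:99999:7:::
carol:!!:12500:0:99999:7:::
dave:!$1$Qw3rTy9u$lkjihgfedcba9876543210:12500:0:99999:7:::
"""

if __name__ == "__main__":
    print(report(SAMPLE), not_portable(SAMPLE, {"des-crypt"}), sep="\n")
```

Running `report()` on the shadow file from each node and comparing the scheme column shows whether the nodes store hashes in the same format before any file is copied between them.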

