Shadow passwords different on each machine (Fedora Core 1)
I'm setting up a small compute cluster and am looking to have a simple password management system for my users. A colleague of mine uses a really simple scheme under Red Hat 7.3: when a user changes his/her password on the master node, an automated script copies the /etc/shadow file to all the worker nodes. However, based on my (limited) experience with Fedora Core 1, I don't think this will work for me. I'm finding that the ciphertext in my /etc/shadow files is different on each machine for the same password. Is there a difference in the way shadow passwords are implemented between the two distros? Is there a setting I can alter? Any other advice?
TIA, John
Re: Shadow passwords different on each machine (Fedora Core 1)
Quote:
If someone "r00ted" one box on your "network" and /etc/shadow was the same on all your boxes...... the rest of them could be r00ted also............ your colleague might regret his setup at some future point in time........!!
Yes, there's a difference. I think RH 7.3 used DES to encrypt the passwords. Newer RH releases use MD5, as far as I can tell. There's also a per-machine "salt", so the result is that each machine will hash the same password differently.
Thanks for the info!
Anyone have any suggestions for managing passwords for the same user account on a large number of machines? I don't want to make my users change their password manually on 20+ different machines.
Quote:
I've actually seen people copy /etc/passwd, /etc/shadow, and /etc/group to multiple machines to sync up the passwords (mostly Red Hat 7.3 or Red Hat 8/9). However, there are differences in the passwords between 7.3 and 8, so you can't copy a shadow file from a 7.3 box to an 8 box or you lose things like SSH. As long as all the machines are the same version I think it will work. When in doubt, back them up before doing it...
I seriously doubt that two machines will be able to share the same shadow file, for the reason I mentioned above (machine specific "salt" value), but you're welcome to try and report the result.
Kerberos is a rather popular option for synchronizing authentication for multiple machines. I believe OpenLDAP can also be used in a similar manner. NIS(+) is pretty horrible in my opinion and should be avoided if possible.
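The observation that runs through this thread (the same password produces a different hash string in /etc/shadow on each machine) comes down to the salt. With the MD5-based scheme that Red Hat 8/9 and Fedora Core 1 use, the field has the form `$1$<salt>$<hash>`; passwd draws a fresh random salt every time a password is set and stores it in the field, and a password check reads that salt back out of the stored field before re-hashing. That is why a field copied between machines using the same scheme still verifies, and why the same scheme cannot verify a field written in the older DES format. The example below is added here and is not code from the thread; it implements MD5-crypt with only `hashlib`, and the shadow lines and passwords in it are constructed for illustration.

```python
"""MD5-crypt ($1$) as used in /etc/shadow on Red Hat 8/9 and Fedora Core 1,
implemented with hashlib only, to show that two machines produce different
hash strings for one password because each passwd run picks its own random
salt, and that verification reuses the salt stored in the field.
All sample shadow lines and passwords in this file are constructed."""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` crypt base-64 digits of `value`, low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return the $1$<salt>$<hash> string for password/salt (FreeBSD md5crypt)."""
    salt = salt[:8]  # md5crypt uses at most 8 salt characters
    ctx = hashlib.md5(password + MAGIC + salt)
    # Alternate sum MD5(password + salt + password), fed in once per 16 bytes
    # of password length (the last chunk truncated to the remainder).
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # One byte per bit of the password length: NUL for a 1 bit,
    # the first password byte for a 0 bit.
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching with the round-dependent input ordering.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    # Custom base-64 layout of the 16 digest bytes: 22 output characters.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return MAGIC.decode() + salt.decode() + "$" + encoded


def new_shadow_field(password: str) -> str:
    """What passwd does on each machine: a fresh random 8-char salt, then hash."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8)).encode()
    return md5_crypt(password.encode(), salt)


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored $1$ field, reusing its embedded salt."""
    if not stored.startswith("$1$"):
        return False  # locked account (! or *) or a different hash scheme
    parts = stored.split("$")
    if len(parts) != 4:
        return False
    salt = parts[2].encode()
    return secrets.compare_digest(md5_crypt(password.encode(), salt), stored)


def check_shadow_line(line: str, password: str) -> bool:
    """Verify a password against one /etc/shadow line (user:field:...)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return False
    return verify(password, fields[1])


if __name__ == "__main__":
    # Constructed scenario: the same password set independently on two nodes.
    pw = "correct horse"
    node_a = "jdoe:" + new_shadow_field(pw) + ":12345:0:99999:7:::"
    node_b = "jdoe:" + new_shadow_field(pw) + ":12345:0:99999:7:::"
    print(node_a)
    print(node_b)  # different text, same password
    print(check_shadow_line(node_a, pw), check_shadow_line(node_b, pw))
```

Running the module shows two shadow lines for the same user and password that differ only in the salt and hash portion, and both verify; pasting either line into the other machine's /etc/shadow would verify there too, since nothing machine-specific enters the computation.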