04-29-2004, 11:00 AM   #1
jwolter0
Shadow passwords different on each machine (Fedora Core 1)


I'm setting up a small compute cluster and am looking to have a simple password management system for my users. A colleague of mine uses a really simple scheme under Red Hat 7.3: when a user changes his/her password on the master node, an automated script copies the /etc/shadow file to all the worker nodes. However, based on my (limited) experience with Fedora Core 1, I don't think this will work for me. I'm finding that the ciphertext in my /etc/shadow files is different on each machine for the same password. Is there a difference in the way shadow passwords are implemented between the two distros? Is there a setting I can alter? Any other advice?

TIA,
John
 
04-30-2004, 02:26 AM   #2
320mb
Re: Shadow passwords different on each machine (Fedora Core 1)

Quote:
Originally posted by jwolter0
A colleague of mine uses a really simple scheme under Red Hat 7.3: when a user changes his/her password on the master node, an automated script copies the /etc/shadow file to all the worker nodes.

TIA,
John

well think of it like this..........
if someone "r00ted" one box on your "network"
if /etc/shadow was the same on all your boxes......
the rest of them could be r00ted also............

your colleague might regret his set up at some future point
in time........!!
 
04-30-2004, 01:33 PM   #3
chort
Yes, there's a difference. I think RH 7.3 used DES to encrypt the passwords. Newer RH's use MD5, as far as I can tell. There's also a per-machine "salt", so the result is that each machine will hash the same password differently.
 
04-30-2004, 01:59 PM   #4
jwolter0
Thanks for the info!

Anyone have any suggestions for managing passwords for the same user account on a large number of machines? I don't want to make my users change their password manually on 20+ different machines.
 
04-30-2004, 04:33 PM   #5
Blinker_Fluid
Quote:
Originally posted by jwolter0
Thanks for the info!

Anyone have any suggestions for managing passwords for the same user account on a large number of machines? I don't want to make my users change their password manually on 20+ different machines.

There is always NIS...

I've actually seen people copy /etc/passwd, /etc/shadow, and /etc/group to multiple machines to sync up the passwords (mostly Redhat 7.3 or Redhat 8, 9). However, there are differences in the passwords between 7.3 and 8, so you can't copy a shadow file from a 7.3 box to an 8 box or you lose things like SSH. As long as all the machines are the same version I think it will work.
When in doubt back them up before doing it...
 
05-02-2004, 05:38 AM   #6
chort
I seriously doubt that two machines will be able to share the same shadow file, for the reason I mentioned above (machine specific "salt" value), but you're welcome to try and report the result.

Kerberos is a rather popular option for synchronizing authentication for multiple machines. I believe OpenLDAP can also be used in a similar manner. NIS(+) is pretty horrible in my opinion and should be avoided if possible.
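
An added example, not part of any post in this thread: a small audit script that reads the hash field of /etc/shadow entries from two hosts, identifies the crypt(3) scheme (traditional DES, `$1$` MD5, and, going beyond the thread, `$5$`/`$6$` SHA-crypt) together with the salt stored in the field, and reports why a user's entries match or differ. The function names and both sample files are constructed for illustration; the salts and hashes are placeholders, not real crypt(3) output.

```python
# Constructed sample data: placeholder salts/hashes, not real crypt(3) output.
MASTER = """\
root:$1$saltAAAA$constructedHashValue01:12537:0:99999:7:::
alice:$1$saltBBBB$constructedHashValue02:12537:0:99999:7:::
bob:$1$saltCCCC$constructedHashValue03:12537:0:99999:7:::
carol:$1$saltDDDD$constructedHashValue04:12537:0:99999:7:::
"""
WORKER = """\
root:$1$saltAAAA$constructedHashValue01:12537:0:99999:7:::
alice:$1$saltXXXX$constructedHashValue05:12537:0:99999:7:::
bob:abCONSTRUCTED:12537:0:99999:7:::
carol:$1$saltDDDD$constructedHashValue06:12537:0:99999:7:::
"""

MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
DES_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

def classify(field):  # -> (scheme, setting); setting = scheme id + salt as stored
    if not field or field[0] in "!*":
        return ("locked-or-empty", None)
    ident = field.split("$")[1] if field.startswith("$") else None
    if ident in MODULAR and field.count("$") >= 3:
        return (MODULAR[ident], field.rsplit("$", 1)[0])  # e.g. "$1$saltAAAA"
    if ident is None and len(field) == 13 and set(field) <= DES_CHARS:
        return ("des-crypt", field[:2])  # traditional DES: 2-character salt prefix
    return ("other", None)

def parse(shadow_text):
    """Map user -> hash field (second colon-separated field of each line)."""
    return dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)

def compare(master_text, worker_text):
    """Explain, per shared user, why two hosts' hash fields match or differ."""
    a, b = parse(master_text), parse(worker_text)
    report = {}
    for user in sorted(a.keys() & b.keys()):
        (sa, seta), (sb, setb) = classify(a[user]), classify(b[user])
        if a[user] == b[user]:
            report[user] = "identical"
        elif sa != sb:
            report[user] = f"scheme differs ({sa} vs {sb})"
        elif seta is None:
            report[user] = "not comparable"
        elif seta != setb:
            report[user] = "salt differs"
        else:
            report[user] = "same scheme and salt, different password"
    return report
```

Entries reported as `des-crypt` are the ones worth migrating first, since traditional DES crypt only uses the first eight characters of the password.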
 
  

