Shadow passwords different on each machine (Fedora Core 1)
I'm setting up a small compute cluster and am looking to have a simple password management system for my users. A colleague of mine uses a really simple scheme under Red Hat 7.3: when a user changes his/her password on the master node, an automated script copies the /etc/shadow file to all the worker nodes. However, based on my (limited) experience with Fedora Core 1, I don't think this will work for me. I'm finding that the ciphertext in my /etc/shadow files is different on each machine for the same password. Is there a difference in the way shadow passwords are implemented between the two distros? Is there a setting I can alter? Any other advice?
Re: Shadow passwords different on each machine (Fedora Core 1)
Quote (originally posted by jwolter0):
A colleague of mine uses a really simple scheme under Red Hat 7.3: when a user changes his/her password on the master node, an automated script copies the /etc/shadow file to all the worker nodes.
TIA,
John
well think of it like this..........
if someone "r00ted" one box on your "network"
if /etc/shadow was the same on all your boxes......
the rest of them could be r00ted also............
your colleague might regret his set up at some future point
in time........!!
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Yes, there's a difference. I think RH 7.3 used DES to encrypt the passwords. Newer RH's use MD5, as far as I can tell. There's also a per-machine "salt", so the result is that each machine will hash the same password differently.
Anyone have any suggestions for managing passwords for the same user account on a large number of machines? I don't want to make my users change their password manually on 20+ different machines.
Quote (originally posted by jwolter0):
Thanks for the info!
Anyone have any suggestions for managing passwords for the same user account on a large number of machines? I don't want to make my users change their password manually on 20+ different machines.
There is always NIS...
I've actually seen people copy /etc/passwd, /etc/shadow, and /etc/group to multiple machines to sync up the passwords (mostly Red Hat 7.3 or Red Hat 8, 9). However, there are differences in the passwords between 7.3 and 8, so you can't copy a shadow file from a 7.3 box to an 8 box or you lose things like SSH. As long as all the machines are the same version I think it will work.
When in doubt, back them up before doing it...
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
I seriously doubt that two machines will be able to share the same shadow file, for the reason I mentioned above (machine specific "salt" value), but you're welcome to try and report the result.
Kerberos is a rather popular option for synchronizing authentication for multiple machines. I believe OpenLDAP can also be used in a similar manner. NIS(+) is pretty horrible in my opinion and should be avoided if possible.
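An added example, not code from any poster in this thread: in the crypt(3) format used in /etc/shadow, the salt is stored inside the password field itself and is generated when the password is set, so verification re-hashes with the salt read back from the field. The sketch below re-implements md5-crypt (`$1$`) with hashlib and classifies a field as DES or MD5 style; the two node entries, the second salt and the function names are constructed for illustration.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes) -> str:
    """md5-crypt ($1$): returns the full field, salt included."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    buf = password + b"$1$" + salt
    for n in range(len(password), 0, -16):
        buf += alt[:min(16, n)]
    n = len(password)
    while n:
        buf += b"\0" if n & 1 else password[:1]
        n >>= 1
    final = hashlib.md5(buf).digest()
    for i in range(1000):  # fixed number of stretching rounds
        c = password if i & 1 else final
        if i % 3:
            c += salt
        if i % 7:
            c += password
        c += final if i & 1 else password
        final = hashlib.md5(c).digest()
    out = ""
    for x, y, z in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[x] << 16 | final[y] << 8 | final[z]
        out += "".join(ITOA64[v >> s & 0x3F] for s in (0, 6, 12, 18))
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return "$1$" + salt.decode() + "$" + out

def parse_field(field: str):
    """Classify a shadow password field and return (scheme, salt)."""
    if field.startswith("$"):
        _, ident, salt, _ = field.split("$", 3)
        return {"1": "md5-crypt"}.get(ident, "other:" + ident), salt
    if len(field) == 13:
        return "des-crypt", field[:2]  # traditional crypt: first 2 chars are the salt
    return "locked-or-empty", ""

def verify(password: str, field: str) -> bool:
    scheme, salt = parse_field(field)
    if scheme != "md5-crypt":
        raise ValueError("only $1$ is re-implemented in this example")
    # Re-hash with the salt taken from the stored field, then compare
    return hmac.compare_digest(md5_crypt(password.encode(), salt.encode()), field)

NODE_A = md5_crypt(b"password", b"xxxxxxxx")  # constructed entry, node A
NODE_B = md5_crypt(b"password", b"Zq3/w8Lk")  # same password set on node B
```

The two fields differ as text, yet `verify` accepts the password against either one because each carries its own salt.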