I need a program to sync passwords on all our linux boxes on network

tedcreyn · 05-29-2012, 05:10 PM

Is there such a program? All I need for it to do is make sure that when a user has changed their password on one box it propagates to all others. I do not need it to provide authentication on the network. I also don't mean a password manager that just helps folks remember their passwords. I just need it to sync the passwords.

Kustom42 · 05-29-2012, 05:43 PM

This is one feature that Windows has over Linux for ease of use. Look at standing up a single windows box as a domain controller, then setup ldap or winbind to query against the domain controller for the password. That way no passwords are stored locally and any updates are realized immediately by your systems on the network. Besides that the only thing I could think of would be a cron job or something similar to do a copy of the /etc/shadow file.

chrism01 · 05-29-2012, 07:34 PM

Actually, Linux provides OpenLDAP; no need for MSWin box.
Try http://www.linuxhomenetworking.com/w...DAP_and_RADIUS (ignore refs to RADIUS) & Chap 24 of http://www.linuxtopia.org/online_boo...ion/index.html

frankbell · 05-29-2012, 08:43 PM

Another alternative to look at might be Cluster SSH. I've never had occasion to use it, but I've heard it highly recommended by a Linux sysadmin.

tedcreyn · 05-30-2012, 11:37 AM

Thanks folks, but setting up LDAP seems a bit of an overkill. We don't wan't single sign on, we just need to make sure that the users passwords are propagated to all other ubuntu boxes when it is changed on one of them. Is there anything other than LDAP for such a requirement?

jlinkels · 05-30-2012, 06:16 PM

In the end, synchronizing clients is much more complicated than centralized login. I find NIS simpler than LDAP, but I am lazy, and I should have looked into LDAP.

Think about something similar: users have a home directory where they store their files. What would be easier, to create a central shared disk, of keep all the home directories on the clients in sync in one or another way?

jlinkels

chrism01 · 05-30-2012, 06:51 PM

NIS is certainly simpler, but its plaintext only, OpenLDAP has the TLS option

I believe that even in Solaris (SUN wrote NIS), people are moving away from NIS.

The classic soln used to be NIS for auth and NFS for home disks as jlinkels hinted.

Refractor · 05-31-2012, 03:07 AM

One can change password with

Code:

echo -e "OLDPASSWORD\nNEWPASSWORD\nNEWPASSWORD | passwd"

If it's the root user just cut out the OLDPASSWORD\n part.
Knowing this, one can write a wrapper script like

Code:

#!/bin/bash

HOSTS=('10.0.0.1' '10.0.0.2' '10.0.0.3')

if [[ $(whoami) != "root" ]]; then
read -p "Old password: " -s OLDPASSWD; echo
read -p "New password: " -s NEWPASSW1; echo
read -p "Retype password: " -s NEWPASSW2; echo
NONROOT=1
else
read -p "Username: " -s CHPWUSER; echo
read -p "New password: " -s NEWPASSW1; echo
read -p "Retype password: " -s NEWPASSW2; echo
fi

echo "Updating local password: "

if [[ "$NONROOT" == 1 ]]; then echo -e "$OLDPASSWD\n$NEWPASSW1\n$NEWPASSW2" | passwd;
else echo -e "$NEWPASSW1\n$NEWPASSW2" | passwd $CHPWUSER;
fi

echo "Updating remote hosts: "
if [[ "$NONROOT" == 1 ]]; then
for host in ${HOSTS[@]}; do
echo "Changing password on $host";
#ssh $host 'echo -e "$OLDPASSWD\n$NEWPASSW1\n$NEWPASSW2" | passwd';
done
else
for host in ${HOSTS[@]}; do
echo "Changing password on $host";
#ssh root@$host 'echo -e "$NEWPASSW1\n$NEWPASSW2" | passwd $CHPWUSER';
done
fi

Hope this helps.

/jarv · 02-14-2020, 07:09 AM

This script doesn't work since the env variables will not be present in the session running on the the remote host during the ssh - try it out and you'll see.

pan64 · 02-14-2020, 09:51 AM

But:

Code:

 echo string | ssh host passwd

may work

/jarv · 02-14-2020, 11:07 AM

Yes indeed the adjustment works.

I added the -q to suppress motd

echo -e "$OLDPASSWD\n$NEWPASSW1\n$NEWPASSW2" | ssh -q $host passwd

works a treat