Linux - Software
This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
It's a common headache for any enterprise which has a boatload of Linux servers: trying to change passwords across all machines. Inevitably the passwords go out of sync because they expire on different dates, and you end up spending the whole day changing passwords across all your servers. I'm looking for something that will allow me to change passwords in one server/website/location and have it propagate the password across all servers connected to that tool.
I searched the forums and found some discussion on this topic from several years ago, but the environment has changed and new tools have hit the market. So I thought I'd stir the pot again and see if opinions have changed.
The simplest solution to me seems like OpenLDAP or Windows AD. SSH key based authentication takes care of the access issue but still doesn't solve the password change problem. We also use Thycotic Secret Server in our environment. It can work with SAML as the back end tool. It gives you a nice web front end to manage passwords and uses SAML to propagate passwords to all connected apps. But SAML seems like something designed for web based applications and not local users on Linux servers.
Appreciate any help or guidance you folks can provide.
NIS has security issues that scare corporate clients. It never gets approved.
Then they'd have problems with pretty much ANY large-scale system like this. OpenLDAP is in the same boat with NIS. If you want to use SAML, I've seen things that say you CAN do it, but it may not be too pleasant.
You reference SSH key based authentication...so if you have a root/SUDO user that has keys swapped on all your servers, a fairly simple script could just go through and run something like
Code:
echo -e "password\npassword" | passwd someuserid
Just pass the new password and a user ID as command-line parameters to your shell script, and have it loop through a list of server IP addresses. Change passwords for a user all at once. Or even just run "passwd -e someuserid" instead, and just expire the user's password, which will force THE USER to change their own password(s) everywhere.
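One way to script the loop this reply describes, as an added example that is not the poster's script: it keeps the new password off the command line (where the `echo -e "password\npassword"` form leaves it visible in `ps` output and in shell history) by reading it once from stdin and feeding `chpasswd` over the SSH channel, and it includes the `passwd -e` expire-only variant mentioned above. It assumes key-based SSH as an account with passwordless sudo on every host, a hypothetical `hosts.txt` with one host per line, and that `chpasswd` exists on each host; `SSH_BIN` is an assumed override hook so the loop can be dry-run against a fake.

```shell
#!/bin/sh
# Added example (not from the thread): push one account's new password to a
# list of hosts over SSH without ever putting the secret on a command line.
set -eu

# Program used to reach each host. Overridable (e.g. SSH_BIN=fake_ssh) so the
# loop can be exercised without real connections. Assumes key-based ssh.
SSH_BIN="${SSH_BIN:-ssh}"

# Print the hosts in file $1, one per line, skipping blank lines and '#' comments.
# (hosts.txt is an assumed format: one hostname or IP per line.)
read_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# Set a password on host $1: the "user:password" line arrives on OUR stdin
# and is forwarded to chpasswd's stdin on the remote side. Nothing secret
# appears in argv on either machine, so ps/history never see it.
set_password_on_host() {
    host="$1"
    "$SSH_BIN" -o BatchMode=yes -o ConnectTimeout=10 "$host" 'sudo -n chpasswd'
}

# Expire user $1's password on host $2 (the "passwd -e" alternative): no secret
# is transmitted at all; the user is forced to pick a new one at next login.
expire_on_host() {
    user="$1"; host="$2"
    "$SSH_BIN" -o BatchMode=yes -o ConnectTimeout=10 "$host" \
        "sudo -n passwd -e '$user'" </dev/null
}

# Rotate user $1's password on every host listed in file $2. The new password
# is read from stdin (pipe it from a secret store or a silent prompt). Prints
# "host OK" / "host FAIL" per host; the return value is the number of failures.
rotate_password() {
    user="$1"; hostfile="$2"; failures=0
    IFS= read -r secret
    # Word-splitting on the host list is fine: hostnames contain no whitespace.
    for host in $(read_hosts "$hostfile"); do
        if printf '%s:%s\n' "$user" "$secret" | set_password_on_host "$host"; then
            echo "$host OK"
        else
            echo "$host FAIL"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone use:  ./rotate.sh someuserid hosts.txt
# Interactive runs prompt with echo off; non-interactive runs take the password
# from stdin, e.g.  secret-store get someuserid | ./rotate.sh someuserid hosts.txt
if [ "$#" -ge 2 ]; then
    if [ -t 0 ]; then
        printf 'New password for %s: ' "$1" >&2
        stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
        printf '%s\n' "$pw" | rotate_password "$1" "$2"
    else
        rotate_password "$1" "$2"
    fi
fi
```

The per-host status lines give you an audit trail of which machines actually took the change, which the one-liner in the reply does not; a non-zero count of failures is the signal to go fix the stragglers before the next expiry date drifts them out of sync again.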
Quote:
You reference SSH key based authentication...so if you have a root/SUDO user that has keys swapped on all your servers, a fairly simple script could just go through and run something like
Code:
echo -e "password\npassword" | passwd someuserid
I'm doing something similar right now, but trying to get away from it as it requires a lot of manual work. I feel some sort of centralized authentication will be much more manageable. Ideally a combination of NIS+ with a password safe is perfect.
Quote:
I'm doing something similar right now, but trying to get away from it as it requires a lot of manual work.
Should only have to set it up once, so yes there would be manual work up front, same with installing ANY tool.
Quote:
I feel some sort of centralized authentication will be much more manageable. Ideally a combination of NIS+ with a password safe is perfect.
Centralized is fine, but you mentioned that 'they' have problems with NIS from a security standpoint. ANY centralized solution would be vulnerable, including LDAP, NIS, or whatever. Only suggested a script because you mentioned 'they' had concerns about NIS security.
You know the environment better; just offering suggestions based on what you posted.
Pragmatically speaking, every enterprise has some form of central authority for authentication and authorization ... and it's probably also what causes your badge to be authorized when you swipe it or tap it at the front door while trying to balance your coffee cup. LDAP, MS-OpenDirectory, and Kerberos are common tools that are used for this purpose.
Users can thus "single sign-on" to any computer that they are authorized to use, and they can reach intranet web and other applications without being further challenged, because "they already know who you are, and that you are that person, and what you're permitted to do." The corporate security staff can manage this centrally. And security auditors can demonstrate that there are no "holes," to maintain compliance with laws.