[HPADM] Re: Summary: Question about trusted systems and passwords

From: RAnderson@sealy.com
Date: Wed Sep 11 2002 - 09:50:14 EDT


Thanks to Ryan (since he was first) and everyone else for their responses.
Here was the original question:

Hi admins,

Here is the situation. I have a system (V2200) that is trusted and the
passwords are set to expire every so often. I have a second system (N4000)
that will be a backup for this machine in case of some disaster. How
would I keep the passwords synchronized so that in the event of a disaster
my users would be able to use the same password as they did on the original
machine? Are there certain files that I could copy over on a regular basis
to keep them in sync? Ignite-UX won't work from a V2200 to the N4000 or I
would go that route.

Any help would be appreciated.

Most of the response said to copy the /etc/passwd and /etc/group files
along with everything under /tcb/files/auth/*. A few people mentioned
using rdist to accomplish this on regular basis. I'm going to look into
this as well.

Here are some other notable responses from Andy Cranston and Alan
Marillier.

From Alan:

Not true that Ignite will not work! You can tell Ignite to create a LIF
volume that includes all the boot images INSTALL, WINSTALL and VINSTALL.
That way it can boot to any other platform. I frequently Ignite from Vs to
Ns, Ls, Ds etc. and I have done the reverse. I was told that I could not
ignite a K to an N, and I've done that too - provided the OS version is
capable of running on the target system - i.e. the K can not be running
10.20, as an N can only run 11.00 64 bit. However, igniting frequently is
overkill.

As for syncing passwords - assuming that all you want to do is sync
passwords, you can:
a) use a security package like CA's eTrust
b) use NIS
c) copy the files /etc/passwd, /etc/group and all of /tcb. Note that this
will not give you the user home directories - but you can write a script
that parses /etc/passwd and checks to see if the

From Andy:

Hello Ron,

I would consider writing a wrapper to the passwd command which asked the
same questions and then calls the real passwd to change the user password as
required but then also logs the new clear text password somewhere. Note
that this "somewhere" would have to be kept very secure. Then at the end of
each day any password changes could be automatically transferred to the
N4000 system and the root user could call the passwd command to assign the
various changed passwords. A sort of poor person's "do it yourself" NIS for
passwords only.

You will need a way to call the real passwd from a script and I would
suggest using the expect command with a suitable expect script such as:

    http://www.readout.fsnet.co.uk/projects/passwdreset/index.htm

Another method (and this would look rather cool :-) would be to take my CGI
password setting HTML page:

    http://www.readout.fsnet.co.uk/projects/cgipasswd/index.htm

and then make some changes so the password update is not just sent to the
host machine running the CGI script but also to the standby machine. Not
sure how to put the second forms request together in the HTML but I'm sure
it must be possible.

However, bear in mind that these ideas will result in cleartext passwords
being held in potentially insecure places and/or cleartext passwords
travelling across your LAN. The fact that the V2200 is running in trusted
mode indicates to me that your computer security people might hit the roof
if you implement these ideas, but maybe there is a way to "harden up" these
ideas that I'm not aware of (and me not being aware of things is a highly
probable scenario :-)

Hope these ideas help.

Regards,

Andy Cranston.

Thanks again for everyone's responses.

Ron Anderson
Senior Unix Administrator
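Putting the file-copy approach from the summary into a script, as an added example that is not from the thread or any poster's project: it stages /etc/passwd, /etc/group and /tcb/files/auth into a checksummed archive on the primary, and on the standby refuses to install unless the archive verifies, keeping a rollback copy of the standby's current files. The script name sync_trusted_auth.sh and the /var/tmp/auth-sync staging path are assumptions; moving the staging directory between the two machines (rdist, as several replies suggested) is left to the site.

```shell
#!/bin/sh
# Added example, not a script from the thread: stage the files the replies name
# (/etc/passwd, /etc/group, /tcb/files/auth) into a checksummed archive on the
# primary, then verify and unpack it on the standby with a rollback copy.
# SRC and DST are root directories (normally "/") so the same functions can be
# exercised against a scratch tree without touching the real trusted database.

# stage_auth SRC STAGE: archive SRC/etc/passwd, SRC/etc/group, SRC/tcb/files/auth
stage_auth() {
    src=$1; stage=$2
    mkdir -p "$stage" || return 1
    # Run tar from the source root so archive paths are relative to "/".
    ( cd "$src" && tar cf "$stage/auth.tar" etc/passwd etc/group tcb/files/auth ) || return 1
    # Record CRC and size so the standby can detect a truncated or altered copy.
    cksum "$stage/auth.tar" | awk '{print $1, $2}' > "$stage/auth.tar.cksum"
}

# verify_and_install STAGE DST: refuse (return 1, DST untouched) on checksum
# mismatch; otherwise keep DST's current copies and unpack the archive.
verify_and_install() {
    stage=$1; dst=$2
    expected=$(cat "$stage/auth.tar.cksum")
    actual=$(cksum "$stage/auth.tar" | awk '{print $1, $2}')
    if [ "$expected" != "$actual" ]; then
        echo "auth.tar checksum mismatch ($actual != $expected); not installing" >&2
        return 1
    fi
    backup="$dst/var/tmp/auth-prev.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" "$dst/etc" "$dst/tcb/files" || return 1
    # Rollback copy of whatever the standby holds now (nothing on first sync).
    for p in etc/passwd etc/group tcb/files/auth; do
        [ -e "$dst/$p" ] && cp -pR "$dst/$p" "$backup/"
    done
    # Run as root on the real system so tar restores the TCB owners and modes.
    ( cd "$dst" && tar xf "$stage/auth.tar" )
}

# Usage (assumed script name):
#   sync_trusted_auth.sh stage / /var/tmp/auth-sync     on the V2200
#   sync_trusted_auth.sh install /var/tmp/auth-sync /   on the N4000, after the
#   staging directory has been transferred (e.g. with rdist)
case ${1:-} in
    stage)   stage_auth "$2" "$3" ;;
    install) verify_and_install "$2" "$3" ;;
esac
```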
----- Forwarded by Ron Anderson/us/Sealy on 09/11/2002 09:41 AM -----

From: Ryan <rmkk@bellsouth.net>
To: RAnderson@sealy.com
cc:
Subject: Re: [HPADM] : Question about trusted systems and passwords
Date: 09/10/2002 04:01 PM

All the user password information and the security settings are stored in

/tcb/files/auth/*

If you check out this level, you will see directories A-z and system.
Copy these or the contents of the subdirectories or individual user
files to the N server.

ryan

--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
 
 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:19 EDT