What options are available for Synchronizing Passwords between load balanced servers?
https://stackoverflow.com/questions/675823
-
21-08-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
We have several UNIX machines you can wind up with when you telnet to a certain box. The passwd files are not on a shared mount (I am not sure how safe it is to mount them anyway). The end result is that if you change your password on one box that when you login to the second box it will tell you that your password is invalid. This makes no sense to the end user since they typed telnet servername in both instances. Any pragmatic experience, advice, or pointers to help resolve this situation?
ENVIRONMENT CONTAINS
- AIX 5.3, 5.2, 5.1, 4.3
- HP 11 11.11 11.23 11.23I
- Sun 10
- Linux
UPDATE:
I am considering disabling passwd on all boxes except for one. passwd could then be a remote call to the controling password server or tell the user explicitly which machine to go to in order to change their password.
UPDATE:
The IBM product does look interesting has anyone had experience with Centrify to speak about?
Thoughts?
Solution
One option would be to move from telnet to ssh, and use ssh keys instead of passwords. SSH keys tend to change less often than passwords(the user can change the private key's passphrase without touching the remote server), and the public key usually lives in the user's home directory, which you can put on a shared mount (presumably what you already do).
This will make your environment more secure, in addition to solving your synchronization problem. The downside is that the overhead might be slightly higher in setting up each new user, as you need to have them create a key pair and send the public key to an admin who can place it in their home directory for them.
OTHER TIPS
Why not use LDAP since it was designed to do just that and even more?
If you have more than one UNIX server, you probably want to have one set of passwords and one set of accounts across all of them. Depending on which kind of UNIX this is, you may want to use nis or nis+ or some other native-to-that-UNIX solution to keep passwords centrally managed.
The LDAP answer was good!
You could try NIS+ from sun. The server/admin piece lives on a Solaris box but it has clients for most *nix boxen. This automagically syncs passwords, userids, groups and access rules over groups of servers.
Another option (but only if your boss has big budget!) is Tivoli Federated Identity Manager from IBM. Which either syncs passwords - or - switches user id and password as you pass between boxes.
