Syncing user accounts across multiple servers

There are two popular approaches:

  • You either set up central authentication (LDAP, NIS).
  • You set up a configuration management system (Puppet, Chef, CFEngine, shell script) to automatically create accounts and configure the environment on all your managed systems.

Central authentication systems are good when the systems are all under the control of the same organization. It tends to be necessary when you have lots of users, and when you will need to use the authentication for many things beyond just logging in.

The configuration management way is good if you generally just need to set up a small number of remote admin accounts and service accounts.


For smaller/simpler deployments, a project called Internet Account Replication (IAR) could help. It has a simple server-client architecture and synchronises the credentials using SSH.


I would also add to Zoredache's answer that NIS is not the way to go for anything used by more than a few people or including any public access. There are quite a few quirks to NIS and it's very easy to introduce significant security risk to NIS.

I've seen implementations where the password hashes are included in the passwd user mappings.

It's also rather easy to inject a malicious server onto an NIS network that is broadcasting. Especially hazardous with the password hashes included in the passwd map. Install an Ubuntu box, "apt-get install nis", and you're in and can get a list of users on the network.
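
A check for the exposure described in the answer above, as an added example that is not part of the original posts: it reads a passwd map in passwd(5) format, such as the output of `ypcat passwd`, and reports accounts whose password field carries a hash or is empty. The sample map, account names and hash strings are constructed.

```python
import re
import sys

# Constructed sample in passwd(5) format, as `ypcat passwd` would print it.
SAMPLE_MAP = """\
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:$6$constructedsalt$Zm9vYmFyYmF6cXV4Zm9vYmFy:1002:1002:Bob:/home/bob:/bin/bash
carol:abJnggxhB/yJs:1003:1003:Carol:/home/carol:/bin/sh
svc_backup:*:990:990::/var/backup:/usr/sbin/nologin
dave:!$6$constructedsalt$Zm9vYmFyYmF6cXV4:1004:1004:Dave:/home/dave:/bin/bash
erin::1005:1005:Erin:/home/erin:/bin/bash
+::::::
"""

MODULAR = re.compile(r"^\$[0-9a-z]+\$")    # $1$, $5$, $6$, $2b$, $y$ prefixes
DES = re.compile(r"^[./0-9A-Za-z]{13}$")   # traditional 13-character crypt(3)

def classify(pw_field):
    """Classify field 2 of a passwd entry."""
    if pw_field == "":
        return "empty"                     # no password required at all
    if pw_field in ("x", "*", "!", "!!"):
        return "no-hash"                   # shadowed or locked placeholder
    candidate = pw_field.lstrip("!*")      # a lock prefix still leaves the hash readable
    if MODULAR.match(candidate) or DES.match(candidate):
        return "hash-exposed"
    return "unknown"                       # report for manual review

def audit(map_text):
    """Return (user, finding) for every entry that is not a plain placeholder."""
    findings = []
    for line in map_text.splitlines():
        if not line or line[0] in "+-#":   # skip compat entries and comments
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append((fields[0], "malformed"))
            continue
        status = classify(fields[1])
        if status != "no-hash":
            findings.append((fields[0], status))
    return findings

if __name__ == "__main__":
    # Pipe a real map in (ypcat passwd | python3 this_file.py) or run on the sample.
    text = SAMPLE_MAP if sys.stdin.isatty() else sys.stdin.read()
    for user, finding in audit(text):
        print(f"{user}: {finding}")
```

Any "hash-exposed" line means every client that can bind to the domain can read that hash; a locked account (the `!` prefix) is still reported because the hash itself remains in the map.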