Name

UNIX Password, Roles & Node Management: Basic Overview


Basic Overview

What is this?

UNIX Password, Roles & Node Management (or just Password Management, as it is more commonly called) is a collection of perl5 scripts and modules that automate the creation and transfer of passwd(4), shadow(4), and sudoers(5) files to one or more nodes. In addition to basic role-based user management, it provides a common HTTP-based, REST-style API that lets you programmatically access everything there is to know about a node or group of nodes.

Why would I use Password Management?

If you find yourself in a situation similar to the following, then you might benefit greatly from using Password Management:

No Naming System
Password Management was originally developed in part to overcome a ``production'' limitation: the NIS installation was not allowed to extend onto production nodes, yet the users still had to exist on those nodes. Replicating the users from NIS into node-local passwd(4) files seemed like the right answer at the time.

OS Heterogeneous Environment
Password Management can create files for just about any SysV-based UNIX system. Another of its original requirements was that it update both Solaris systems (which made up about 70% of the total population) and Linux-based systems. That ruled out any single-vendor mechanism (such as Solaris RBAC) for installing and managing users. Later the requirement grew to include the asynchronous console servers used for out-of-band management (also Linux-based, but not full-fledged systems).

Existing user database
Password Management is of little use unless you already have a user system in place that it can query; NIS, NIS+, or Active Directory are good examples, and even a static passwd(4)-style map will do. It is important to note that Password Management will not create a system to manage users for you; that is not its purpose, and it is unlikely ever to evolve into such a beast. Password Management fulfills the need to quickly and reliably install users from your central user system onto N nodes (where N may be a very large number).

No existing inventory system
Password Management works from a list of nodes. This ``inventory'' must be authoritative from Password Management's perspective in order for things to function smoothly. If an inventory system is already in place (anything from a spreadsheet to a custom Remedy installation), expect the two lists to drift apart and cause confusion later down the line.

Why might I not use Password Management?

If you've already got an installed system for replicating out user accounts, and you're comfortable with it, then (from an operational view) I don't advocate switching.

If you're running a centralized user system (like NIS) and it extends onto the nodes you're planning to manage with Password Management, then you absolutely should not use this software. (As always, there are exceptions, and they'll most likely be covered somewhere in this documentation, but you might be asking for more trouble than it's worth.)

Is it safe?

I certainly think so! It has been in use for over 4 years at Covad and gets better with each iteration. At last count Password Management indexes over 950 individual nodes in ``active'' inventory (plus a few dozen in ``inactive'' inventory) and manages the user installation on each one of them. Great pains have been taken to ensure that updates are atomic and non-destructive, turning what used to be a management nightmare into an afterthought on which almost all of Covad's production systems tools and services are built. If you keep all your configuration under a revision control system, you also have an easy rollback method in case you add or remove a login on a node by mistake.

Is it secure?

That's a pretty open-ended question. It breaks down as follows:

Communication
All communication between the Password Management instance and the nodes it works on, including file transfer, is done via SSH. The HTTP API can be SSL-encrypted with httpd.

Password data
Password Management assumes that whatever is your authoritative source for user account data (usernames, uids, passwords) will only pass back hashed or encrypted passwords (for example crypt(3c) DES or MD5-based crypt hashes). It never sees a cleartext password, so it has no idea what a user's password actually is. That assumption is worth enforcing at the boundary: an entry whose password field is not in a recognized crypt(3c) form should be rejected rather than written out to a node.
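The two points above, atomic and non-destructive file updates (under ``Is it safe?'') and accepting only already-hashed password data, can be shown together in one worked example. This is an added illustration, not code from Password Management: the sample shadow(4) entries, the scratch directory, and the helper names (password_field_ok, check_shadow, install_atomically) are all constructed here.

```perl
#!/usr/bin/perl
# Added example, not part of Password Management: validate a generated
# shadow(4) file and install it atomically.  The sample entries and the
# temporary target directory are constructed for illustration; real use
# would target /etc/shadow on the node.
use strict;
use warnings;
use IO::Handle;
use File::Temp qw(tempdir);
use File::Copy qw(copy);

# The password field must already be a crypt(3c) hash or an explicit lock:
#   traditional DES:   13 chars from [./0-9A-Za-z]
#   modular crypt:     $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512), optional rounds=
#   locked/no-login:   anything starting with '*' or '!', or Solaris 'NP'
# Empty fields (passwordless login) and anything else are rejected, so a
# source that leaks a plaintext password never makes it onto a node.
sub password_field_ok {
    my ($pw) = @_;
    return 1 if $pw =~ /^[*!]/ || $pw eq 'NP';
    return 1 if $pw =~ m{^[./0-9A-Za-z]{13}$};
    return 1 if $pw =~ m{^\$(?:1|5|6)\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]+$};
    return 0;
}

# Returns a list of problems; an empty list means the file is installable.
sub check_shadow {
    my @lines = @_;
    my (@problems, %seen, $saw_root);
    for my $i (0 .. $#lines) {
        my $n = $i + 1;
        my @f = split /:/, $lines[$i], -1;        # -1 keeps trailing empty fields
        if (@f != 9) { push @problems, "line $n: expected 9 fields, got " . scalar @f; next; }
        my ($user, $pw) = @f[0, 1];
        push @problems, "line $n: bad user name '$user'" unless $user =~ /^[a-z_][a-z0-9_-]*\$?$/;
        push @problems, "line $n: duplicate user '$user'" if $seen{$user}++;
        push @problems, "line $n: password field for '$user' is not a hash or lock" unless password_field_ok($pw);
        $saw_root = 1 if $user eq 'root';
    }
    push @problems, 'no root entry: refusing to install' unless $saw_root;
    return @problems;
}

# Write to a temp file in the same directory (so rename(2) is atomic and
# never crosses filesystems), keep the previous file as "$path-", then
# rename over the target.  The target is never left truncated or partial.
# In production also chown the temp file to the platform's shadow owner
# and group before the rename.
sub install_atomically {
    my ($path, @lines) = @_;
    my $tmp = "$path.tmp.$$";
    my $old_umask = umask(077);
    open(my $fh, '>', $tmp) or die "open $tmp: $!";
    umask($old_umask);
    print $fh map { "$_\n" } @lines or die "write $tmp: $!";
    $fh->flush or die "flush $tmp: $!";
    $fh->sync  or die "fsync $tmp: $!";
    close($fh) or die "close $tmp: $!";
    chmod(0400, $tmp) or die "chmod $tmp: $!";
    if (-e $path) {
        copy($path, "$path-") or die "backup $path: $!";
    }
    rename($tmp, $path) or die "rename $tmp -> $path: $!";
    return 1;
}

# --- demonstration on constructed data in a scratch directory ---
my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/shadow";

my @good = (
    'root:$1$Xyz12345$AbCdEfGhIjKlMnOpQrStU.:13000:0:99999:7:::',   # MD5 crypt (sample)
    'alice:abJnggxhB/yWI:13000:0:99999:7:::',                        # DES crypt (sample)
    'svcacct:*LK*:13000::::::',                                        # locked (Solaris style)
);
my @bad = (@good, 'mallory:hunter2:13000:0:99999:7:::');                # plaintext leaked through

for my $set ([bad => \@bad], [good => \@good]) {
    my ($name, $lines) = @$set;
    my @problems = check_shadow(@$lines);
    if (@problems) {
        print "$name: NOT installed: $_\n" for @problems;
        next;
    }
    install_atomically($target, @$lines);
    print "$name: installed ", scalar(@$lines), " entries to $target\n";
}
```

Running it rejects the ``bad'' set because of mallory's plaintext field and installs the ``good'' set; a second run would find the first file already there and keep it as shadow- before the rename, which is the same kind of rollback point the revision-controlled configuration gives you on the management side.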

Limitations

Only UNIX-based systems are supported
...and only those that use shadow password files. (This excludes the *BSD systems, but only because support for their master.passwd file isn't in; in theory it would work just fine.)

SSH must be used as the transport mechanism
...and root must be able to authenticate via an SSH key. (This freaks a lot of people out; we probably won't be changing it anytime soon.) If you deploy such a key, restrict it in root's authorized_keys with a from= option naming the Password Management host and with no-port-forwarding, no-agent-forwarding and no-X11-forwarding, so that a copy of the key is useless from anywhere else. SSH protocols 1 and 2 are supported; protocol 2 is preferred, and since protocol 1 has known cryptographic weaknesses it should be disabled wherever the node's sshd allows it.

perl5 must be installed
...and it should be reasonably recent (5.8-ish) on the Password Management instance itself. We've had much success keeping the requirement for the individual nodes very low (I believe the lowest version in production is 5.005_03, or some such). It also needs to live in a consistent location on all nodes.

Tested Platforms

The following platforms have been fully tested. Anything else is, well, suspect:

Copyright

Major portions of this code project are:

 Copyright (C) 2002-2005 Covad Communications Group, Inc.

...without whom this would not exist.

All of this code project is:

 Licensed under the Apache License, Version 2.0 (the 
 "License"); you may not use this file except in compliance 
 with the License. You may obtain a copy of the License at 
 
     http://www.apache.org/licenses/LICENSE-2.0 
 
 Unless required by applicable law or agreed to in 
 writing, software distributed under the License is 
 distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 
 CONDITIONS OF ANY KIND, either express or implied. See 
 the License for the specific language governing 
 permissions and limitations under the License.

...except for the embedded Digest::Perl::MD5 code. See the Notice section below.

Notice

This software contains portions of the Digest-Perl-MD5-1.5 perl5 module, released 2000-09-19 by Christian Lackas, Imperia Software Solutions. The module, in its entirety, can be found via CPAN at

  http://search.cpan.org/~delta/Digest-Perl-MD5-1.5/

This software contains code derived from the RSA Data Security Inc. MD5 Message-Digest Algorithm, including various modifications by Spyglass Inc., Carnegie Mellon University, and Bell Communications Research, Inc (Bellcore). These portions are Copyright (C) 1991-1992 RSA Data Security Inc. Created 1991. All rights reserved.


See Also

perl(1), ssh(1), passwd(4), shadow(4), sudoers(5)


Author

Jonathan Gilbert <jong@jong.org>


Version

$Id: pwman_docs_basics.pod,v 1.2 2005/10/20 08:46:34 jgilbertsjc Exp $

