Posted by Steve on Thu 6 Apr 2006 at 09:14
In many small and medium sized companies there are a number of servers which have organically grown, with no directory management. I'm curious to know how people would handle adding users in this scenario.
Imagine a situation where you have 50 machines which are running Debian Sarge, and you wish to do two things to each system:
Doing this on one or two machines is trivial: just ask somebody with an account to ssh into each server and run useradd to add the user, then edit the /etc/sudoers file.
But what if you want to do the same thing for a lot of machines?
Assuming you have no SSH keys which will allow remote root logins from a trusted internal host how would you handle this situation?
I can think of several different approaches:
NIS is insecure across the internet. Internally, on a trusted LAN, it is simple, secure enough and well understood.
It would be possible to designate a single host as a master, then login to each host and set it up to fetch non-system accounts + passwords from the master.
This doesn't help much right now since you still have to login to each host, but it will make things easier in the future if the situation repeats itself.
It also doesn't help modify the sudoer setup.
We've covered using cfengine previously, and like NIS this has pros and cons.
On the downside, installing and configuring each host to be a CFEngine "slave" or "node" would require logging into each host. On the plus side, it would make the subsequent addition of users and configuration of sudo a trivial operation.
Rsyncing the password and shadow files, and the sudoers file too, could be done. But this seems fraught with danger if hosts have different system users available (e.g. some packages create a local user, and if those packages are installed on only some hosts then the files will not match).
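One way round the danger just described, as an added example that is not part of the original article: rather than copying the master's passwd and shadow files wholesale, carry over only the non-system accounts (UID 1000 and above, Debian's default range for ordinary users) and refuse any entry whose name or UID the receiving host already uses, so a package-created local user such as Debian-exim is never clobbered. The file paths are parameters, the sample passwd lines are constructed for the demo, and the UID threshold is an assumption you would set to match your own hosts.

```shell
#!/bin/sh
# Added example (not from the original article): merge a master host's
# non-system accounts into a local passwd/shadow pair without disturbing
# the local host's own system accounts. Paths are parameters so the
# functions can be tried on constructed sample files rather than /etc.

# Print LOCAL unchanged, then append master entries that are non-system
# and clash with neither a local name nor a local UID (clashes are
# reported on stderr and skipped; the local account always wins).
merge_passwd() {
    master="$1"; local_file="$2"; uid_min="${3:-1000}"
    awk -F: -v min="$uid_min" '
        FILENAME == ARGV[1] { name[$1] = 1; uid[$3] = 1; print; next }
        ($3 + 0) < min      { next }
        ($1 in name)        { next }
        ($3 in uid)         { printf "skip %s: uid %s already used locally\n", $1, $3 > "/dev/stderr"; next }
        { print }
    ' "$local_file" "$master"
}

# shadow(5) has no UID column, so take from the master only the names that
# merge_passwd actually added: present in MERGED_PASSWD but not in LOCAL_SHADOW.
merge_shadow() {
    master_shadow="$1"; local_shadow="$2"; merged_passwd="$3"
    awk -F: '
        FILENAME == ARGV[1] { want[$1] = 1; next }
        FILENAME == ARGV[2] { seen[$1] = 1; print; next }
        ($1 in want) && !($1 in seen) { print }
    ' "$merged_passwd" "$local_shadow" "$master_shadow"
}

# Constructed sample data: the master knows a new hire and a "bob" whose
# UID collides with the local "carol"; the local host has a package-created
# user (Debian-exim) and its own customised "alice".
demo_merge() {
    dir=$(mktemp -d)
    cat > "$dir/master.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postgres:x:104:108:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
newhire:x:1002:1002:New Hire:/home/newhire:/bin/bash
EOF
    cat > "$dir/local.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
alice:x:1000:1000:Alice Local:/home/alice:/bin/zsh
carol:x:1001:1001:Carol:/home/carol:/bin/bash
EOF
    merge_passwd "$dir/master.passwd" "$dir/local.passwd"
    rm -rf "$dir"
}
```

Running `demo_merge` prints the four local entries unchanged followed by `newhire` only: `postgres` is a system account, `alice` already exists locally, and `bob` is refused because UID 1001 belongs to `carol` on this host. The output is meant to be written to a temporary file and checked before being moved over the live files, and the same goes for the shadow merge.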
As a long shot: if each host is set up to automatically download new packages from a central location, it would be trivial to add a new-employee.deb package to that repository and ensure it was downloaded by modifying a standard package to depend upon it.
(This is similar to the custom packages I use to configure shell setup, etc on my local machines.)
The postinst section of the package could add a user and set up sudo, although this is not a Debian policy-compliant action.
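What such a postinst (or a one-off ssh loop across the hosts) would actually have to do, as an added example rather than code from the original article: add the account if it is missing, then grant sudo rights, with both steps idempotent so that a package upgrade or a repeated run changes nothing. The passwd and sudoers paths are parameters so the logic can be tried on constructed files without root, and the USERADD variable is an assumption added here so a stub can stand in for the real useradd(8). Sarge's sudo has no sudoers.d, so the line goes into the main file; the edit is made on a copy that is syntax-checked with `visudo -c -f` before it replaces the real file, since one bad line in sudoers locks every administrator out.

```shell
#!/bin/sh
# Added example (not from the original article): the per-host work a
# new-employee.deb postinst has to do, written so that running it twice is
# harmless. Paths are parameters; USERADD (an assumption made here) lets a
# caller substitute a stub for useradd(8) when testing without root.

# Does NAME already have an entry in the given passwd file?
user_exists() {
    name="$1"; passwd_file="$2"
    grep -q "^${name}:" "$passwd_file"
}

# Create NAME with a home directory unless it already exists.
ensure_user() {
    name="$1"; passwd_file="$2"
    if user_exists "$name" "$passwd_file"; then
        return 0
    fi
    "${USERADD:-useradd}" -m -s /bin/bash "$name"
}

# Grant NAME full sudo rights exactly once. The line is appended to a copy,
# which is checked with visudo (when it is installed and we are root, as a
# postinst always is) before it replaces the real file.
grant_sudo() {
    name="$1"; sudoers="$2"
    if grep -q "^${name}[[:space:]]" "$sudoers"; then
        return 0
    fi
    tmp="${sudoers}.tmp.$$"
    cp "$sudoers" "$tmp"
    printf '%s ALL=(ALL) ALL\n' "$name" >> "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -f "$tmp" >/dev/null; then
            rm -f "$tmp"
            return 1
        fi
    fi
    mv "$tmp" "$sudoers"
}

# The two steps the postinst would perform for one new employee.
provision() {
    name="$1"; passwd_file="$2"; sudoers="$3"
    ensure_user "$name" "$passwd_file" && grant_sudo "$name" "$sudoers"
}
```

On a real host the call is simply `provision newhire /etc/passwd /etc/sudoers` from the postinst's `configure` branch; because both steps check before they act, the package can be reinstalled or upgraded on every host without creating duplicate accounts or duplicate sudoers lines.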
Each of these approaches has pros and cons, and there are likely to be approaches I've missed.
So my question is: how would you handle this situation?
Personally I would be happy to log in to each host once to do some minimal configuration, but only if that were never required again. Automation is a wonderful thing, and jobs like this have a habit of recurring more often than you'd like.
This article can be found online at the Debian Administration website at the following bookmarkable URL:
This article is copyright 2006 Steve - please ask for permission to republish or translate.