On 2/21/22 7:10 PM, Dave Wilson wrote:
> Hi all,
>
> I am setting up a pair of OpenBSD jump boxes, to be a pair of bastion hosts
> of a large network.
> I would like to have a primary and backup, with the same set of users on
> each one.
> I do not want to use YP or any other form of authentication server, because
> part of the use case for these machines is that they are the jumping off
> point for fixing everything else when things are broken.
>
> I am aware that OpenBSD goes to some length to ensure the integrity of the
> files /etc/passwd, master.passwd, group et al, providing various utilities
> to manipulate them and even vipw for those rare occasions when you want to
> edit the raw files, so I am very reluctant to just rsync files from the
> primary to the backup, bypassing these protections.
>
> Is there a clean way to do this sort of user synchronisation? I can write a
> script which will run useradd (or userdel etc) on one machine and then the
> other, but if there is a "correct" way to do such a thing, I would rather
> do that than reinvent the wheel.

Actually, rsync'ing the important files works very well.  The important
files are just text files...nice and simple.  One user, one line.

THAT BEING SAID, unless the machines are all very identical, you
will have an issue with different systems having different application
users.  Off the top of my head, something like this should work:

On master system, extract your human users that need to be replicated:
   # grep ":/home/" /etc/master.passwd >/tmp/adminusers.master.passwd
   # grep '*:[0-9][0-9][0-9][0-9]:' /etc/group >/tmp/adminusers.group

(neither of those grep lines is universally correct, both make
assumptions.  Understand my goal; don't copy my example blindly.)

copy those two adminusers.* files to the target machine

Now... on the target machines, grep -v the ":/home/" and four-digit
group number lines OUT of the master.passwd files to temp files, tack
the new info onto the end of the temp files, do some basic error checking,
including running "pwd_mkdb -c" to validate your new file and making
sure that the number of lines differing between the old and the temp
files is within a user or two. If all looks good, mv the temp files
to replace the permanent ones and run pwd_mkdb for real.

I'd suggest considering moving the user keys from ~/.ssh/authorized_keys
to something akin to /etc/ssh/keys/<username.pub>, then you only have to
sync that one directory.  That's the "AuthorizedKeysFile" option in
/etc/ssh/sshd_config.  Cool trick I learned waaay too recently. :)

Oh wait. You said just two redundant boxes. Well, rsync will work great.
Just make sure you go the right direction.  No, wrap it in a script that
makes it go the right direction.  Dyslexics untie!

Nick.
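The merge-and-check step Nick sketches above, written out as a reusable shell function. This is an added example, not code from the thread or from OpenBSD; the PATTERN argument (':/home/' for master.passwd, the four-digit gid regex for group), the MAX_DELTA bound and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: the merge-and-check step for the
# replicated master.passwd/group entries. PATTERN is the grep regex that
# marks a replicated line (':/home/' for master.passwd, a four-digit gid
# for group); MAX_DELTA bounds the allowed change in line count.
set -eu

# merge_db CURRENT INCOMING OUT PATTERN [MAX_DELTA]
# Leaves the merged file in OUT and returns 0, or returns 1 with OUT removed.
merge_db() {
    cur=$1 inc=$2 out=$3 pat=$4 max_delta=${5:-2}

    # Every incoming line must itself match PATTERN: a stray root or
    # application-user entry from the master is refused, not merged.
    if grep -v -e "$pat" "$inc" | grep -q .; then
        echo "refusing: incoming entries do not all match '$pat'" >&2
        return 1
    fi

    # Keep the local entries, drop the old replicated ones, append the new set.
    { grep -v -e "$pat" "$cur" || true; cat "$inc"; } > "$out"

    # Login/group names (field 1) must stay unique after the merge.
    if cut -d: -f1 "$out" | sort | uniq -d | grep -q .; then
        echo "refusing: duplicate names after merge" >&2
        rm -f "$out"; return 1
    fi

    # "Within a user or two": bound the change in line count.
    before=$(wc -l < "$cur") after=$(wc -l < "$out")
    delta=$((after - before))
    [ "$delta" -ge 0 ] || delta=$((0 - delta))
    if [ "$delta" -gt "$max_delta" ]; then
        echo "refusing: line count changed by $delta (limit $max_delta)" >&2
        rm -f "$out"; return 1
    fi
    return 0
}

# Install step for master.passwd (OpenBSD, as root): validate the candidate
# with pwd_mkdb -c, swap it in, then rebuild the password databases.
install_master_passwd() {
    pwd_mkdb -c "$1" && mv "$1" /etc/master.passwd && pwd_mkdb -p /etc/master.passwd
}
```

For /etc/group there is no pwd_mkdb step; after merge_db succeeds, mv the candidate into place.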
