sync htpasswd and passwd files

[vortmax]

I have an ubuntu 8.04 server running nagios. It uses htpasswd for authentication and user privileges. I would like to sync the passwd file to the htpasswd file so that when I add or remove a user from the machine (or they change their password in the shell) the changes are immediately reflected in htpasswd.

I've seen simple awk scripts to transfer data between the files, but I'm looking for complete synchronization. Is this even possible?

 

[Annihilannic]

Sounds possible, with an adapation of those simple awk scripts to run on a regular basis out of cron or something.

What's the format of the htpasswd file (I'm not familiar with it and can't be bothered looking it up. )

Annihilannic.

 

[vortmax]

the htpasswd file just contains a line with the username and the hashed password:

username:alkshflakueLKJHFdLSKdjf
username2:adfieweoiuvklnem

etc.

I did figure out that I can symlink the /etc/shadow file and have it work, but I have to give the apache user read access to it. I'm not sure how big of a security hole that is.

 

[elgrandeperro]

Careful. shadow has several more fields and you just blasted passwords for accounts that aren't in the .htpasswd.

You really want to extract the strings as Anni has said, and sync via a cron script.

 

[Edcrosbys]

I'd leave the shadow file alone! Especially with something that is end user facing like Apache!! If you want to sync the files, then setup a script to copy the changed line over to the other file (I assume you want 2-way sync). Keep a copy from the last time the script ran (htpasswd.old) and compare it line by line with the new file. After your done, you have a file with the changed lines (htpasswd.svr1). compare the two with each other (having one win by default if a user changed the pass on both boxes). Then replace the line on the other box with the new line. The cheating way to do this is "grep -v $newline oldfile >> newfile; echo $newline >> newfile". You get the idea, but the syntax and whatnot needs work.

Although the better solution would be to setup nagios (apache) to authenticate to ldap and stand up an ldap server. I believe there are plenty of how-to's out there for this.

Best of luck to you! If you get a script together and need help, post it up!

 

[vortmax]

Although the better solution would be to setup nagios (apache) to authenticate to ldap and stand up an ldap server. I believe there are plenty of how-to's out there for this."

That's actually what I ended up doing. I configured apache to authenticate against our Active domain controller and all is well.

Although this problem did get me thinking... is it possible to run a script as a pipe so that it alters the data on the fly? So to the running program, it is just performing a normal read operation, but in fact the pipe (that is being read from) is reading in another file and modifying the stream.

 

[Edcrosbys]

Yes, there are pipe files you can use as fifo buckets to pass data around. It not the most elegant way of doing things though.

 

[Annihilannic]

I don't think that would be (easily) possible because you would somehow need to launch the programme that writes to the pipe each time you wanted to read it. Typically you create a pipe, launch the 'reader', launch the 'writer', it writes it's output and closes the output, the reader reads the input until EOF, and then closes the input. If the writer never ended and kept the output open, then the reader would continue waiting for input for ever.

This is assuming that you are fooling the reader into thinking it is reading a file up to EOF.

Annihilannic.

 

[vortmax]

Then a pipe might not be the way to do it.

My idea was basically a proxy. The reader opens the proxy (Pipe, script, whatever), which in turn opens the actual file to be read. The proxy just passes on the read request and modifies the return on the fly, so the EOF the reader gets is the EOF in the source file.