M-Tech’s P-Synch: changing the way we change passwords
One of my favorite peeves about administering networks is the need to change passwords regularly. You know why we change passwords often (good old security, ya know), and that’s not the part that peeves me. It’s the need to log in to every machine individually and run the password changing programs on each separately that gets to me. Then log into each individual application that has its own user and password lists, independent of the host machine, and change the passwords there, too. My office network requires over thirty such changes, and my home network eight.
If I was only running UNIX, then I could use NIS and let that service change my machine passwords for me. But NIS doesn’t change non-UNIX passwords and it doesn’t do anything for application passwords. The same applies to Windows NT-based domains, where a central user list is maintained. Domain users don’t extend to UNIX or applications. There are utilities that provide some cross-platform support for NIS and NT domains, but I haven’t found one that works well across my very mixed network platforms.
Obviously this is a problem that has plagued users for years. The folks at M-Tech (Calgary, Alberta) have done something about it. M-Tech’s solution is called P-Sync (for Password Synchronization) and it uses a number of scripts and API routines to perform all the password changes on your network for you from a single location. (It’s an obvious solution once you’ve seen it work!). I first encountered P-Synch two years ago in an earlier version and have used it religiously on my own networks, recommended it to many clients, and written about it extensively since. A Linux implementation of P-Synch was an obvious spin-off of the UNIX version. Even better, M-Tech has released a new version of P-Synch which adds several new features that make P-Synch more talented and easier to manage.
As you have gathered from the comments above, P-Synch uses scripts to change passwords on all applications and machines you tell it to access. P-Synch accomplishes this by using either a native API or telnet to log into each machine or application one at a time, running whatever commands are necessary to modify the passwords. You need tell P-Synch only what password to change to (or to reset a password), and P-Synch runs through its list of targets in background. Since only a single copy of P-Synch is required anywhere on the network there are no client programs to be installed on each machine. The user interface can be character-based, GUI, or HTML. An administrator defines which machines and applications a user can modify passwords on, as well as more advanced routines like password aging.
Since P-Synch is script-based, it can change passwords on any machine or application that can be logged in to using telnet or for which an API can be written. The list of M-Tech-provided scripts for operating systems is lengthy: Linux, many versions of UNIX, NetWare, Windows 95/98 and NT, LAN Manager, PathWorks, MVS and VMS. Application scripts available from M-Tech include Oracle, Sybase, SQL-Server, cc:Mail, MS-Mail, Exchange, GroupWise, and GroupWare (including Lotus Notes). Scripts for other targets are starting to appear in Usenet newsgroups and on Web pages, mostly written by P-Synch administrators.
The documentation for P-Synch is downloaded from the M-Tech Web site in .PDF, .PS or HTML formats. You can download uncompressed, ZIP, or GZIP versions. The installation and configuration guide is about 260 pages long, but it is likely that you will need to examine only a few pages to install P-Synch properly. Instead of printing the entire document, an Acrobat or PostScript viewer is best used to find those sections of interest (and viewing on-line saves a lot of time and paper).
If you are running NIS (or use a Windows-based alternative) P-Synch needs to run on the master. P-Synch will not function properly if installed on a client of a NIS master. (This is because NIS does not allow administrative password changes from clients.) If you are not running NIS or similar network-wide user management system then P-Synch can reside on any machine on the network. All machines that P-Synch is to manage passwords on must be running TCP/IP. P-Synch can coexist quite happily with NIS, handling only the non-NIS targets if you prefer.
Prior to installing P-Synch you need to gather a list of the IP addresses of each machine on which P-Synch will change passwords. P-Synch requires root (or equivalent) access on each of these machines. It is handy to create a test account or two on the server and a few clients to make sure P-Synch is performing its tasks properly before trusting it to your network-wide password management. These test accounts can be deleted after testing, or kept around for other purposes. A complete installation takes about 4MB disk space (noticeably down from the last version’s 9MB requirement).
Installing P-Synch takes only a few minutes but configuring for a network with several applications and operating systems can take a while. The usual installation procedure is to copy or download the files to your Linux machine and extract the files in the library (tar, gzip, or zip). One such library file is called unix_srv.tar and contains binaries for all supported UNIX and Linux platforms. After extracting this tar file, an installation shell script is run which handles the file setup procedure. A manual check of a configuration file to ensure it has the proper location for the passwd file (by default it assumes /etc/passwd) completes the file setup. P-Synch normally uses TCP port 106 but this can be changed if port 106 is in use by another service. To test the installation a telnet session to the TCP port should produce a password prompt, at which point the installation is finished. The installation guide contains a list of common problems encountered when setting up P-Synch, and they should account for most Linux system configurations.
P-Synch uses a script called psynch.conf to manage password changes. Separate parts of the program control users changing their own passwords, as well as root changing any password. On Linux and UNIX systems, P-Synch modifies passwords directly by interaction with the passwd program, not through a script (which would provide a potential security hole). The psynch.conf script can be edited if need be, which makes it easy to handle special requirements such as firewalls and proxies, as well as encryption schemes that manage password files. For non-Unix passwords P-Synch’s psynch.conf file must be modified to use a script for password changes. M-Tech provides a number of prewritten scripts for different operating systems, as well as applications that reside on UNIX or Windows machines (such as Oracle, Lotus Notes, and so on). Non-UNIX systems require changes to the inetd file, but these can be cut and pasted from M-Tech’s documentation or scripts. Linux and UNIX versions of P-Synch require a login called psadmin which is used by the server to verify that P-Synch agents on other machines are allowed to change passwords. The psadmin login should be set up so that it has no access privileges.
Our test network consisted of three Linux (two RedHat and one Slackware), four SCO OpenServer or UnixWare, and three Windows NT servers along with twelve Windows 95/98 machines. The server applications were Oracle 8, Lotus Notes, Exchange, Novell GroupWise, and SQL-Server (all on the Windows NT servers). On this network installation and configuration of P-Synch took about two hours. Most of that time was spent setting up the non-Linux and non-UNIX password change routines, with about half an hour required to debug the various scripts. If you are working on a Linux-only network the process will take less than ten minutes.
Once properly configured, users anywhere on the network could run the P-Synch routines to modify their own passwords. The HTML interface in particular is friendly and attractive. Users can specify which machines or applications the change affects, or accept all (which will usually be the case). Administrators can change passwords from any client. The amount of time required for a password change depends on the network load, the number of targets, and the nature of the operating systems. On our test network the password changes went quickly, completing in under two minutes.
To test P-Synch with NIS, we set up one of the SCO machines as an NIS master and a RedHat Linux system as the slave. We let NIS handle the password changes on half the UNIX and Linux machines while P-Synch handled the rest of those types as well as the Windows machines. Time for password changes didn’t drop noticeably, which could be expected since the Windows and application scripts are the major time consumers.
P-Synch is usually licensed to networks based on the number of users. M-Tech will customize the pricing plan to suit your requirements. Earlier versions of P-Synch cost about $10 per user and the latest version is likely to be similar. If you don’t want to worry about the password-changing hassle anymore, you’ll find P-Synch to be a wonderful utility. It’s fast, clean, easy to use, and worth every penny. The benefits are multiplied many-fold on heterogenous networks. If you want more information about P-Synch, or want to download the application itself for evaluation, check out the M-Tech Web site at http://www.m-tech.ab.ca. For the curious, a White Paper available in .pdf and .ps format describes P-Synch.