P-Synch

One of the annoyances of administering networks is the need to change passwords regularly. We change passwords often for security reasons and that's fine. What bothers me is the need to log in to each machine individually and run the password changing programs on each one, then log into each individual application that has its own user and password lists independent of the host machine and change the passwords there. My office network requires over thirty such changes; my home network, eight.

If I were running only UNIX, then I could use NIS and let that service change my machine passwords for me. However, NIS doesn't change non-UNIX passwords and doesn't do anything for application passwords. The same applies to Windows NT-based domains, where a central user list is maintained. Domain users don't extend to UNIX or applications. Utilities exist to provide some cross-platform support for NIS and NT domains, but I haven't found one that works well across my mixed network platforms.

Obviously, this is a problem that has plagued users for years. The folks at M-Tech (Calgary, Alberta) have done something about it. M-Tech's solution is called P-Synch (for password synchronization). It uses a number of scripts and API routines to perform all the password changes on your network from a single location. (It is an obvious solution, once you've seen it work.) I first encountered P-Synch two years ago in an earlier version and have used it religiously on my own networks, recommended it to many clients and written about it extensively since. A Linux implementation of P-Synch was an obvious spinoff of the UNIX version. Even better, M-Tech has released a new version of P-Synch which adds several new features that make it more functional and easier to manage.

As you may have gathered from the comments above, P-Synch uses scripts to change passwords on all applications and machines you tell it to access. P-Synch accomplishes this by using either a native API or TELNET to log in to each machine or application one at a time, running whatever commands are necessary to modify the passwords. You specify only the password to change to (or to reset) and P-Synch runs through its list of targets in the background. Since only a single copy of P-Synch is required anywhere on the network, no client programs need to be installed on each machine. The user interface can be character-based, GUI or HTML. An administrator defines which machines and applications a user can modify passwords on, as well as more advanced options such as password aging.

Since P-Synch is script-based, it can change passwords on any machine or application that can be logged in to using TELNET or for which an API can be written. The list of M-Tech-provided scripts for operating systems is lengthy: Linux, many versions of UNIX, NetWare, Windows 95/98 and NT, LAN Manager, PathWorks, MVS and VMS. Application scripts available from M-Tech include Oracle, Sybase, SQL-Server, cc:Mail, MS-Mail, Exchange, GroupWise and GroupWare (including Lotus Notes). Scripts for other targets are starting to appear in Usenet newsgroups and on web pages, mostly written by P-Synch administrators.

The documentation for P-Synch may be downloaded from the M-Tech web site in PDF, PS or HTML formats. You can download uncompressed, ZIP or GZIP versions. The installation and configuration guide is about 260 pages long, but you will likely need to examine only a few pages to install P-Synch properly. Instead of printing the entire document, an Acrobat or PostScript viewer is best used to find those sections of interest. (Viewing on-line saves both time and paper.)

If you are running NIS (or a Windows-based alternative), P-Synch needs to run on the master. P-Synch will not function properly if installed on a client of an NIS master. (NIS does not allow administrative password changes from clients.) If you are not running NIS or a similar network-wide user management system, P-Synch can reside on any machine on the network. All machines must be running TCP/IP. P-Synch can coexist quite happily with NIS, handling the non-NIS targets only, if you prefer.

Prior to installing P-Synch, you must gather a list of the IP addresses of each machine on which P-Synch will change passwords. P-Synch requires root (or equivalent) access on each of these machines. It is handy to create a test account or two on the server and a few clients to make sure P-Synch is performing its tasks properly before trusting it to your network-wide password management. These test accounts can be deleted after testing or saved for other purposes. A complete installation takes about 4MB of disk space (noticeably down from the last version's requirement of 9MB).

Installing P-Synch takes only a few minutes; however, configuring for a network with several applications and operating systems can take a while longer. The usual installation procedure is to copy or download the files to your Linux machine and extract the files in the library (tar, gzip or zip). One such library file is called unix_srv.tar and contains binaries for all supported UNIX and Linux platforms. After extracting this tar file, an installation shell script is run which handles the file setup procedure. A manual check of a configuration file to ensure it has the proper location for the passwd file (by default, it assumes /etc/passwd) completes the file setup. P-Synch normally uses TCP port 106, but this can be changed if port 106 is in use by another service. To test the installation, a TELNET session to the TCP port should produce a password prompt, at which point the installation is finished. The installation guide contains a list of common problems encountered when setting up P-Synch and they should account for most Linux system configurations.

P-Synch uses a script called psynch.conf to manage password changes. Separate parts of the program control users changing their own passwords, as well as root changing any password. On Linux and UNIX systems, P-Synch modifies passwords directly by interaction with the passwd program, not through a script (which would provide a potential security hole). The psynch.conf script can be edited if necessary, which makes it easy to handle special requirements such as firewalls and proxies as well as encryption schemes that manage password files. For non-UNIX passwords, P-Synch's psynch.conf file must be modified to use a script for password changes. M-Tech provides a number of prewritten scripts for different operating systems as well as applications that reside on UNIX or Windows machines (such as Oracle, Lotus Notes and so on). Non-UNIX systems require changes to the inetd file, but these can be cut-and-pasted from M-Tech's documentation or scripts. Linux and UNIX versions of P-Synch require a login called psadmin, which is used by the server to verify that P-Synch agents on other machines are allowed to change passwords. The psadmin login should be set up so that it has no access privileges.

Our test network consisted of three Linux machines (two Red Hat and one Slackware), four that were SCO OpenServer or UnixWare and three Windows NT servers, along with twelve Windows 95/98 machines. The server applications were Oracle 8, Lotus Notes, Exchange, Novell GroupWise and SQL-Server (all on the Windows NT servers). On this network, installation and configuration of P-Synch took about two hours. Most of that time was spent setting up the non-Linux/non-UNIX password change routines, with about half an hour required to debug the various scripts. If you are working on a Linux-only network, the process will take less than ten minutes.

Once properly configured, users anywhere on the network could run the P-Synch routines to modify their own passwords. The HTML interface in particular is friendly and attractive. Users can specify which machines or applications the change affects, or accept all (the usual case). Administrators can change passwords from any client. The amount of time required for a password change depends on the network load, the number of targets and the nature of the operating systems. On our test network, the password changes went quickly, completing in under two minutes.

To test P-Synch with NIS, we set up one of the SCO machines as an NIS master and a Red Hat Linux system as the slave. We let NIS handle the password changes on half of the UNIX and Linux machines while P-Synch handled the rest of those types as well as the Windows machines. Propagation time for password changes didn't drop noticeably, which was expected since the Windows and application scripts are the major time consumers.

P-Synch is usually licensed to networks based on the number of users. M-Tech will customize the pricing plan to suit your requirements. Earlier versions of P-Synch cost about $10 per user; the latest version is likely to be similarly priced. If you don't want to worry about the password-changing hassle anymore, you'll find P-Synch to be a wonderful utility. It is fast, clean, easy to use and worth every penny. The benefits are multiplied many-fold on heterogenous networks. If you want more information about P-Synch, or want to download the application itself for evaluation, check out the M-Tech Web site at http://www.m-tech.ab.ca/. For the curious, a white paper describing P-Synch is available in Acrobat PDF and PostScript formats.