Cold / warm spare for OpenBSD server
Hello! I administer multiple OpenBSD machines which have been backing up via tar and sftp. I do have one server that is mission critical that I'd like to move to a more "warm" backup, perhaps using rsync. I already have a second server with the same hardware and OpenBSD version that is in a cold state but currently it would take some time to rebuild from the backup tars if something happened to the main server. I see this project as having two different stages. Because I've installed a lot of ports and packages outside of the base install, stage one would involve installing the same rev of OpenBSD on the redundant machine and having rsync sync everything (binaries, config, etc.) from production to the redundant machine. Then stage two would pare down the rsync config to only sync the dynamic data, like /var/mail, /etc configuration files and that kind of thing. My questions: Stage 1: sync the two machines so are initially identical. When syncing everything from existing to redundant machine in stage 1, what directories wouldn't need to be / shouldn't be synced? I suspect that /dev and /mnt probably shouldn't be synced and probably don't need to be synced if the server hardware and OS version is the same between machines. Likewise kernel files like /boot and /bsd probably don't need to be synced either unless upgrading the kernel for security patches. Are there other directories that shouldn't be or don't need to be synced? Stage 2: sync mail, /etc/passwd, etc. on a regular basis between the machines I need to mirror /etc, /var/mail, and any other directories with dynamically changing data. I'm not so concerned about logs so I probably won't sync all of /var. Similar to my question above, are there other directories that would have commonly changed data that I should be backing up on a semi-regular basis? Is rsync the best way to keep two OpenBSD servers in close sync with each other? Is rsync a reasonable way to initially mirror the installed ports and packages and configuration data from one machine to another? And is there a better way to go about having 2 servers in sync, one "hot" and one "warm"? Thanks! Jeff
Re: Options for dealing with DES crypt password file
I appreciate the suggestion but yeah, LDAP is totally overkill here. There's really only this one server that needs access to the auth info in the passwd file, so LDAP wouldn't really help me.
Re: Options for dealing with DES crypt password file
I completely understand. The running chainsaw analogy is pretty accurate here. OpenBSD is as secure as it is because you all remove as many chainsaws as possible. We needed to update those hashes anyway someday. I just wasn't expecting that day to be today. Thanks again! From: Theo de Raadt Sent: Thursday, January 11, 2018 12:49:33 PM To: Jeff Zimmerman Cc: misc@openbsd.org Subject: Re: Options for dealing with DES crypt password file > I was hoping that there was some hidden switch somewhere that would turn > the classic crypt back on. No such luck. That'd be like leaving a running chainsaw on the floor at a daycare center. When something is dangerous, we get rid of it.
Re: Options for dealing with DES crypt password file
I know, I'm ashamed to say that yes, this machine has been running (behind a restrictive firewall) for all of these years. I was hoping that there was some hidden switch somewhere that would turn the classic crypt back on. No such luck. But thank you for the quick response. I've been using OpenBSD for a lot of years and really appreciate your efforts Theo, and the efforts of everyone associated with the project. From: Theo de Raadt Sent: Thursday, January 11, 2018 12:29:59 PM To: Jeff Zimmerman Cc: misc@openbsd.org Subject: Re: Options for dealing with DES crypt password file > I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes > in master.passwd. A majority of the passwords (hundreds) are old salted > DES crypt format. bummer > Am I correct in my research that everything but Blowfish was removed from > crypt() around OpenBSD 5.7? Are there any workarounds for me using the old > DES password hashes, or do we need to 'passwd ' for hundreds of users? There are no workarounds. The hashes cannot be reversed to make new passwords, and the legacy methods are removed intentionally because they are super weak You been running that on the internet? the shame!
Options for dealing with DES crypt password file
I've got an old server (OpenBSD 4.7 old) with a mixed bag of password hashes in master.passwd. A majority of the passwords (hundreds) are old salted DES crypt format. Am I correct in my research that everything but Blowfish was removed from crypt() around OpenBSD 5.7? Are there any workarounds for me using the old DES password hashes, or do we need to 'passwd ' for hundreds of users?