Restoring Linux user accounts (just the accounts, not data)

Robert Heller heller at deepsoft.com
Tue Jun 22 18:32:39 UTC 2021


At Wed, 23 Jun 2021 04:15:30 +1000 kauer at biplane.com.au, "Ubuntu user technical support, not for general discussions" <ubuntu-users at lists.ubuntu.com> wrote:

> 
> TL;DR: I want to restore Unix accounts easily (just the accounts - not
> data such as home directories). Can I just append passwd and shadow
> lines saved from one server to the passwd and shadow files of another
> server?

Yes, but make sure there are no duplicate UIDs and GIDs.  You will also need 
to update /etc/group.

> 
> The details:
> 
> I run an OpenVPN server. It's actually a pair of servers - a
> certificate server and a VPN server. The VPN server uses the
> certificate server to generate and sign certificates. The certs and
> keys generated are used to build credential packs which are distributed
> to VPN users. Credentials consist of a .ovpn file, an MFA secret, a
> username, and a password. The username and password are an ordinary
> Unix login, which is checked by PAM before another PAM module deals
> with the MFA side of things.
> 
> If either of these servers is lost, every user will need to be re-
> issued with all those credentials, so obviously some kind of backup is
> needed. It's complicated by the fact that the servers need to be
> restored as a matching set. The amount of key material is tiny - a few
> kilobytes per user at most - while backing up the two entire servers is
> multiple gigabytes, most of which doesn't really need to be backed up
> anyway because it's just the distro.
> 
> I have automated the creation of the matching set of servers, and have
> a simple export and import mechanism that can save all the key material
> from both servers and can restore it very quickly. However, up until
> now, restoring the related Unix logins has been a semi-manual process,
> and because I do not record people's passwords, it has meant re-issuing 
> passwords. This is obviously better than having to re-issue everything,
> but it's very far from ideal.
> 
> So I want a way to preserve people's Unix credentials without having to
> know their passwords, and I now have a plan! It is this plan that I am
> seeking informed comment on.
> 
> My plan depends on the fact that the users' keys' basenames are the
> Unix usernames. A scan through the stored keys will find all the
> necessary usernames.
> 
> The plan for export is to copy (for each user name thus found) the
> relevant line out of /etc/passwd and /etc/shadow, creating an export
> passwd and an export shadow file containing only the VPN users'
> entries (no system accounts etc). VPN users are simpler than real users
> - they all belong to just one group, they have no home directories and
> they have no login shells, so there is nothing more that needs
> exporting.

You may also need information from /etc/group.  If each user is in their own 
group, you will need those lines from /etc/group (same basic procedure as for 
/etc/passwd and /etc/shadow), but if some people are in other groups (eg 
admin, sudo, dialout, and so on), you will need to cherry-pick that info and 
re-instate it.  One option is to just generate a script that uses usermod (man 
usermod) to manage that.  Save the generated script with the backup stub 
copies of /etc/passwd, /etc/shadow, and /etc/group, and after appending the 
stubs, run the script to diddle /etc/group.

> 
> The plan for import is three steps - firstly restore the key material
> (that bit is working fine already), secondly delete any matching users
> from the target system (userdel), and thirdly append the contents of
> the export passwd file and the export shadow file to /etc/passwd
> and /etc/shadow respectively.
> 
> That second step would be a NOP on brand new servers, but an import
> might be used to restore to an only slightly broken system. The second
> step removes any wreckage, so to speak.
> 
> Because /etc/passwd doesn't contain any passwords, and /etc/shadow
> contains only encrypted passwords, this seems to achieve the goal of
> being able to restore Unix accounts, with their original passwords,
> without having to know the passwords.
> 
> Initial experiments suggest that this works fine provided there are no
> UID/GID conflicts, easily avoided by taking care when adding non-VPN
> users. There are typically just one or two admins with non-VPN
> accounts.
> 
> Can anyone see any problems with this plan that are likely to come back
> to bite me?
> 
> Thanks, K.
> 
> 

-- 
Robert Heller             -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services
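One way to mechanise the export/import K describes, with Robert's duplicate-ID and /etc/group points built in, as an added example that is not from either poster and not anyone's production code. It assumes the key directory holds one <user>.key file per VPN user (K's basename convention), runs entirely on constructed sample passwd/shadow/group files under a temp directory rather than the real /etc, and stands in for userdel with an awk filter so it needs no root; the usermod script it generates is written, not executed.

```shell
#!/bin/sh
# Added example, not code from the thread. Exports the passwd/shadow/group lines
# for the users named by the stored keys, checks the stub for UID/GID clashes
# against a target tree, and appends it. Works on whatever directories you pass
# (below: constructed sample files under mktemp, never the real /etc).
set -eu

# Constructed sample trees: $1 = dir, $2 = source|target, $3 = admin UID/GID
# for target trees (2001 reproduces an admin being given a VPN user's UID).
make_tree() {
    mkdir -p "$1"
    if [ "$2" = source ]; then
        printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
            'alice:x:2001:2000::/nonexistent:/usr/sbin/nologin' \
            'bob:x:2002:2000::/nonexistent:/usr/sbin/nologin' > "$1/passwd"
        printf '%s\n' 'root:*:18800:0:99999:7:::' \
            'alice:$6$salt$hashalice:18800:0:99999:7:::' \
            'bob:$6$salt$hashbob:18800:0:99999:7:::' > "$1/shadow"
        printf '%s\n' 'root:x:0:' 'dialout:x:20:bob' 'vpnusers:x:2000:' > "$1/group"
    else
        printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
            "admin:x:$3:$3:Admin:/home/admin:/bin/bash" > "$1/passwd"
        printf '%s\n' 'root:*:18800:0:99999:7:::' \
            'admin:$6$salt$hashadmin:18800:0:99999:7:::' > "$1/shadow"
        printf '%s\n' 'root:x:0:' 'dialout:x:20:' "admin:x:$3:" > "$1/group"
    fi
}

# The thread's convention: usernames are the basenames of the stored keys.
users_from_keys() {   # $1 = directory holding <user>.key files
    for k in "$1"/*.key; do
        [ -e "$k" ] || continue
        k=${k##*/}; printf '%s\n' "${k%.key}"
    done
}

# export_accounts SRC OUT user...: writes OUT/{passwd,shadow,group}.stub and
# OUT/groups.sh. Only each user's primary group line goes into group.stub;
# supplementary groups (dialout, sudo, ...) are assumed to exist on the target
# already, so membership is re-added by a generated usermod script instead.
export_accounts() {
    src=$1; out=$2; shift 2
    mkdir -p "$out"
    : > "$out/passwd.stub"; : > "$out/shadow.stub"; : > "$out/group.stub"
    printf '#!/bin/sh\nset -e\n' > "$out/groups.sh"
    for u in "$@"; do
        for f in passwd shadow; do
            awk -F: -v u="$u" '$1 == u' "$src/$f" | grep . >> "$out/$f.stub" ||
                { echo "export: $u has no $f entry" >&2; return 1; }
        done
        gid=$(awk -F: -v u="$u" '$1 == u { print $4 }' "$src/passwd")
        # one group line per distinct primary GID
        awk -F: -v g="$gid" '$3 == g' "$out/group.stub" | grep -q . ||
            awk -F: -v g="$gid" '$3 == g' "$src/group" >> "$out/group.stub"
        awk -F: -v u="$u" '{ n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) printf "usermod -aG %s %s\n", $1, u }' \
            "$src/group" >> "$out/groups.sh"
    done
}

# check_conflicts TARGET OUT: a stub entry whose numeric ID (field 3 of passwd and
# group alike) is held by a differently named target entry is a clash.
check_conflicts() {
    tgt=$1; out=$2; rc=0
    for f in passwd group; do
        while IFS=: read -r name _pw id _rest; do
            clash=$(awk -F: -v id="$id" -v n="$name" '$3 == id && $1 != n { print $1 }' "$tgt/$f")
            [ -z "$clash" ] || { echo "$f: id $id of $name already used by $clash" >&2; rc=1; }
        done < "$out/$f.stub"
    done
    return $rc
}

# import_accounts TARGET OUT: drop existing entries for the stub's names (the
# userdel step, done on the files) and append the stub. Writing back with "cat >"
# keeps each file's mode and owner; on a live host also hold the vipw/vigr lock.
import_accounts() {
    tgt=$1; out=$2
    check_conflicts "$tgt" "$out" || return 1
    for f in passwd shadow group; do
        [ -s "$out/$f.stub" ] || continue   # empty stub: nothing to drop or add
        awk -F: 'FILENAME == ARGV[1] { drop[$1] = 1; next } !($1 in drop)' \
            "$out/$f.stub" "$tgt/$f" > "$tgt/$f.new"
        cat "$out/$f.stub" >> "$tgt/$f.new"
        cat "$tgt/$f.new" > "$tgt/$f" && rm -f "$tgt/$f.new"
    done
}

# Demo on constructed trees: export alice and bob, import into a clean target.
demo() {
    w=$(mktemp -d)
    make_tree "$w/src" source; make_tree "$w/dst" target 1000
    mkdir -p "$w/keys"; : > "$w/keys/alice.key"; : > "$w/keys/bob.key"
    export_accounts "$w/src" "$w/stub" $(users_from_keys "$w/keys")   # split on newlines
    import_accounts "$w/dst" "$w/stub"
    cat "$w/dst/passwd" "$w/stub/groups.sh"
    rm -rf "$w"
}
demo
```

The clash check compares numeric IDs rather than names, so an admin who was handed a VPN user's UID on the rebuilt box (make_tree ... target 2001 reproduces that) is refused before anything is appended, while a same-named leftover from a half-broken system is simply replaced; running the import twice is therefore harmless. On a real host, replace the sample trees with copies taken under the vipw/vigr lock and run the generated groups.sh only after the stubs are in place.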