Restoring Linux user accounts (just the accounts, not data)
Karl Auer
kauer at biplane.com.au
Tue Jun 22 18:15:30 UTC 2021
TL;DR: I want to restore Unix accounts easily (just the accounts - not
data such as home directories). Can I just append passwd and shadow
lines saved from one server to the passwd and shadow files of another
server?
The details:
I run an OpenVPN server. It's actually a pair of servers - a
certificate server and a VPN server. The VPN server uses the
certificate server to generate and sign certificates. The certs and
keys generated are used to build credential packs which are distributed
to VPN users. Credentials consist of a .ovpn file, an MFA secret, a
username, and a password. The username and password are an ordinary
Unix login, which is checked by PAM before another PAM module deals
with the MFA side of things.
If either of these servers is lost, every user will need to be re-
issued with all those credentials, so obviously some kind of backup is
needed. It's complicated by the fact that the servers need to be
restored as a matching set. The amount of key material is tiny - a few
kilobytes per user at most - while backing up the two entire servers is
multiple gigabytes, most of which doesn't really need to be backed up
anyway because it's just the distro.
I have automated the creation of the matching set of servers, and have a
simple export and import mechanism that can save all the key material
from both servers and can restore it very quickly. However, up until
now, restoring the related Unix logins has been a semi-manual process,
and because I do not record people's passwords, it has meant re-issuing
passwords. This is obviously better than having to re-issue everything,
but it's very far from ideal.
So I want a way to preserve people's Unix credentials without having to
know their passwords, and I now have a plan! It is this plan that I am
seeking informed comment on.
My plan depends on the fact that the users' keys' basenames are the
Unix usernames. A scan through the stored keys will find all the
necessary usernames.
The plan for export is to copy (for each user name thus found) the
relevant line out of /etc/passwd and /etc/shadow, creating an export
passwd file and an export shadow file containing only the VPN users'
entries (no system accounts etc). VPN users are simpler than real users
- they all belong to just one group, they have no home directories and
they have no login shells, so there is nothing more that needs
exporting.
The plan for import is three steps - firstly restore the key material
(that bit is working fine already), secondly delete any matching users
from the target system (userdel), and thirdly append the contents of
the export passwd file and the export shadow file to /etc/passwd
and /etc/shadow respectively.
That second step would be a NOP on brand new servers, but an import
might be used to restore to an only slightly broken system. The second
step removes any wreckage, so to speak.
Because /etc/passwd doesn't contain any passwords, and /etc/shadow
contains only encrypted passwords, this seems to achieve the goal of
being able to restore Unix accounts, with their original passwords,
without having to know the passwords.
Initial experiments suggest that this works fine provided there are no
UID/GID conflicts, easily avoided by taking care when adding non-VPN
users. There are typically just one or two admins with non-VPN
accounts.
Can anyone see any problems with this plan that are likely to come back
to bite me?
Thanks, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
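The export/import procedure described in the message above, as an added worked example (not code from the post or from the author's servers). It assumes the key files are named `<username>.key` under one directory, takes every file path as a parameter so it can be run on copies or on the constructed fixture below rather than the live `/etc` files, and replaces the `userdel` step with deletion of the matching lines so it runs without root. It also adds the two checks a practitioner would want before appending: an exported UID must not already belong to a differently named user on the target, and every exported primary GID must exist in the target's group file (the post notes the VPN users share one group, but nothing in the export carries that group).

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical helpers that export
# and re-import only the VPN users' passwd/shadow lines. All paths are
# parameters; on a live system these edits belong under the lock that
# vipw/userdel take, and the files must keep their owner and mode.

# copy_entry USER SRC OUT: copy the line whose first field is exactly USER
# (exact field match, so "bob" does not also pick up "bobby"); fail if absent.
copy_entry() {
    line=$(awk -F: -v u="$1" '$1 == u' "$2")
    [ -n "$line" ] || { echo "export: no entry for $1 in $2" >&2; return 1; }
    printf '%s\n' "$line" >> "$3"
}

# export_accounts KEYDIR SRC_PASSWD SRC_SHADOW OUT_PASSWD OUT_SHADOW
# Usernames are the basenames of KEYDIR/*.key (assumed naming convention).
export_accounts() {
    keydir=$1 src_passwd=$2 src_shadow=$3 out_passwd=$4 out_shadow=$5
    : > "$out_passwd"
    : > "$out_shadow"
    chmod 0600 "$out_shadow"            # the shadow export carries the hashes
    for keyfile in "$keydir"/*.key; do
        [ -e "$keyfile" ] || continue
        user=$(basename "$keyfile" .key)
        copy_entry "$user" "$src_passwd" "$out_passwd" || return 1
        copy_entry "$user" "$src_shadow" "$out_shadow" || return 1
    done
}

# check_conflicts EXP_PASSWD TGT_PASSWD TGT_GROUP
# Fail if an exported UID is held by a differently named user on the target,
# or if an exported primary GID is missing from the target's group file.
check_conflicts() {
    bad=$(awk -F: '
        FILENAME == ARGV[1] { name_of[$3] = $1; want_gid[$4] = 1; next }
        FILENAME == ARGV[2] && ($3 in name_of) && name_of[$3] != $1 {
            print "UID " $3 " used by both " $1 " and " name_of[$3] }
        FILENAME == ARGV[3] { have_gid[$3] = 1 }
        END { for (g in want_gid) if (!(g in have_gid))
                  print "GID " g " missing from group file" }
    ' "$1" "$2" "$3")
    [ -z "$bad" ] || { printf '%s\n' "$bad" >&2; return 1; }
}

# import_accounts EXP_PASSWD EXP_SHADOW TGT_PASSWD TGT_SHADOW TGT_GROUP
import_accounts() {
    exp_passwd=$1 exp_shadow=$2 tgt_passwd=$3 tgt_shadow=$4 tgt_group=$5
    check_conflicts "$exp_passwd" "$tgt_passwd" "$tgt_group" || return 1
    # Step 2: drop existing entries for the exported names (stand-in for
    # userdel). Writing back through the existing file keeps owner and mode.
    for f in "$tgt_passwd" "$tgt_shadow"; do
        awk -F: 'FILENAME == ARGV[1] { drop[$1] = 1; next } !($1 in drop)' \
            "$exp_passwd" "$f" > "$f.tmp" || return 1
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
    # Step 3: append the exported lines unchanged (hashes and ageing fields).
    cat "$exp_passwd" >> "$tgt_passwd"
    cat "$exp_shadow" >> "$tgt_shadow"
}

# hash_of USER SHADOW: print USER's password field, to confirm a round trip.
hash_of() { awk -F: -v u="$1" '$1 == u { print $2 }' "$2"; }

# make_fixture DIR: constructed sample data (placeholder hashes, not real ones).
# The target already has a stale "bob" with a locked password, the wreckage
# that step 2 is meant to remove; "carol" is an admin with no key file.
make_fixture() {
    mkdir -p "$1/keys"
    : > "$1/keys/alice.key"
    : > "$1/keys/bob.key"
    cat > "$1/src_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:2001:2000:VPN user:/nonexistent:/usr/sbin/nologin
bob:x:2002:2000:VPN user:/nonexistent:/usr/sbin/nologin
carol:x:1000:1000:Admin:/home/carol:/bin/bash
EOF
    cat > "$1/src_shadow" <<'EOF'
root:*:18800:0:99999:7:::
alice:$6$constructed$ALICEHASH:18800:0:99999:7:::
bob:$6$constructed$BOBHASH:18800:0:99999:7:::
carol:$6$constructed$CAROLHASH:18800:0:99999:7:::
EOF
    cat > "$1/tgt_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:2002:2000:VPN user:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$1/tgt_shadow" <<'EOF'
root:*:18800:0:99999:7:::
bob:!:18800:0:99999:7:::
EOF
    printf 'root:x:0:\nvpn:x:2000:\n' > "$1/tgt_group"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_fixture "$d"
    export_accounts "$d/keys" "$d/src_passwd" "$d/src_shadow" "$d/exp_passwd" "$d/exp_shadow"
    import_accounts "$d/exp_passwd" "$d/exp_shadow" "$d/tgt_passwd" "$d/tgt_shadow" "$d/tgt_group"
    echo "restored hash for bob: $(hash_of bob "$d/tgt_shadow")"
    rm -rf "$d"
fi
```

Run with `sh restore.sh --demo` to see the round trip on the fixture. Against a real target, run `pwck -r` and `grpck -r` afterwards to confirm the files still parse, and note that the same result can be had through the normal tooling instead of appending: `useradd` with the exported UID/GID/shell, then `chpasswd -e` fed `user:hash` pairs from the exported shadow lines, which accepts already-hashed passwords and takes the password-file lock for you.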