I have been wondering if there is a better way to manage user accounts across multiple servers.

At the moment, I have a main user account (e.g. 'user') on my home/dev machine, and for each server I manually create that same 'user' account. Then I use rsync to copy my .ssh directory and any other directories I want to each new server.

While this seems OK for managing the 2 servers I currently manage, I cannot imagine doing the same thing for 10+ servers, and was wondering what the best way to go about this was.


Ricky Hewitt

4 Answers


There are two popular approaches:

  • You either set up central authentication (LDAP, NIS).
  • Or you set up a configuration management system (puppet, chef, cfengine, shell script) to automatically create accounts and configure the environment on all your managed systems.

Central authentication systems are good when all the systems are under the control of the same organization. It tends to be necessary when you have lots of users, and when you will need to use the authentication for many things beyond just logging in.

The configuration management way is good if you generally just need to set up a small number of remote admin accounts and service accounts.

  • @OP For what it's worth. I'd highly advise the former option. Don't use puppet for this. It can become a total pain and a minefield of exceptions and special cases, even if you don't think it will initially. Use ldap, nis, etc. It's what they're for. – Sirex Sep 13 '12 at 23:24
  • @Sirex, there are some use cases for a configuration management system over central authentication. I manage lots of Linux boxes on other people's networks. Joining them all to a single directory simply is not an option, but I do need to maintain a few accounts common to all the systems. I do agree that you should prefer a central authentication system if it will work for you. – Zoredache Sep 13 '12 at 23:29
  • And use LDAP if at all possible. As an Admin who's responsible for managing a large NIS network and figuring out ways of getting new services' SSO systems to work on this network, it's a royal pain. – Magellan Sep 13 '12 at 23:47
  • @Zoredache, can you elaborate on how to mount user home directories via LDAP info as well as managing sudo privs with it? – Mike Pennington Sep 14 '12 at 17:47
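
The configuration management option boils down to one loop: read the host's current state, diff it against a declared manifest, and emit only the changes needed. The block below is an added example of that loop (it is not code from the answer, nor from puppet, chef or cfengine); the /etc/passwd snapshot, the authorized_keys content, the public keys and the account manifest are all constructed, and it assumes Debian/Ubuntu-style user-private groups so that `-g name` exists after `useradd -m`.

```python
"""Desired-state account management: the diff-and-apply loop a config
management tool runs per host. Added example; every input is constructed."""
import re
import shlex
from dataclasses import dataclass

# Constructed: what one managed host currently has.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:Dev User:/home/user:/bin/bash
olduser:x:1001:1001:Departed:/home/olduser:/bin/bash
"""
# Constructed public keys (fake base64 bodies, shaped like real ones).
KEY_USER_HOME = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORILLUSTRATIONONLY000000000 user@home"
KEY_USER_WORK = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORILLUSTRATIONONLY111111111 user@work"
KEY_DEPLOY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORILLUSTRATIONONLY222222222 deploy@ci"
SAMPLE_AUTHORIZED_KEYS = {"user": KEY_USER_HOME + "\n"}  # current authorized_keys per user


@dataclass
class Account:
    name: str
    uid: int
    keys: list
    shell: str = "/bin/bash"


# The manifest: what every managed host should have (constructed).
DESIRED = [
    Account("user", 1000, [KEY_USER_HOME, KEY_USER_WORK]),
    Account("deploy", 1002, [KEY_DEPLOY]),
]
MANAGED_REMOVALS = {"olduser"}  # accounts we once created and now retire

_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
_KEY_RE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/]+=*( [A-Za-z0-9@._+-]+)?$"
)


def parse_passwd(text):
    """Return {name: (uid, shell)} from /etc/passwd-format text."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        entries[name] = (int(uid), shell)
    return entries


def validate(desired):
    """Reject a bad manifest before any host is touched."""
    uids = set()
    for acct in desired:
        if not _NAME_RE.match(acct.name):
            raise ValueError(f"bad user name {acct.name!r}")
        if not 1000 <= acct.uid < 60000 or acct.uid in uids:
            raise ValueError(f"bad or duplicate uid {acct.uid} for {acct.name}")
        uids.add(acct.uid)
        for key in acct.keys:
            if not _KEY_RE.match(key):
                raise ValueError(f"malformed public key for {acct.name}")


def plan(desired, removals, passwd_text, current_keys):
    """Diff the manifest against one host's state; return actions, change nothing."""
    validate(desired)
    present = parse_passwd(passwd_text)
    actions = []
    for acct in desired:
        if acct.name not in present:
            actions.append(("useradd", acct.name, acct.uid, acct.shell))
        elif present[acct.name][0] != acct.uid:
            # Same name, different uid: never "fix" silently, it would re-own files.
            actions.append(("conflict", acct.name, present[acct.name][0], acct.uid))
            continue
        have = set(current_keys.get(acct.name, "").splitlines())
        if have != set(acct.keys):
            actions.append(("authorized_keys", acct.name, sorted(acct.keys)))
    for name in sorted(removals):
        if name in present:
            actions.append(("lock", name))  # lock rather than delete; keep the home dir for audit
    return actions


def render_shell(actions):
    """Turn actions into idempotent commands to run as root on the host."""
    conflicts = [a[1] for a in actions if a[0] == "conflict"]
    if conflicts:
        raise RuntimeError("uid conflict, refusing to generate script: " + ", ".join(conflicts))
    lines = ["set -eu"]
    for act in actions:
        if act[0] == "useradd":
            _, name, uid, shell = act
            lines.append(f"id {name} >/dev/null 2>&1 || useradd -m -u {uid} -s {shell} {name}")
        elif act[0] == "authorized_keys":
            _, name, keys = act
            lines.append(f"install -d -m 700 -o {name} -g {name} /home/{name}/.ssh")
            quoted = " ".join(shlex.quote(k) for k in keys)
            lines.append(f"printf '%s\\n' {quoted} > /home/{name}/.ssh/authorized_keys")
            lines.append(f"chmod 600 /home/{name}/.ssh/authorized_keys && chown {name}:{name} /home/{name}/.ssh/authorized_keys")
        elif act[0] == "lock":
            lines.append(f"usermod -L -s /usr/sbin/nologin {act[1]}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_shell(plan(DESIRED, MANAGED_REMOVALS, SAMPLE_PASSWD, SAMPLE_AUTHORIZED_KEYS)))
```

Running `plan` against a host that already matches the manifest returns no actions, which is the property that makes it safe to run on every host on every run; a uid clash is surfaced and aborts the script rather than being papered over, since silently changing a uid changes who owns existing files.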

For smaller/simpler deployments, a project called Internet Account Replication (IAR) could help. It has a simple server-client architecture and synchronises the credentials using SSH.

  • Interesting, though I notice no activity for a while? Though based on the idea, I'm pondering distributing files for nss-extrausers using synctool or similar: http://walterdejong.github.io/synctool/ – Steve Dee Sep 12 '18 at 17:42

I would also add to Zoredache's answer that NIS is not the way to go for anything used by more than a few people or including any public access. There are quite a few quirks to NIS, and it's very easy to introduce significant security risks with NIS.

I've seen implementations where the password hashes are included in the passwd user mappings.

It's also rather easy to inject a malicious server onto an NIS network that is broadcasting. This is especially hazardous with the password hashes included in the passwd map. Install an Ubuntu box, apt-get install nis, and you're in and can get a list of users on the network.
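
The first thing to check on an existing NIS deployment is therefore whether the passwd map itself carries hashes. The block below is an added example (not code from this answer) of that check run over a dump: it expects the 7-field colon-separated format that `ypcat passwd` prints, the sample map is constructed with fake hash strings, and nothing in it talks to a NIS server. It flags entries whose second field is a crypt(3)-style hash instead of a shadow placeholder, entries with an empty password field, and uid 0 accounts other than root.

```python
"""Audit a NIS passwd map dump for exposed password hashes.
Added example; the map text below is constructed, the hashes are fake."""
import re

# Constructed sample map in ypcat passwd format; hash strings are fake but shaped like crypt(3) output.
SAMPLE_MAP = """\
alice:$6$c0nstructed$FAKEHASHBODYFAKEHASHBODYFAKEHASHBODYFAKEHASHBODYFAKEHASHBODYFAKEHASHB0DY:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:*:1003:100:Carol:/home/carol:/usr/sbin/nologin
svc_backup:abCDefGHijKLm:1004:100:backup:/var/backup:/bin/sh
dave:!!:1005:100:Dave:/home/dave:/bin/bash
op2::0:0:second root:/root:/bin/bash
"""

# Values meaning "the secret lives elsewhere (shadow/adjunct map)" or "login disabled".
PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "NP", "*NP*"}
# Modular-crypt prefixes ($1$ md5, $5$/$6$ sha-crypt, $7$ scrypt, $2?$ bcrypt, $y$/$gy$ yescrypt)
# and the 13-character traditional DES form.
CRYPT_RE = re.compile(r"^\$(?:1|5|6|7|y|gy|2[abxy]?)\$|^[./0-9A-Za-z]{13}$")


def classify_password_field(value):
    """Say what the second passwd field holds: shadowed, empty, hash or unknown."""
    if value in PLACEHOLDERS:
        return "shadowed"
    if value == "":
        return "empty"
    if CRYPT_RE.match(value):
        return "hash"
    return "unknown"


def audit(map_text):
    """Return (user, finding) pairs for every risky entry in a passwd map dump."""
    findings = []
    for lineno, line in enumerate(map_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        kind = classify_password_field(pw)
        if kind == "hash":
            findings.append((name, "password hash exposed in map"))
        elif kind == "empty":
            findings.append((name, "empty password field"))
        elif kind == "unknown":
            findings.append((name, "unrecognised password field"))
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 account besides root"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_MAP):
        print(f"{user}: {finding}")
```

A clean map produces an empty list; any "password hash exposed in map" finding means every host that can bind to the domain can read that hash, which is exactly the exposure the answer describes.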


Solving this problem is what NIS was invented for.

Ansgar Wiechers
  • Well, yes. It may have been invented for that. But the 1980s called and they want their directory service back. – Magellan Sep 13 '12 at 23:36