From: Matthew Dillon
Date: Thu, 25 Mar 1999 10:33:39 -0800 (PST)
To: Andrew Hobson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
Message-Id: <199903251833.KAA00915@apollo.backplane.com>
References: <199903250426.UAA68023@apollo.backplane.com>

:> us to configure a crypted root password in the password file
:> good for logging into the console, but useless if stolen and
:> decrypted. All other accounts have '*' for their password (
:> i.e. ssh+kerberos logins only).
:
:How do you handle updating the password files on all machines when you
:need to add or remove a user? Do you have any automated process?
:
:Drew

Well, the provisioning for customer accounts is totally automated using
code I wrote for BEST.

Provisioning for administrative accounts is easy. We do it by hand.
Most employees only have access to one administrative machine. Employees
are given access to other peripheral machines depending on their job.
Except for the one employee machine, these accounts do not have home
directories and the password field is '*' (i.e. kerberos/ssh-only
access). Access is controlled through kerberos.

-Matt
Matthew Dillon
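
An audit of the policy described in this message (root keeps a crypted console password, every other account has '*' in the password field), as an added example that is not part of the original message. The function name, the sample entries and the choice of root as the only console account are assumptions; the 10-field layout is FreeBSD's master.passwd format.

```python
# Added example: check master.passwd-style entries against the
# "'*' for everyone but root" policy. All sample data is constructed.
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")

# Constructed sample input (hash strings are placeholders, not real hashes).
SAMPLE = """\
# constructed sample, not from the original message
root:$2b$04$constructedhashvalue:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001::0:0:Alice Admin:/nonexistent:/bin/sh
bob:$1$constructed$hash:1002:1002::0:0:Bob Ops:/nonexistent:/bin/sh
carol::1003:1003::0:0:Carol:/nonexistent:/bin/sh
broken:line
"""


def audit_master_passwd(text, console_accounts=("root",)):
    """Return a list of (line_no, account, problem) policy violations."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            findings.append((line_no, parts[0], "malformed entry"))
            continue
        entry = dict(zip(FIELDS, parts))
        name, pw = entry["name"], entry["password"]
        if pw == "":
            # An empty field means no password is required at all.
            findings.append((line_no, name, "empty password field"))
        elif name in console_accounts:
            if pw == "*":
                findings.append((line_no, name, "console account has no usable password"))
        elif pw != "*":
            # Anything other than '*' is a local hash that could be stolen.
            findings.append((line_no, name, "local password hash present"))
    return findings


if __name__ == "__main__":
    for line_no, name, problem in audit_master_passwd(SAMPLE):
        print(f"line {line_no}: {name}: {problem}")
```
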