From owner-freebsd-security Thu Mar 25 10:45:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from computer.eng.mindspring.net (computer.eng.mindspring.net [207.69.192.185]) by hub.freebsd.org (Postfix) with ESMTP id C106515045 for ; Thu, 25 Mar 1999 10:45:34 -0800 (PST) (envelope-from ahobson@computer.eng.mindspring.net)
Received: (from ahobson@localhost) by computer.eng.mindspring.net (8.9.1/8.8.4) id NAA10891; Thu, 25 Mar 1999 13:45:10 -0500 (EST)
From: Andrew Hobson
To: Matthew Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <199903250426.UAA68023@apollo.backplane.com> <199903251833.KAA00915@apollo.backplane.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: 25 Mar 1999 13:45:10 -0500
In-Reply-To: Matthew Dillon's message of "Thu, 25 Mar 1999 10:33:39 -0800 (PST)"
Message-ID:
Lines: 23
User-Agent: Gnus/5.070079 (Pterodactyl Gnus v0.79) XEmacs/21.0(beta65) (20)

Matthew Dillon said:

> Provisioning for administrative accounts is easy. We do it by hand.
> Most employees only have access to one administrative machine. Employees
> are given access to other peripheral machines depending on their job.
> Except for the one employee machine, these accounts do not have home
> directories and the password field is '*' ( i.e. kerberos/ssh-only
> access ). Access is controlled through kerberos.

At work we have about a hundred machines and we access them via kerberos. Admins have accounts on all boxes. If we need to add or remove a user, it's a bit of a pain to manually update the password file on every machine. We're a bit concerned about doing it automatically, because if something goes wrong, /etc/passwd might be corrupted or nonexistent. I'm not a big fan of NIS.

I'm sure we can come up with an automated solution that will be reasonably safe, but I was wondering how other people solved this problem.
Drew