From owner-freebsd-isp Wed Mar 4 12:34:56 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA20172 for freebsd-isp-outgoing; Wed, 4 Mar 1998 12:34:56 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG) Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [141.39.224.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA20114 for ; Wed, 4 Mar 1998 12:34:49 -0800 (PST) (envelope-from bs@devnull.ruhr.de) Received: (from admin@localhost) by mail.ruhrgebiet.individual.net (8.8.5-r-beta/8.8.5) with UUCP id VAA14635; Wed, 4 Mar 1998 21:11:08 +0100 (MET) Received: from rm.devnull.ruhr.de [192.168.22.75] by devnull.ruhr.de with smtp (Exim 1.73 #1) id 0yABvE-0000L1-00; Wed, 4 Mar 1998 12:01:12 +0100 Received: from bs by rm.devnull.ruhr.de with local (Exim 1.73 #1) id 0yAC3M-0000FE-00; Wed, 4 Mar 1998 12:09:36 +0100 To: "Greg Stringfellow" Cc: Subject: Re: Distributed Passwords References: <000601bd4627$08d83d60$a8fde6cd@maverick.prismnet.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit From: Benedikt Stockebrand Date: 04 Mar 1998 12:09:35 +0100 In-Reply-To: "Greg Stringfellow"'s message of "Mon, 2 Mar 1998 16:03:29 -0600" Message-ID: <8790qqyaog.fsf@devnull.ruhr.de> Lines: 65 X-Mailer: Gnus v5.5/XEmacs 20.3 - "Vatican City" Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Greg Stringfellow" writes: > Used to be, when I had 500 customers my simple scripts for passing password > information via SSH from computer to computer worked great. Now that I've > got a few more customers (just one or two:) I want to either find possible a > better alternative to copying or maybe better scripts before I go and > re-invent the wheel. What about a multi-level update? The main box sends it to some secondary machines each of which forwards it to another set of machines. > Only problem with this method is that you have only a single point > to change passwd information. No good if that machine goes down. That's not too much of a problem compared to NIS or such: True enough, people can't change their passwords then, but otherwise the remaining machines stay up. If you do that multilevel approach each "leaf" machine could receive its update from two (or even more) of the secondaries. Even if one of the secondaries fails all leaves are properly updated. > I've though about NIS, but it seems like I could be burned reall good with > this one. Yes. Read some specs, use a packet sniffer and you'll immediately uninstall it. NIS is a Good Thing[TM] in a highly cooperative environment where you don't really expect any malicious activities. Everywhere else you better stay away from it. > So I was hoping that maybe somebody here might have some suggestions or > examples they could share on this subject. No examples, sorry. > Are there other secure > alternatives to copying the master.passwd file between all machine? Suns NIS+ appears to be a good one. Unfortunately it doesn't seem to be supported by any system except Solaris... > Does > somebody have a turnkey script they would like to share? No, sorry. But one more note about that approach above: If you don't want an unprotected ~root/.ssh/identity on your master machine it helps to initiate the transfer from a "top security" machine where users can't log in. Something like that: 1. secure machine (with unprotected ~rot/.ssh/identity but no regular users) copies /etc/*passwd* from the main machine. 2. secure machine forwards the copied /etc/*passwd* to the secondaries. 3. the secondaries forward the files to the leaf machines. But this may be a bit too paranoid already. Ben -- Ben(edikt)? Stockebrand --- Un*x system administrator looking for a job To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message