From owner-freebsd-security Thu Mar 25 5:35:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from computer.eng.mindspring.net (computer.eng.mindspring.net [207.69.192.185])
        by hub.freebsd.org (Postfix) with ESMTP id F20A614BDB
        for ; Thu, 25 Mar 1999 05:35:49 -0800 (PST)
        (envelope-from ahobson@computer.eng.mindspring.net)
Received: (from ahobson@localhost)
        by computer.eng.mindspring.net (8.9.1/8.8.4) id IAA08947;
        Thu, 25 Mar 1999 08:35:30 -0500 (EST)
From: Andrew Hobson
To: freebsd-security@freebsd.org
Subject: Re: Kerberos vs SSH
References: <199903250426.UAA68023@apollo.backplane.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: 25 Mar 1999 08:35:29 -0500
In-Reply-To: Matthew Dillon's message of "Wed, 24 Mar 1999 20:26:12 -0800 (PST)"
Message-ID:
Lines: 20
User-Agent: Gnus/5.070079 (Pterodactyl Gnus v0.79) XEmacs/21.0(beta65) (20)

Matthew Dillon said:

> This is what BEST.COM does. We also disallow passworded root
> logins except on the console (even w/ ssh), and use the
> kerberos 'ksu' command to control access to root. This allows
> us to configure a crypted root password in the password file
> good for logging into the console, but useless if stolen and
> decrypted. All other accounts have '*' for their password
> (i.e. ssh+kerberos logins only).

How do you handle updating the password files on all machines when you
need to add or remove a user? Do you have any automated process?

Drew
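
An added example, not part of the original message or of BEST.COM's tooling: a check that a host matches the policy quoted above, with '*' in the password field of every account except root and no tty other than the console marked "secure" in /etc/ttys. The sample master.passwd and ttys contents are constructed, and treating "console" and "ttyv0" as the console is an assumption.

```python
import shlex

# Constructed sample data (not from the original post).
MASTER_PASSWD = """\
root:$1$constructed$hashhashhashhashhashha:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:*:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:$1$constructed$leftoverleftoverleftov:1002:1002::0:0:Bob Example:/home/bob:/bin/sh
"""
TTYS = """\
# name  getty                         type    status
console none                          unknown off secure
ttyv0   "/usr/libexec/getty Pc"       cons25  on  secure
ttyd0   "/usr/libexec/getty std.9600" dialup  on  secure
ttyp0   none                          network
"""

def audit_passwd(text):
    """Return non-root accounts whose password field is not '*'."""
    bad = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a passwd entry
        name, pw = fields[0], fields[1]
        # Only root may carry a crypted password (usable at the console).
        if name != "root" and pw != "*":
            bad.append(name)
    return bad

def audit_ttys(text, console_ttys=("console", "ttyv0")):
    """Return ttys flagged 'secure' (root may log in) that are not the console."""
    bad = []
    for line in text.splitlines():
        tokens = shlex.split(line.split("#", 1)[0])  # drop comments, honor quotes
        # Fields: name, getty command, terminal type, then status flags.
        if len(tokens) >= 4 and "secure" in tokens[3:] and tokens[0] not in console_ttys:
            bad.append(tokens[0])
    return bad

if __name__ == "__main__":
    print("accounts with a usable password:", audit_passwd(MASTER_PASSWD))
    print("non-console ttys allowing root:", audit_ttys(TTYS))
```

Run against each machine's files after a password-file update, a non-empty result from either function means that host has drifted from the policy.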