From owner-freebsd-security Thu Mar 25 10:51:31 1999
Date: Thu, 25 Mar 1999 10:50:47 -0800 (PST)
From: Matthew Dillon
Message-Id: <199903251850.KAA01406@apollo.backplane.com>
To: Andrew Hobson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <199903250426.UAA68023@apollo.backplane.com> <199903251833.KAA00915@apollo.backplane.com>

:
:On Thu, 25 Mar 1999 10:33:39 -0800 (PST), Matthew Dillon said:
:
:>     Provisioning for administrative accounts is easy.  We do it by hand.
:>     Most employees only have access to one administrative machine.  Employees
:>     are given access to other peripheral machines depending on their job.
:>     Except for the one employee machine, these accounts do not have home
:>     directories and the password field is '*' ( i.e. kerberos/ssh-only
:>     access ).  Access is controlled through kerberos.
:
:At work we have about a hundred machines and we access them via
:kerberos.  Admins have accounts on all boxes.  If we need to add or
:remove a user, it's a bit of a pain to manually update the password
:file on every machine.
:
:We're a bit concerned about doing it automatically, because if
:something goes wrong, /etc/passwd might be corrupted or nonexistent.
:I'm not a big fan of NIS.
:
:I'm sure we can come up with an automated solution that will be
:reasonably safe, but I was wondering how other people solved this
:problem.
:
:Drew

    It's pretty easy to write a script to manipulate the password file,
    especially if you are not entering any encrypted passwords ( i.e.
    leaving that field '*' ).  If you are worried about messing it up,
    just have cron back up the password file once a day or something like
    that.

    -Matt
    Matthew Dillon
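
An added example, not part of the original message or any poster's script: one way to make the kind of password-file edit discussed above fail safe, by building the change in a temporary copy, validating it, and only then backing up and renaming it over the original. The function names, the /nonexistent home directory and the /bin/sh shell are assumptions, and the functions work on whatever master.passwd-format file path they are given.

```sh
#!/bin/sh
# Added example. master.passwd layout (10 colon-separated fields):
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell

# check_passwd FILE: succeed only if FILE is non-empty, every entry has 10
# fields, a sane name, numeric uid/gid, no duplicate names, and root exists.
check_passwd() {
    [ -s "$1" ] || return 1
    awk -F: '
        /^#/ { next }
        NF != 10 || $1 !~ /^[A-Za-z_][A-Za-z0-9_.-]*$/ ||
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ || seen[$1]++ { bad = 1 }
        $1 == "root" { root = 1 }
        END { exit (bad || !root) }
    ' "$1"
}

# commit_passwd FILE TMP: back up FILE and rename TMP over it, but only if
# TMP validates; otherwise discard TMP and leave FILE untouched.
commit_passwd() {
    if check_passwd "$2"; then
        cp -p "$1" "$1.bak" && mv -f "$2" "$1"
    else
        echo "edit rejected, $1 unchanged" >&2
        rm -f "$2"
        return 1
    fi
}

# add_user FILE NAME UID GID GECOS: password field '*', no real home directory.
add_user() {
    tmp="$1.tmp.$$"
    cp -p "$1" "$tmp" || return 1      # cp -p keeps the original owner and mode
    printf '%s:*:%s:%s::0:0:%s:/nonexistent:/bin/sh\n' "$2" "$3" "$4" "$5" >> "$tmp"
    commit_passwd "$1" "$tmp"
}

# del_user FILE NAME: drop the entry; removing root fails validation.
del_user() {
    tmp="$1.tmp.$$"
    cp -p "$1" "$tmp" || return 1
    awk -F: -v u="$2" '$1 != u' "$1" > "$tmp"
    commit_passwd "$1" "$tmp"
}
# On a live FreeBSD host the edited file would then be handed to
# pwd_mkdb -p, which this example does not run.
```

Because the new entry is validated as part of the whole file, a duplicate name, a non-numeric uid, or a ':' smuggled into the GECOS argument all cause the edit to be dropped rather than written.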