From owner-freebsd-security Thu Mar 25 10:58:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rapidsite.net (mail.rapidsite.net [207.158.192.62]) by hub.freebsd.org (Postfix) with SMTP id 0D53214DF0 for ; Thu, 25 Mar 1999 10:58:41 -0800 (PST) (envelope-from gryphon@intech.net)
Received: from gw1.hway.net (207.158.192.37) by mail.rapidsite.net (RS ver 1.0.2) with SMTP id 607; Thu, 25 Mar 1999 13:58:16 -0500 (EST)
Message-ID: <36FA884F.B2554229@intech.net>
Date: Thu, 25 Mar 1999 14:02:39 -0500
From: Coranth Gryphon
Reply-To: gryphon@hway.net
X-Mailer: Mozilla 4.08 [en] (WinNT; I)
MIME-Version: 1.0
To: Andrew Hobson
Cc: Matthew Dillon , freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
References: <199903250426.UAA68023@apollo.backplane.com> <199903251833.KAA00915@apollo.backplane.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Loop-Detect: 1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> At work we have about a hundred machines and we access them via
> kerberos. Admins have accounts on all boxes. If we need to add or
> remove a user, it's a bit of a pain to manually update the password
> file on every machine.
>
> We're a bit concerned about doing it automatically, because if
> something goes wrong, /etc/passwd might be corrupted or nonexistent.
> I'm not a big fan of NIS.

That 'doing something wrong' is always a concern, but very often the
only solution is one where things entail some risk. If you can reduce
that risk to being only "code is written properly", then that's about
the best you can hope for.

We have a similar setup. What we use for remote password maintenance is
actually a three-step process.

First, all login information is stored in a single secure repository
(we use a SQL database on a carefully monitored machine). A single
interface allows you to change the configuration information that gets
distributed from this central source. This could just as easily be
stored in flat files or by some other means.

Then we have a program that generates the correct /etc/* files based
upon information stored in the repository. This is a pretty
straightforward script, the results of which can easily be verified.

Finally, we use ssh/scp to distribute the generated files to the
correct machines.

If you can figure out how to represent the information you want to
dist (i.e. the source data model), then the rest is fairly
straightforward.

-coranth

---------------------------------------+----------------------------
Coranth Gryphon                        | Work Phone: 561-912-2497
Chief Architect, Hiway Technologies    | #include
---------------------------------------+----------------------------
When all else fails, do the impossible.