From owner-freebsd-security  Fri Mar 26  2:58:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121])
	by hub.freebsd.org (Postfix) with ESMTP id DDECD14EA1
	for <freebsd-security@FreeBSD.ORG>; Fri, 26 Mar 1999 02:58:05 -0800 (PST)
	(envelope-from narvi@haldjas.folklore.ee)
Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged))
          by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP
	  id MAA06926; Fri, 26 Mar 1999 12:57:40 +0200 (EET)
Date: Fri, 26 Mar 1999 12:57:40 +0200 (EET)
From: Narvi <narvi@haldjas.folklore.ee>
To: Andrew Hobson <ahobson@eng.mindspring.net>
Cc: Matthew Dillon <dillon@apollo.backplane.com>,
	freebsd-security@FreeBSD.ORG
Subject: Re: Kerberos vs SSH
In-Reply-To: <kjg16ttnm1.fsf@computer.eng.mindspring.net>
Message-ID: <Pine.BSF.3.96.990326125648.5291A-100000@haldjas.folklore.ee>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


On 25 Mar 1999, Andrew Hobson wrote:

> On Thu, 25 Mar 1999 10:33:39 -0800 (PST), Matthew Dillon <dillon@apollo.backplane.com> said:
> 
> >     Provisioning for administrative accounts is easy.  We do it by hand.
> >     Most employees only have access to one administrative machine.  Employees
> >     are given access to other peripheral machines depending on their job.
> >     Except for the one employee machine, these accounts do not have home
> >     directories and the password field is '*' ( i.e. kerberos/ssh-only
> >     access ).  Access is controlled through kerberos.
> 
> At work we have about a hundred machines and we access them via
> kerberos.  Admins have accounts on all boxes.  If we need to add or
> remove a user, it's a bit of a pain to manually update the password
> file on every machine.
> 
> We're a bit concerned about doing it automatically, because if
> something goes wrong, /etc/passwd might be corrupted or nonexistant.
> I'm not a big fan of NIS.
> 
> I'm sure we can come up with an automated solution that will be
> reasonably safe, but I was wondering how other people solved this
> problem.

You might have a look at Hesiod. I have considered it once or twice, but
have never had the time to implement it. 

There is a port in the ports collection

> 
> Drew
> 
	Sander

	There is no love, no good, no happiness and no future -
	all these are just illusions.





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message