Date: Mon, 13 Aug 2001 11:30:25 +1000
From: Greg Black
To: "diesel"
Cc: "'Jonathan M. Slivko'", "'Erik Sabowski'", freebsd-stable@FreeBSD.ORG
Subject: Re: Any way to have multiple machines share a single passwd file?

"diesel" wrote:

| You should check out the latest article on http://bsdvault.net . It
| details how to set up a password push to all your hosts from a master
| host.

That article does not give very useful advice, since the scripts it shows explicitly manage only /etc/master.passwd -- and that file has no control at all over who can log in. If the bad guys have compromised the real password file (/etc/spwd.db), then it won't help at all. For this to be useful, it should also make sure to regenerate /etc/spwd.db or take some other step to ensure it is in sync with the master.passwd file.

The other problem that it ignores is legitimate password changes by users on the "protected" hosts -- these will be clobbered by the method shown.

Back to the drawing board, I think.

And this is off-topic for this list. Take it to questions if there's more to be said.
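
Added example, not part of the original message or of the bsdvault.net article: a receiving-host install step that covers both gaps named above, refusing to overwrite local password changes and rebuilding /etc/spwd.db through pwd_mkdb(8). The function name, the "last pushed" copy and the PWD_MKDB override are assumptions made for illustration; the -C, -p and -d options are those of pwd_mkdb in current FreeBSD.

```shell
#!/bin/sh
# Added example: receiving-host side of a password push on FreeBSD.
# The "last pushed" copy and all paths are assumptions, not the article's.

PWD_MKDB="${PWD_MKDB:-pwd_mkdb}"   # overridable so it can be exercised off FreeBSD

# install_pushed_passwd NEW CURRENT LAST_PUSHED [DBDIR]
#   NEW          file just received from the master host
#   CURRENT      live master.passwd (normally /etc/master.passwd)
#   LAST_PUSHED  copy of the file installed by the previous push
#   DBDIR        directory holding pwd.db and spwd.db (normally /etc)
# Returns 0 on install, 2 if local changes would be clobbered,
# 3 if NEW is malformed, 4 if the copy or rebuild failed.
install_pushed_passwd() {
    new=$1 current=$2 last=$3 dbdir=${4:-/etc}

    # passwd(1) and chpass(1) rewrite CURRENT, so any difference from the
    # last pushed copy means something was changed on this host.
    if [ -f "$last" ] && ! cmp -s "$current" "$last"; then
        echo "local changes in $current; refusing to overwrite" >&2
        return 2
    fi

    # -C only checks the file format and modifies nothing.
    "$PWD_MKDB" -C "$new" || return 3

    # Work on a private copy inside DBDIR: pwd_mkdb moves its input file
    # into place as master.passwd.
    tmp=$(mktemp "$dbdir/master.passwd.push.XXXXXX") || return 4
    cp -p "$new" "$tmp" && chmod 600 "$tmp" || { rm -f "$tmp"; return 4; }

    # Rebuilds pwd.db and spwd.db (the databases logins are checked
    # against), regenerates passwd (-p) and installs master.passwd.
    "$PWD_MKDB" -p -d "$dbdir" "$tmp" || { rm -f "$tmp"; return 4; }

    # Remember what was installed so the next push can detect local edits.
    cp -p "$new" "$last"
}
```

A return of 2 is the signal to merge the local change back to the master host before pushing again, rather than forcing the overwrite.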