From owner-freebsd-security@FreeBSD.ORG  Tue May 27 12:02:37 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B4A0437B401
	for <FreeBSD-Security@FreeBSD.org>;
	Tue, 27 May 2003 12:02:37 -0700 (PDT)
Received: from pimout4-ext.prodigy.net (pimout4-ext.prodigy.net
	[207.115.63.103])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DB2E743F3F
	for <FreeBSD-Security@FreeBSD.org>;
	Tue, 27 May 2003 12:02:34 -0700 (PDT)
	(envelope-from metrol@metrol.net)
Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9])
	h4RJ2Wl8020516
	for <FreeBSD-Security@FreeBSD.org>; Tue, 27 May 2003 15:02:33 -0400
From: Michael Collette <metrol@metrol.net>
To: FreeBSD Security <FreeBSD-Security@FreeBSD.org>
Date: Tue, 27 May 2003 12:01:40 -0700
User-Agent: KMail/1.5.2
References: <XFMail.20030527143041.ah60@httpsite.com>
In-Reply-To: <XFMail.20030527143041.ah60@httpsite.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200305271201.40742.metrol@metrol.net>
Subject: Re: multihost master.passwd sync
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2003 19:02:38 -0000

On Tuesday 27 May 2003 11:30 am, Andy Harrison wrote:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> On 27-May-2003, Amit K. Rao wrote message "Re: multihost master.passwd
> sync" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> > NIS  [yp(8)]  ?
>
> Lord no...  even if you setup a backup nis server, an ailing master server
> can really screw up your day.
>
> I think I thought of a solution though.  root cronjob to pgp encrypt the
> file, change perms so that it can be accessed by a user that is allowed to
> copy the file to the target host.  The file is in encrypted using the
> public key of root the target machine, so only root on the target will be
> able to pgp extract the file.

Why not just preconfigure SSH keys between the boxes and scp the file across?  
Seems like a lot of extra work to bring PGP into the mix.

Personally, I'm real curious about utilizing an LDAP backend to replace NIS.  
Read a bit about it, but haven't had a chance to play with it just yet.  It 
sounds like a far more elegant solution for what you're looking to do as 
well.  Assuming it all works as advertised that is.

Later on,
-- 
"Always listen to experts.  They'll tell you what can't be done, and why.  
Then do it."
- Robert A. Heinlein