From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:11:04 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49CCC37B405 for ; Tue, 27 May 2003 12:11:04 -0700 (PDT) Received: from pimout4-ext.prodigy.net (pimout4-ext.prodigy.net [207.115.63.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8527843F3F for ; Tue, 27 May 2003 12:11:03 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h4RJB2l8045814 for ; Tue, 27 May 2003 15:11:02 -0400 From: Michael Collette To: FreeBSD Security Date: Tue, 27 May 2003 12:10:14 -0700 User-Agent: KMail/1.5.2 References: <200305271201.40742.metrol@metrol.net> <3ED3B6D8.8000103@centtech.com> In-Reply-To: <3ED3B6D8.8000103@centtech.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305271210.14893.metrol@metrol.net> Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:11:04 -0000 On Tuesday 27 May 2003 12:04 pm, Eric Anderson wrote: > Michael Collette wrote: > > On Tuesday 27 May 2003 11:30 am, Andy Harrison wrote: > > [..snip..] > > >>>NIS [yp(8)] ? > >> > >>Lord no... even if you setup a backup nis server, an ailing master > >> server can really screw up your day. > >> > >>I think I thought of a solution though. root cronjob to pgp encrypt the > >>file, change perms so that it can be accessed by a user that is allowed > >> to copy the file to the target host. The file is in encrypted using the > >> public key of root the target machine, so only root on the target will > >> be able to pgp extract the file. > > > > Why not just preconfigure SSH keys between the boxes and scp the file > > across? Seems like a lot of extra work to bring PGP into the mix. > > > > Personally, I'm real curious about utilizing an LDAP backend to replace > > NIS. Read a bit about it, but haven't had a chance to play with it just > > yet. It sounds like a far more elegant solution for what you're looking > > to do as well. Assuming it all works as advertised that is. > > I've started this exact process - replacing my NIS gunk with LDAP.. Not > too far through yet, but I'll try to keep good notes for anyone else who > may want them.. > > Eric FYI, O'Reilley has a fairly new book out concerning this topic. I've only scratched the surface of it thus far, but it's the best I've seen on this topic thus far. I was doing some real serious shopping for an LDAP book a couple of months ago. Anyhow, what I'm talking about... http://www.oreilly.com/catalog/ldapsa/ Later on, -- "Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. Heinlein