From owner-freebsd-security@FreeBSD.ORG Tue May 27 12:22:21 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A59FA37B401 for ; Tue, 27 May 2003 12:22:21 -0700 (PDT) Received: from pimout3-ext.prodigy.net (pimout3-ext.prodigy.net [207.115.63.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0811B43F75 for ; Tue, 27 May 2003 12:22:21 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h4RJMJJ9014316 for ; Tue, 27 May 2003 15:22:19 -0400 From: Michael Collette To: FreeBSD Security Date: Tue, 27 May 2003 12:21:32 -0700 User-Agent: KMail/1.5.2 References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305271221.32061.metrol@metrol.net> Subject: Re: multihost master.passwd sync X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2003 19:22:22 -0000 On Tuesday 27 May 2003 12:10 pm, Andy Harrison wrote: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > On 27-May-2003, Michael Collette wrote message "Re: multihost master.passwd > sync" > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > Why not just preconfigure SSH keys between the boxes and scp the file > > across? Seems like a lot of extra work to bring PGP into the mix. > > Because we don't allow root login remotely, mandated from above. Assuming both machines have their clocks sync'd, two crons. One to pass the file across via an admin/non-root user. The second cron to move the file, change permissions and whatever else you need to do. Just a thought. I tend to do fair amount of scp kind of stuff, so I'm just rather partial to it is all. > > Personally, I'm real curious about utilizing an LDAP backend to replace > > NIS. Read a bit about it, but haven't had a chance to play with it just > > yet. It sounds like a far more elegant solution for what you're looking > > to do as well. Assuming it all works as advertised that is. > > The problem is that while it allows authentication, it doesn't integrate > seamlessly allowing you to own files as a user that only exists in the > ldap. I'm really curious as to what you mean by this. Like I said, I've only scratched the surface concerning LDAP authentication. What doesn't integrate? I thought that was the PAM_LDAP port was supposed to handle? If you get the chance, I'd really appreciate a fuller description of why LDAP isn't a suitable solution for you. I'm trying to get a better handle on the pros and cons of that approach. Later on, -- "Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. Heinlein