From owner-freebsd-net Wed Feb 24 13:25:47 1999
Delivered-To: freebsd-net@freebsd.org
Received: from samizdat.uucom.com (samizdat.uucom.com [198.202.217.54]) by hub.freebsd.org (Postfix) with ESMTP id 91179114C8 for ; Wed, 24 Feb 1999 13:22:03 -0800 (PST) (envelope-from cshenton@uucom.com)
Received: (from cshenton@localhost) by samizdat.uucom.com (8.9.1/8.9.0) id KAA18213; Wed, 24 Feb 1999 10:36:18 -0500
To: GVB
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: RADIUS Solutions [synchronizing passwords across systems]
References: <4.1.19990223102105.00adb730@abused.com>
From: Chris Shenton
Date: 24 Feb 1999 10:36:18 -0500
In-Reply-To: GVB's message of Tue, 23 Feb 1999 10:23:16 -0800
Message-ID: <86lnhnu83x.fsf@samizdat.uucom.com>
Lines: 31
X-Mailer: Gnus v5.5/Emacs 20.2
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

GVB writes:

> I will be running two FreeBSD machines for Radius Authentication.
> Both using Meritt AAA and /etc/passwd for authentication. What is
> the best way to synchronize passwd files between the two systems
> immediately (or in 5 minute increments) upon user adds and password
> changes, etc. NIS? rsync? etc..

I have a somewhat similar situation: FreeBSD passwords on the account-creation system need to be synchronized between the www/ftp box, the smtp/pop/imap box, and the radius servers.

I wrote a script which uses "scp" to copy the master.password and group file into a temporary (secure) place on the target, then invokes makepwdb to convert that into the FreeBSD DB format. I run it from cron only once an hour at this point.

I wanted to run the password-pushing script when the user changed their password, but my changing mechanism is a web form calling a CGI which talks to poppassd. This means that the "user" which would be running the pusher is "www" -- so anyone who could reach my web server could invoke the script, not something I'm happy with; lots of room for abuse. That's why I just run it periodically out of root's cron.
I'm not entirely happy with this solution, but I wasn't too happy turning on NIS -- after avoiding it for five years. The FreeBSD NIS docs make it sound like they've taken great care over NIS-sharing password-oriented files, but still... I've been burned by NIS security problems too many times in the past. I'd welcome other suggestions...

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
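The push procedure the message above describes (scp the master password and group files into a root-only staging directory on the target, then rebuild the password database there), written out as a FreeBSD sh script. This is an added example, not Chris Shenton's own script. On FreeBSD the files are /etc/master.passwd and /etc/group, and the database rebuild is done with pwd_mkdb(8), which also installs the file it is given into /etc/master.passwd (the -p flag regenerates /etc/passwd as well). The script assumes root can ssh to each target with a key, and the SSH, SCP and SRC variables are hypothetical overrides so the pieces can be exercised without a network. The sanity checks before the copy and on the target (a root entry with uid 0 and a non-empty password field, a wheel group) are the additions a practitioner would want so that a truncated or half-written source file is never pushed out to every server; the restriction that it runs only from root's crontab, never from anything the www user can trigger, is the point made in the message.

```shell
#!/bin/sh
# push_passwd.sh: push /etc/master.passwd and /etc/group from the account
# master to one target host and rebuild the pw db there with pwd_mkdb(8).
# Added example, not the poster's script.  Run from root's crontab only.
set -eu
umask 077

SSH="${SSH:-ssh}"      # hypothetical overrides, so tests can substitute commands
SCP="${SCP:-scp}"
SRC="${SRC:-/etc}"     # directory holding master.passwd and group on the master

# Sanity-check a directory holding master.passwd and group before touching a
# target.  Returns 0 when the files look usable, 1 otherwise.
check_passwd_files() {
    dir="$1"
    [ -s "$dir/master.passwd" ] && [ -s "$dir/group" ] || return 1
    # root must exist with uid 0 and a non-empty (hashed or locked) password
    # field; an empty field would push out a passwordless root account.
    awk -F: '$1 == "root" && $3 == 0 && $2 != "" { ok = 1 }
             END { exit ok ? 0 : 1 }' "$dir/master.passwd" || return 1
    # the wheel group must survive or su(1) to root stops working
    awk -F: '$1 == "wheel" { ok = 1 } END { exit ok ? 0 : 1 }' "$dir/group" \
        || return 1
    return 0
}

# Commands to run as root on the target once the files are staged in $1:
# re-check the staged copies, install master.passwd next to the live one
# (pwd_mkdb renames it into place and rebuilds pwd.db/spwd.db; -p also
# regenerates /etc/passwd), install group, remove the staging directory.
remote_install_script() {
    tmp="$1"
    cat <<EOF
set -e
umask 077
grep -q '^root:' "$tmp/master.passwd" && grep -q '^wheel:' "$tmp/group"
install -o root -g wheel -m 600 "$tmp/master.passwd" /etc/master.passwd.new
pwd_mkdb -p /etc/master.passwd.new
install -o root -g wheel -m 644 "$tmp/group" /etc/group
rm -rf "$tmp"
EOF
}

# Push the files to one host.  The staging directory is created on the target
# with mktemp under umask 077, so only root there can read the copies.
push_passwd() {
    host="$1"
    if ! check_passwd_files "$SRC"; then
        echo "push_passwd: refusing to push, $SRC fails sanity check" >&2
        return 1
    fi
    tmp=$($SSH "root@$host" 'umask 077; mktemp -d /var/tmp/pwpush.XXXXXX')
    $SCP -q "$SRC/master.passwd" "$SRC/group" "root@$host:$tmp/"
    remote_install_script "$tmp" | $SSH "root@$host" sh
}

# Usage: push_passwd.sh target-host
if [ $# -eq 1 ]; then
    push_passwd "$1"
fi
```

Invoke it once per target from root's crontab (the message runs its equivalent hourly); nothing here should be reachable from a CGI running as www, which is exactly the abuse path the message avoids.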