From owner-freebsd-security@FreeBSD.ORG  Tue May 27 12:23:43 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0281837B401
	for <FreeBSD-Security@FreeBSD.org>;
	Tue, 27 May 2003 12:23:43 -0700 (PDT)
Received: from pimout3-ext.prodigy.net (pimout3-ext.prodigy.net
	[207.115.63.102])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EA6DC43F3F
	for <FreeBSD-Security@FreeBSD.org>;
	Tue, 27 May 2003 12:23:41 -0700 (PDT)
	(envelope-from metrol@metrol.net)
Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9])
	h4RJNeJ9030596
	for <FreeBSD-Security@FreeBSD.org>; Tue, 27 May 2003 15:23:41 -0400
From: Michael Collette <metrol@metrol.net>
To: FreeBSD Security <FreeBSD-Security@FreeBSD.org>
Date: Tue, 27 May 2003 12:22:53 -0700
User-Agent: KMail/1.5.2
References: <XFMail.20030527151057.ah60@httpsite.com>
	<3ED3BA9B.5020008@centtech.com>
In-Reply-To: <3ED3BA9B.5020008@centtech.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200305271222.53532.metrol@metrol.net>
Subject: Re: multihost master.passwd sync
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 May 2003 19:23:43 -0000

Hey, that was my post! :)

On Tuesday 27 May 2003 12:20 pm, Eric Anderson wrote:
> Andy Harrison wrote:
> >>Why not just preconfigure SSH keys between the boxes and scp the file
> >> across? Seems like a lot of extra work to bring PGP into the mix.
> >
> > Because we don't allow root login remotely, mandated from above.
>
> so you scp the file to a directory owned by a user designated to only do
> this function.. then have a cron job that fires up every so often that
> snags that file and updates the running master.passwd file..
>
> >>Personally, I'm real curious about utilizing an LDAP backend to replace
> >> NIS. Read a bit about it, but haven't had a chance to play with it just
> >> yet.  It sounds like a far more elegant solution for what you're looking
> >> to do as well.  Assuming it all works as advertised that is.
> >
> > The problem is that while it allows authentication, it doesn't integrate
> > seamlessly allowing you to own files as a user that only exists in the
> > ldap.
>
> Huh?  Explain more please..
>
> Eric

-- 
"Always listen to experts.  They'll tell you what can't be done, and why.  
Then do it."
- Robert A. Heinlein