Date: Wed, 24 Feb 1999 22:27:35 -0700
From: Wes Peters <wes@softweyr.com>
To: Chris Shenton <cshenton@uucom.com>
Cc: GVB <gvbmail@tns.net>, freebsd-net@FreeBSD.ORG
Subject: Re: RADIUS Solutions [synchronizing passwords across systems]
Message-ID: <36D4DF47.EF9426F5@softweyr.com>
References: <4.1.19990223102105.00adb730@abused.com> <86lnhnu83x.fsf@samizdat.uucom.com>
Chris Shenton wrote:
> 
> GVB <gvbmail@tns.net> writes:
> 
> > I will be running two FreeBSD machines for Radius Authentication.
> > Both using Meritt AAA and /etc/passwd for authentication. What is
> > the best way to synchronize passwd files between the two systems
> > immediately (or 5 minute increments) upon user adds and password
> > changes, etc. NIS? rsync? etc..
> 
> I have a somewhat similar situation: FreeBSD passwords on the
> account-creation system need to be synchronized between the www/ftp
> box, smtp/pop/imap box, and radius servers.
> 
> I wrote a script which uses "scp" to copy the master.password and
> group file into a temporary (secure) place on the target, then invokes
> makepwdb to convert that into the FreeBSD DB format.
> I run it from cron only once an hour at this point.
> 
> I wanted to run the password-pushing script when the user changed
> their password, but my changing mechanism is a web form calling a CGI
> which talks to poppassd. This means that the "user" which would be
> running the pusher is "www" -- so anyone who could reach my web server
> could invoke the script, not something I'm happy with, lots of room
> for abuse. That's why I just run it periodically out of root's cron.
> 
> I'm not entirely happy with this solution, but I wasn't too happy
> turning on NIS -- after avoiding it for five years. The FreeBSD NIS
> docs make it sound like they've taken great care for NIS-sharing
> password-oriented files, but still... been burned by NIS security
> problems too many times in the past.
> 
> I'd welcome other suggestions...

Write a little C program that monitors the password files and pushes
the changes automagically whenever the file has changed. Stat'ing the
file once a minute (or so) shouldn't hurt too much.

Alternative: implement a node monitor KLD. Ask Terry Lambert how to do
this; he may have some good ideas. This is something security monitors
have been wanting in UNIX for at least a decade.
-- 
Where am I, and what am I doing in this handbasket?

Wes Peters                                                 +1.801.915.2061
Softweyr LLC                                              wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36D4DF47.EF9426F5>