From owner-freebsd-net Wed Feb 24 21:29:15 1999
Delivered-To: freebsd-net@freebsd.org
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 57DB414F08 for ; Wed, 24 Feb 1999 21:29:12 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id VAA08214; Wed, 24 Feb 1999 21:27:47 -0800 (PST)
Received: from utah.XYLAN.COM by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id VAA16498; Wed, 24 Feb 1999 21:27:46 -0800
Received: from softweyr.com by utah.XYLAN.COM (SMI-8.6/SMI-SVR4 (xylan utah [SPOOL])) id WAA23992; Wed, 24 Feb 1999 22:27:42 -0700
Message-ID: <36D4DF47.EF9426F5@softweyr.com>
Date: Wed, 24 Feb 1999 22:27:35 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 2.2.7-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Chris Shenton
Cc: GVB , freebsd-net@FreeBSD.ORG
Subject: Re: RADIUS Solutions [synchronizing passwords across systems]
References: <4.1.19990223102105.00adb730@abused.com> <86lnhnu83x.fsf@samizdat.uucom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Chris Shenton wrote:
> 
> GVB writes:
> 
> > I will be running two FreeBSD machines for RADIUS authentication.
> > Both using Merit AAA and /etc/passwd for authentication. What is
> > the best way to synchronize passwd files between the two systems
> > immediately (or in 5 minute increments) upon user adds and password
> > changes, etc. NIS? rsync? etc..
> 
> I have a somewhat similar situation: FreeBSD passwords on the
> account-creation system need to be synchronized between the www/ftp
> box, smtp/pop/imap box, and radius servers.
> 
> I wrote a script which uses "scp" to copy the master.password and
> group file into a temporary (secure) place on the target, then invokes
> makepwdb to convert that into the FreeBSD DB format.
> I run it from cron only once an hour at this point.
> 
> I wanted to run the password-pushing script when the user changed
> their password, but my changing mechanism is a web form calling a CGI
> which talks to poppassd. This means that the "user" which would be
> running the pusher is "www" -- so anyone who could reach my web server
> could invoke the script, not something I'm happy with, lots of room
> for abuse. That's why I just run it periodically out of root's cron.
> 
> I'm not entirely happy with this solution, but I wasn't too happy
> turning on NIS -- after avoiding it for five years. The FreeBSD NIS
> docs make it sound like they've taken great care for NIS-sharing
> password-oriented files, but still... been burned by NIS security
> problems too many times in the past.
> 
> I'd welcome other suggestions...

Write a little C program that monitors the password files and pushes the
changes automagically whenever the file has changed. Stat'ing the file
once a minute (or so) shouldn't hurt too much.

Alternative: implement a node monitor KLD. Ask Terry Lambert how to do
this; he may have some good ideas. This is something security monitors
have been wanting in UNIX for at least a decade.

-- 
        Where am I, and what am I doing in this handbasket?

Wes Peters                                                         Softweyr LLC
+1.801.915.2061                                                wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
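The stat(2)-polling watcher Wes sketches, written out as an added example (not code from the thread or from any FreeBSD tool). It records the file's device/inode, size and mtime, and when any of them changes it runs a fixed push script with a fixed argv, as root from a daemon rather than from the "www" CGI user Chris was worried about, so nothing reachable from the web server can trigger a push. The inode comparison matters because vipw/chpass write a temporary file and rename it into place, which can leave size and the one-second mtime unchanged. The default paths `/etc/master.passwd` and `/usr/local/sbin/push-passwd` and the 60-second interval are assumptions; the push script itself (the scp + pwd_mkdb step) is Chris's and is not shown here.

```c
/* pwwatch.c: poll a password file with stat(2) and run a push command
 * when its identity or contents change. Added example; the script path,
 * file path and interval below are assumptions, not anything from the
 * original thread. Build: cc -o pwwatch pwwatch.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

struct filestate {
    int    exists;
    dev_t  dev;
    ino_t  ino;
    off_t  size;
    time_t mtime;
};

/* Record what stat(2) currently sees for path. A missing file is itself
 * a valid state (exists == 0); returns 1 if the file was found, else 0. */
int snapshot(const char *path, struct filestate *st)
{
    struct stat sb;
    memset(st, 0, sizeof *st);
    if (stat(path, &sb) != 0)
        return 0;
    st->exists = 1;
    st->dev    = sb.st_dev;
    st->ino    = sb.st_ino;
    st->size   = sb.st_size;
    st->mtime  = sb.st_mtime;
    return 1;
}

/* 1 if the file changed between two snapshots. dev/ino catch the
 * rename-into-place done by vipw(8)/chpass(1); size and mtime catch
 * in-place edits. mtime alone is not enough: it has 1s resolution. */
int changed(const struct filestate *a, const struct filestate *b)
{
    if (a->exists != b->exists)
        return 1;
    if (!a->exists)
        return 0;
    return a->dev != b->dev || a->ino != b->ino ||
           a->size != b->size || a->mtime != b->mtime;
}

/* Run the push script by absolute path with a fixed argv: no shell, no
 * environment-derived arguments. Returns its exit status, or -1. */
int run_push(const char *script)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(script, script, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Small helper used to exercise the detector; returns 1 on success. */
int write_file(const char *path, const char *text)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return 0;
    int ok = fputs(text, fp) >= 0;
    return fclose(fp) == 0 && ok;
}

int main(int argc, char **argv)
{
    /* Assumed defaults; override on the command line. */
    const char *path   = argc > 1 ? argv[1] : "/etc/master.passwd";
    const char *script = argc > 2 ? argv[2] : "/usr/local/sbin/push-passwd";
    unsigned interval  = argc > 3 ? (unsigned)atoi(argv[3]) : 60;
    struct filestate prev, cur;

    snapshot(path, &prev);
    for (;;) {
        sleep(interval);
        snapshot(path, &cur);
        if (changed(&prev, &cur)) {
            int rc = run_push(script);
            fprintf(stderr, "%s changed, push exited %d\n", path, rc);
            prev = cur;             /* remember the state we pushed */
        }
    }
    return 0;
}
```

Two caveats a practitioner would add: a change that lands while the push script is still copying the previous version is only caught on the next poll, so the script should copy the file atomically (to a temporary name, then rename) on the target; and the watcher only notices changes to the file it stats, so `/etc/group` or `/etc/master.passwd` must each get their own watcher or the loop must snapshot both.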