From owner-freebsd-security@FreeBSD.ORG Sat Sep 25 14:02:48 2004
From: Giorgos Keramidas <keramida@freebsd.org>
To: Steve Shorter
cc: freebsd-security@freebsd.org, dwbear75@gmail.com
Date: Sat, 25 Sep 2004 17:02:42 +0300 (EEST)
Subject: Re: sharing /etc/passwd
Message-ID: <20040925140242.GB78219@gothmog.gr>
In-Reply-To: <20011107211316.A7830@nomad.lets.net>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)

On 2001-11-07 21:13, Steve Shorter wrote:
> On Wed, Nov 07, 2001 at 07:02:09PM -0700, David Bear wrote:
> > I need to sync /etc/passwd and /etc/group among multiple machines. I was
> > thinking ldap would be a good method but am concerned about
> >
> > 1) the most secure way to do it
> > 2) the most stable
> > 3) things I don't know about this but should...
> >
> > any pointers to man pages/docs would be appreciated.
>
> Hmm... how about rsync? /usr/ports/net/rsync
>
> -steve

After reading a nice paper by Val Henson[1], I'm not so sure I'd trust
sensitive information like password data to rsync without making sure that
compare-by-hash is disabled, if at all possible.

There are other ways to use a common authentication server shared by many
machines. Kerberos and NIS or NIS+ are good examples. At least better than a
``blind copy'' of password files with rsync.

Giorgos.

--- References ---

[1] Val Henson, "An Analysis of Compare-by-hash". In Proceedings of HotOS IX:
    The 9th Workshop on Hot Topics in Operating Systems, pp. 13-18.
    http://www.nmt.edu/~val/review/hash.html
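For anyone who copies the password files with rsync anyway, the condition the reply asks for (no compare-by-hash) can be enforced on the command line. The script below is an added example for this thread, not code from the original message or from the rsync or FreeBSD projects; the master host name pwmaster, the root-over-ssh pull, the staging path under /etc, the PASSWD_SYNC_RUN guard and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): pull the FreeBSD password
# database from a master host with rsync's block-level compare-by-hash
# switched off, then install it with pwd_mkdb(8).
# Assumed for illustration: master host "pwmaster", SSH as root, and that
# the master's /etc/master.passwd and /etc/group are the authoritative copies.

# Flags that keep rsync from making any "unchanged" decision on a hash:
#   --whole-file   disables the delta-transfer (rolling checksum) algorithm,
#   --ignore-times transfers even when size and mtime match the destination,
#   --checksum     is deliberately absent (it would skip files on MD5 equality).
# --chmod=go-rwx keeps the copy readable by root only even if the source
# permissions were loose.
rsync_flags() {
    printf '%s\n' --archive --whole-file --ignore-times --chmod=go-rwx --rsh=ssh
}

# sync_file SRC DST: copy one file with the flags above. SRC may be a
# local path or user@host:path.
sync_file() {
    # Word-splitting of $(rsync_flags) is intended; no flag contains blanks.
    # shellcheck disable=SC2046
    rsync $(rsync_flags) "$1" "$2"
}

# sync_passwd_db [MASTER]: stage master.passwd next to the live file, then
# let pwd_mkdb -p rebuild /etc/passwd, pwd.db and spwd.db and install the
# staged file as /etc/master.passwd, so a partial copy is never the live
# database. /etc/group has no derived files and is copied directly.
sync_passwd_db() {
    master=${1:-pwmaster}
    staged=/etc/master.passwd.sync.$$
    sync_file "root@${master}:/etc/master.passwd" "$staged" || return 1
    pwd_mkdb -p "$staged" || { rm -f "$staged"; return 1; }
    sync_file "root@${master}:/etc/group" /etc/group
}

# Run only when invoked on a client deliberately, e.g. from cron:
#   PASSWD_SYNC_RUN=1 sh passwd-sync.sh pwmaster
if [ "${PASSWD_SYNC_RUN:-0}" = 1 ]; then
    sync_passwd_db "$@"
fi
```

Note that this only removes the hash-based decisions inside rsync; it does nothing about the other objection in the reply, which is that a plain file copy has no notion of a single authoritative authentication service the way Kerberos or NIS does.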