From owner-freebsd-net Wed Feb 24 22:15:30 1999
Date: Thu, 25 Feb 1999 01:14:04 -0500 (EST)
From: spork <spork@super-g.com>
To: Chris Shenton
Cc: GVB, freebsd-net@FreeBSD.ORG
Subject: Re: RADIUS Solutions [synchronizing passwords across systems]
In-Reply-To: <86lnhnu83x.fsf@samizdat.uucom.com>

Merit Radius does allow for crypted passwords in the 'users' file, so it
is pretty easy to grab the wanted UIDs (generally based on group), mush
them through a script and end up with a usable users file. This way
you're not needing to make actual accounts on all of your machines other
than for staffers. This has been working really well for us so far on
our backup auth server.

Charles

---
Charles Sprickman
spork@super-g.com

On 24 Feb 1999, Chris Shenton wrote:

> GVB writes:
>
> > I will be running two FreeBSD machines for Radius Authentication.
> > Both using Merit AAA and /etc/passwd for authentication. What is
> > the best way to synchronize passwd files between the two systems
> > immediately (or 5 minute increments) upon user adds and password
> > changes, etc. NIS? rsync? etc..
>
> I have a somewhat similar situation: FreeBSD passwords on the
> account-creation system need to be synchronized between the www/ftp
> box, smtp/pop/imap box, and radius servers.
>
> I wrote a script which uses "scp" to copy the master.password and
> group file into a temporary (secure) place on the target, then invokes
> makepwdb to convert that into the FreeBSD DB format.
> I run it from cron only once an hour at this point.
>
> I wanted to run the password-pushing script when the user changed
> their password, but my changing mechanism is a web form calling a CGI
> which talks to poppassd. This means that the "user" which would be
> running the pusher is "www" -- so anyone who could reach my web server
> could invoke the script, not something I'm happy with, lots of room
> for abuse. That's why I just run it periodically out of root's cron.
>
> I'm not entirely happy with this solution, but I wasn't too happy
> turning on NIS -- after avoiding it for five years. The FreeBSD NIS
> docs make it sound like they've taken great care for NIS-sharing
> password-oriented files, but still... been burned by NIS security
> problems too many times in the past.
>
> I'd welcome other suggestions...
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
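The group-based extraction Charles describes, as an added example that is not from the thread or from Merit: it reads a FreeBSD master.passwd and group file, keeps only members of one group, skips locked accounts, and emits one users-file entry per account. The check-item name "Crypt-Password" and the sample accounts are assumptions of this example; adjust the attribute to your RADIUS server's users-file syntax.

```shell
#!/bin/sh
# gen_users_file GROUP MASTER_PASSWD GROUP_FILE
# Emits a RADIUS 'users' entry for every account whose primary or
# supplementary group is GROUP. Accounts with a locked or empty hash
# ('*', '!' or nothing) are skipped so they can never authenticate
# via RADIUS either. "Crypt-Password" is an assumed attribute name.
gen_users_file() {
    group="$1"; pw="$2"; gr="$3"
    gid=$(awk -F: -v g="$group" '$1==g {print $3; exit}' "$gr")
    [ -n "$gid" ] || { echo "no such group: $group" >&2; return 1; }
    members=$(awk -F: -v g="$group" '$1==g {print $4}' "$gr")
    awk -F: -v gid="$gid" -v members=",$members," '
        # master.passwd fields: name:hash:uid:gid:class:change:expire:gecos:home:shell
        $2 == "" || $2 ~ /^[*!]/ { next }                 # locked account
        $4 == gid || index(members, "," $1 ",") > 0 {
            printf "%s\tCrypt-Password = \"%s\"\n", $1, $2
        }' "$pw"
}

# Constructed sample data (not real accounts or hashes) so the script
# runs stand-alone. Writes master.passwd and group into directory $1.
write_samples() {
    cat > "$1/master.passwd" <<'EOF'
root:$1$CONSTRUCTED$rootHASHrootHASHroot0:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$CONSTRUCTED$aliceHASHaliceHASH00:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$CONSTRUCTED$bobHASHbobHASHbobHASH:1002:2000::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:2000::0:0:Carol (locked):/home/carol:/sbin/nologin
dave:$1$CONSTRUCTED$daveHASHdaveHASHdave:1004:1004::0:0:Dave:/home/dave:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
wheel:*:0:root
alice:*:1001:
dialup:*:2000:alice
dave:*:1004:
EOF
}

# Demo: ./gen_users.sh --demo  (alice is a supplementary member of
# dialup, bob has it as primary group, carol is locked, dave is not in it)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    gen_users_file dialup "$d/master.passwd" "$d/group"
    rm -rf "$d"
fi
```

In production the generated file must be installed with the same restrictive ownership and mode as master.passwd, since it carries the password hashes.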