Date: Mon, 5 Mar 2001 22:39:44 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "T. William Wells" <bill@twwells.com>
Cc: <freebsd-questions@freebsd.org>
Subject: RE: SUN TO BSD
Message-ID: <001501c0a608$3ae7e8c0$1401a8c0@tedm.placo.com>
In-Reply-To: <E14aANZ-000NkN-00@twwells.com>

Hi Bill,

I hope you don't mind me CCing the list on the response, I'm doing it in case someone else is scratching their head wondering why I advocated such an odd approach.

I've actually done a few of these Slowlaris migrations myself. The first one, I did attempt it your way, by constructing this script thingie to do it without the necessity of a manual intervention with a spreadsheet. Well, I was very unhappy to discover this nice little present that Sun left the UNIX administrators that work on Slowlaris - their password tools do NOT check the password files' consistency! vipw is the biggest offender, but there are others.

The result of this was that I had a Solaris box where the first 300-500 lines between the regular and the shadow file were in phase, then there was a missing entry from the shadow and for a couple hundred more lines they were out of phase, then there were 2 missing entries from the regular and they were out of phase the other direction, etc. Don't ask me how this system worked at all, but it had been running apparently for years in this state! Authentication for all users worked, and the only thing that didn't work was finger - invariably fingering a user would return that the user didn't exist.

Of course I figured all this out later, after spending several hours discovering that this even could happen at all. You could imagine what a pissed-off state I was in by then.

Since then I don't trust raw Slowlaris password files any further than I can spit a rat, and I always do a visual inspection of all the entries. A spreadsheet is the quickest way to do a visual inspection and can be used to merge the two files. Even going through 10K entries in a spreadsheet shouldn't take more than 15 minutes or so; you don't, after all, have to read every single line.

You might think it's error-prone, but you're going to have a lot of work to add all the consistency checking into a migration script, and by the time you finish debugging a script to do this, my way is a lot quicker. Also, even if you do make up a script to do this, if the script blows the whistle on an inconsistent Slowlaris password file, you're still going to have to go digging around in it with vipw to fix the problem.

Still, I'd be interested in anything that you do have that's more intelligent than a "grab-n-mash with the assumption that the Slowlaris password files are consistent to start with".

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: T. William Wells [mailto:bill@twwells.com]
>Sent: Monday, March 05, 2001 9:51 PM
>To: Ted Mittelstaedt
>Subject: Re: SUN TO BSD
>
>
>join, comm, sort, cut, and paste
>
>This combination of tools will do all the below, *without* the
>necessity of manual, and therefore error prone, checking of order
>and identity.
>
>Better yet, it can all be packaged in a script.....
>
>> In order to migrate the Solaris password file to the FreeBSD system,
>> ...
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
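
The consistency check discussed in this message, sketched with the tools named in the quoted reply (cut, sort, comm, paste). This is an added example, not code from either correspondent. It assumes the standard Solaris layouts of 7 colon-separated fields in passwd and 9 in shadow; the function names and the sample accounts are constructed for illustration.

```sh
# Added example: cross-check a passwd/shadow pair by login name before any
# merge. Assumes 7 fields per passwd record and 9 per shadow record.
# Prints one finding per line; returns 0 only when there are no findings.
check_pw_pair() {
    pw=$1 sd=$2
    t=$(mktemp -d) || return 2
    cut -d: -f1 "$pw" > "$t/pw.names"
    cut -d: -f1 "$sd" > "$t/sd.names"
    sort -u "$t/pw.names" > "$t/pw.set"
    sort -u "$t/sd.names" > "$t/sd.set"
    {
        # Logins present in only one of the two files.
        comm -23 "$t/pw.set" "$t/sd.set" | sed 's/^/NO_SHADOW_ENTRY /'
        comm -13 "$t/pw.set" "$t/sd.set" | sed 's/^/NO_PASSWD_ENTRY /'
        # Duplicate logins, which a line-by-line merge would mispair.
        sort "$t/pw.names" | uniq -d | sed 's/^/DUPLICATE_IN_PASSWD /'
        sort "$t/sd.names" | uniq -d | sed 's/^/DUPLICATE_IN_SHADOW /'
        # Records with the wrong number of fields.
        awk -F: 'NF != 7 { print "BAD_FIELD_COUNT passwd:" NR }' "$pw"
        awk -F: 'NF != 9 { print "BAD_FIELD_COUNT shadow:" NR }' "$sd"
        # First line at which the two files stop lining up.
        paste "$t/pw.names" "$t/sd.names" |
            awk -F'\t' '$1 != $2 { print "OUT_OF_PHASE_FROM line " NR; exit }'
    } > "$t/report"
    cat "$t/report"
    if [ -s "$t/report" ]; then rc=1; else rc=0; fi
    rm -rf "$t"
    return "$rc"
}

# Constructed sample data (not from any real system): carol has no shadow
# entry, and shadow still holds an entry for dave.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
carol:x:1003:10:Carol:/export/home/carol:/bin/ksh
bob:x:1002:10:Bob:/export/home/bob:/bin/ksh
EOF
    cat > "$1/shadow" <<'EOF'
root:NP:6445::::::
alice:*LK*:11000::::::
bob:*LK*:11000::::::
dave:*LK*:10500::::::
EOF
}

if [ "$#" -eq 2 ]; then check_pw_pair "$1" "$2"; fi
```

Run against copies of the two files, never the live ones; a non-zero exit means the pair needs fixing before any join-based merge is attempted.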