Date: Tue, 27 May 2003 21:33:59 +0200
From: Gunnar Flygt
To: Eric Anderson
Cc: FreeBSD Security
Subject: Re: multihost master.passwd sync
Message-ID: <20030527193359.GA6125@sr.se>

On Tue, May 27, 2003 at 02:04:56PM -0500, Eric Anderson wrote:
> Michael Collette wrote:
> >On Tuesday 27 May 2003 11:30 am, Andy Harrison wrote:
> [..snip..]
> >>>NIS [yp(8)] ?
> >>
> >>Lord no... even if you set up a backup nis server, an ailing master server
> >>can really screw up your day.
> >>
> >>I think I thought of a solution though.  root cronjob to pgp encrypt the
> >>file, change perms so that it can be accessed by a user that is allowed to
> >>copy the file to the target host.  The file is encrypted using the
> >>public key of root on the target machine, so only root on the target will be
> >>able to pgp extract the file.
> >
> >
> >Why not just preconfigure SSH keys between the boxes and scp the file
> >across?  Seems like a lot of extra work to bring PGP into the mix.
> >
> >Personally, I'm real curious about utilizing an LDAP backend to replace
> >NIS.  Read a bit about it, but haven't had a chance to play with it just
> >yet.  It sounds like a far more elegant solution for what you're looking
> >to do as well.  Assuming it all works as advertised that is.
>
> I've started this exact process - replacing my NIS gunk with LDAP..  Not
> too far through yet, but I'll try to keep good notes for anyone else who
> may want them..

I've installed 5.1-beta on a box that should do nss_ldap, so that I
don't have to set up any users directly on that server. The ldap server
will be in the corporate network, and the 5.1-RELEASE in a DMZ as
ftp-server. I'm interested in all input I can get, to get the whole
thing going.

>
> Eric
>
>
> --
> ------------------------------------------------------------------
> Eric Anderson     Systems Administrator      Centaur Technology
> Attitudes are contagious, is yours worth catching?
> ------------------------------------------------------------------

--
Gunnar Flygt
OPC Data
Sveriges Radio
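
Both copy schemes discussed in this thread (the PGP-encrypted cron job and the scp push) leave the receiving host holding a master.passwd it did not write itself. The following is an added example, not part of any message in the thread: a POSIX shell check the target could run on the received copy before installing it, so a truncated or damaged transfer is rejected and the current file stays in place. The function names and the sample accounts are made up for illustration.

```shell
#!/bin/sh
# master.passwd(5) record: name:password:uid:gid:class:change:expire:gecos:home:shell

# Print one line per problem found; print nothing when the file looks sane.
check_master_passwd() {
    awk -F: '
        /^#/ || /^$/ { next }                    # skip comments and blank lines
        NF != 10     { print "line " NR ": expected 10 fields, got " NF; next }
        $1 == ""     { print "line " NR ": empty login name" }
        $2 == ""     { print "line " NR ": empty password field for " $1 }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
                       print "line " NR ": non-numeric uid/gid for " $1 }
        seen[$1]++   { print "line " NR ": duplicate login " $1 }
        $1 == "root" && $3 == "0" { root_ok = 1 }
        { entries++ }
        END {
            if (!entries) print "no account entries"
            if (!root_ok) print "no root entry with uid 0"
        }
    ' "$1"
}

# Install SRC as DEST only if it passes the check; DEST is replaced atomically.
# Returns 0 on install, 1 (DEST left untouched) when the copy is rejected.
install_checked() {
    src=$1 dest=$2
    problems=$(check_master_passwd "$src") || return 1
    if [ -n "$problems" ]; then
        printf 'rejected %s:\n%s\n' "$src" "$problems" >&2
        return 1
    fi
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    chmod 600 "$tmp" && cat "$src" > "$tmp" && mv "$tmp" "$dest" && return 0
    rm -f "$tmp"
    return 1
}

# Constructed sample data (not real accounts); "*" is a locked password field.
sample_master_passwd() {
    cat <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
EOF
}
```

On a real FreeBSD target the accepted file would then be handed to pwd_mkdb(8) rather than only moved into place; the example stops short of that so it can be tried on a scratch directory.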