Date: Thu, 25 Mar 1999 10:33:39 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: Andrew Hobson <ahobson@eng.mindspring.net> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Kerberos vs SSH Message-ID: <199903251833.KAA00915@apollo.backplane.com> References: <Pine.GSO.4.10.9903251409300.17330-100000@primrose.isrc.qut.edu.au> <199903250426.UAA68023@apollo.backplane.com> <kjzp51u1y6.fsf@computer.eng.mindspring.net>
next in thread | previous in thread | raw e-mail | index | archive | help
:> us to configure a crypted root password in the password file
:> good for logging into the console, but useless if stolen and
:> decrypted. All other accounts have '*' for their password (
:> i.e. ssh+kerberos logins only).
:
:How do you handle updating the password files on all machines when you
:need to add or remove a user? Do you have any automated process?
:
:Drew
Well, the provisioning for customer accounts is totally automated using
code I wrote for BEST.
Provisioning for administrative accounts is easy. We do it by hand.
Most employees only have access to one administrative machine. Employees
are given access to other peripheral machines depending on their job.
Except for the one employee machine, these accounts do not have home
directories and the password field is '*' ( i.e. kerberos/ssh-only
access ). Access is controlled through kerberos.
-Matt
Matthew Dillon
<dillon@backplane.com>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199903251833.KAA00915>