Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 25 Mar 1999 10:50:47 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Andrew Hobson <ahobson@eng.mindspring.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Kerberos vs SSH
Message-ID:  <199903251850.KAA01406@apollo.backplane.com>
References:  <Pine.GSO.4.10.9903251409300.17330-100000@primrose.isrc.qut.edu.au> <199903250426.UAA68023@apollo.backplane.com> <kjzp51u1y6.fsf@computer.eng.mindspring.net> <199903251833.KAA00915@apollo.backplane.com> <kjg16ttnm1.fsf@computer.eng.mindspring.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

:
:On Thu, 25 Mar 1999 10:33:39 -0800 (PST), Matthew Dillon <dillon@apollo.backplane.com> said:
:
:>     Provisioning for administrative accounts is easy.  We do it by hand.
:>     Most employees only have access to one administrative machine.  Employees
:>     are given access to other peripheral machines depending on their job.
:>     Except for the one employee machine, these accounts do not have home
:>     directories and the password field is '*' ( i.e. kerberos/ssh-only
:>     access ).  Access is controlled through kerberos.
:
:At work we have about a hundred machines and we access them via
:kerberos.  Admins have accounts on all boxes.  If we need to add or
:remove a user, it's a bit of a pain to manually update the password
:file on every machine.
:
:We're a bit concerned about doing it automatically, because if
:something goes wrong, /etc/passwd might be corrupted or nonexistant.
:I'm not a big fan of NIS.
:
:I'm sure we can come up with an automated solution that will be
:reasonably safe, but I was wondering how other people solved this
:problem.
:
:Drew

    It's pretty easy to write a script to manipulate the password file, 
    especially if you are not entering any encrypted passwords ( i.e. leaving
    that field '*' ).  If you are worried about messing it up, just have cron
    backup the password file once a day or something like that.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199903251850.KAA01406>