Date: 25 Mar 1999 13:45:10 -0500 From: Andrew Hobson <ahobson@eng.mindspring.net> To: Matthew Dillon <dillon@apollo.backplane.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Kerberos vs SSH Message-ID: <kjg16ttnm1.fsf@computer.eng.mindspring.net> In-Reply-To: Matthew Dillon's message of "Thu, 25 Mar 1999 10:33:39 -0800 (PST)" References: <Pine.GSO.4.10.9903251409300.17330-100000@primrose.isrc.qut.edu.au> <199903250426.UAA68023@apollo.backplane.com> <kjzp51u1y6.fsf@computer.eng.mindspring.net> <199903251833.KAA00915@apollo.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 25 Mar 1999 10:33:39 -0800 (PST), Matthew Dillon <dillon@apollo.backplane.com> said: > Provisioning for administrative accounts is easy. We do it by hand. > Most employees only have access to one administrative machine. Employees > are given access to other peripheral machines depending on their job. > Except for the one employee machine, these accounts do not have home > directories and the password field is '*' ( i.e. kerberos/ssh-only > access ). Access is controlled through kerberos. At work we have about a hundred machines and we access them via kerberos. Admins have accounts on all boxes. If we need to add or remove a user, it's a bit of a pain to manually update the password file on every machine. We're a bit concerned about doing it automatically, because if something goes wrong, /etc/passwd might be corrupted or nonexistant. I'm not a big fan of NIS. I'm sure we can come up with an automated solution that will be reasonably safe, but I was wondering how other people solved this problem. Drew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?kjg16ttnm1.fsf>