Date:      04 Mar 1998 12:09:35 +0100
From:      Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To:        "Greg Stringfellow" <greg@prismnet.com>
Cc:        <freebsd-isp@FreeBSD.ORG>
Subject:   Re: Distributed Passwords
Message-ID:  <8790qqyaog.fsf@devnull.ruhr.de>
In-Reply-To: "Greg Stringfellow"'s message of "Mon, 2 Mar 1998 16:03:29 -0600"
References:  <000601bd4627$08d83d60$a8fde6cd@maverick.prismnet.com>

"Greg Stringfellow" <greg@prismnet.com> writes:

> Used to be, when I had 500 customers my simple scripts for passing password
> information via SSH from computer to computer worked great. Now that I've
> got a few more customers (just one or two:) I want to either find possibly a
> better alternative to copying or maybe better scripts before I go and
> re-invent the wheel.

What about a multi-level update?  The main box sends it to some
secondary machines each of which forwards it to another set of
machines.

> Only problem with this method is that you have only a single point
> to change passwd information. No good if that machine goes down.

That's not too much of a problem compared to NIS or such: True enough, 
people can't change their passwords then, but otherwise the remaining
machines stay up.

If you do that multilevel approach each "leaf" machine could receive
its update from two (or even more) of the secondaries.  Even if one of 
the secondaries fails all leaves are properly updated.

> I've thought about NIS, but it seems like I could be burned real good with
> this one.

Yes.  Read some specs, use a packet sniffer and you'll immediately
uninstall it.

NIS is a Good Thing[TM] in a highly cooperative environment where you
don't really expect any malicious activities.  Everywhere else you
better stay away from it.

> So I was hoping that maybe somebody here might have some suggestions or
> examples they could share on this subject.

No examples, sorry.

> Are there other secure
> alternatives to copying the master.passwd file between all machines?

Sun's NIS+ appears to be a good one.  Unfortunately it doesn't seem to
be supported by any system except Solaris...

> Does
> somebody have a turnkey script they would like to share?

No, sorry.  But one more note about that approach above: If you don't
want an unprotected ~root/.ssh/identity on your master machine it
helps to initiate the transfer from a "top security" machine where
users can't log in.  Something like that:

1. secure machine (with unprotected ~root/.ssh/identity but no regular
   users) copies /etc/*passwd* from the main machine.
2. secure machine forwards the copied /etc/*passwd* to the
   secondaries.
3. the secondaries forward the files to the leaf machines.

But this may be a bit too paranoid already.


    Ben

-- 
Ben(edikt)? Stockebrand    ---    Un*x system administrator looking for a job
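As an added illustration of the pull-then-fan-out approach sketched above (example code, not from the original message or from anyone on the list): the secure machine sanity-checks the fetched master.passwd copy before pushing it to a list of secondaries, refuses to distribute an empty or malformed file, and compares checksums afterwards. Host names, the staging directory, the transfer hook and the sample password lines are constructed placeholders; the dry-run hook lets the fan-out be exercised without touching any host.

```sh
#!/bin/sh
# Added example, not from the original e-mail. Hosts, STAGE and the
# transfer hook are constructed for illustration.

# FreeBSD master.passwd has exactly 10 colon-separated fields per line.
# Refuse to distribute an empty or malformed file: one bad push would
# lock everyone out of every leaf at once.
valid_master_passwd() {
    [ -s "$1" ] || return 1
    awk -F: 'NF != 10 { bad = 1 } END { exit bad }' "$1"
}

# Real transfer: scp as root, so the unprotected ssh identity only has
# to exist on the secure machine, as the e-mail suggests.
scp_transfer() {   # args: local-file host remote-path
    scp -q "$1" "root@$2:$3"
}

# Dry-run transfer: stage into "$STAGE/<host>/<remote-path>" so the
# fan-out can be tested before any real host is involved.
local_transfer() {
    mkdir -p "$STAGE/$2$(dirname "$3")" && cp "$1" "$STAGE/$2$3"
}

# Push $1 to path $2 on every host in the space-separated list $3, using
# ${TRANSFER:-scp_transfer}. Keeps going after a failed host and reports
# the failures at the end, so one dead secondary does not stall the rest.
fan_out() {
    valid_master_passwd "$1" || { echo "refusing to push invalid $1" >&2; return 2; }
    failed=""
    for h in $3; do
        "${TRANSFER:-scp_transfer}" "$1" "$h" "$2" || failed="$failed $h"
    done
    [ -z "$failed" ] || { echo "failed:$failed" >&2; return 1; }
}

# Post-push check: the pushed copy must have the same checksum as the
# source (with the local hook $2 is a staged file; over ssh it would be
# the remote cksum output).
same_checksum() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}
```

The receiving secondaries would run the same fan_out against their own leaf lists, and each leaf can be listed under two secondaries to get the redundancy described above.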

