Subject: Re: automatic login
To: Wolfgang Rupprecht <wolfgang+gnus20020708T140121@wsrcc.com>
From: Johan A. van Zanten <johan@ragno.ewranglers.com>
List: netbsd-users
Date: 07/08/2002 21:32:39
---
In message <x73cuuorn9.fsf@capsicum.wsrcc.com>

>What do those folks do for cron-based rdist-ing of files from their
>main server to the other machines on their net?

I do not rdist from cron, but i do rdist using Kerberized rsh.

Others have reported that "rsh -x /bin/foo" leaves "/bin/foo" in the clear
across the network.  For my applications, i don't mind this.

 From my perspective, the benefit of Kerberized rdist is i use my current
krb5 credentials to do an rdist.  With ssh, i believe my choices would
involve either typing my password each rdist (or maybe even once per
machine, per rdist) or permanently leaving RSA/DSA keys in place on the
rdist targets.

  Ssh with "permanent" keys seems less safe than Kerberos credentials,
because the kerb. credentials will expire in less than 12 hours.

Last i heard, the ssh.com version of ssh will use existing and valid
Kerberos credentials, without challenging you for the password. (OpenSSH
does Kerberos authentication, but will not accept credentials.)

 So, theoretically, with ssh.com's ssh, you could use it with
rdist/sdist/rsync to do updates, without having to enter a password
for each update.  And, of course, ssh.com's ssh is free to use on *BSD.


 To do an unattended rdist with Kerberized rsh, the easiest way would be
to stash credentials in a srvtab file, and kinit using the stash just
before the rdist, and then kdestroy afterwards.

For more information on this, see the man pages for:

kadmin
ktutil
kinit

 --johan
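
The unattended kinit / rdist / kdestroy sequence described in the message above, sketched as a wrapper function. This is an added example, not part of the original post: the keytab path, principal and Distfile are hypothetical placeholders, a krb5 keytab stands in for the stash file, and the `kinit -k -t ... -l` flags assume an MIT or Heimdal kinit.

```shell
#!/bin/sh
# Added example: run one command under short-lived Kerberos credentials
# taken from a keytab, then destroy them.

# with_keytab_creds KEYTAB PRINCIPAL COMMAND [ARGS...]
with_keytab_creds() {
    keytab=$1 principal=$2
    shift 2

    # The keytab holds a long-term key: refuse it if group or other has
    # any access (characters 5-10 of the ls mode string).
    perms=$(ls -ld -- "$keytab" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing keytab $keytab (missing, or group/other access)" >&2
        return 2
    fi

    # Private ticket cache in a fresh mode-0700 directory, so the job
    # neither reuses nor clobbers an interactive user's cache.
    ccdir=$(mktemp -d "${TMPDIR:-/tmp}/krbjob.XXXXXX") || return 2
    (
        KRB5CCNAME="FILE:$ccdir/cc"
        export KRB5CCNAME
        # Tickets are destroyed whether the command succeeds or fails.
        trap 'kdestroy >/dev/null 2>&1; rm -rf "$ccdir"' EXIT
        # -k -t: authenticate from the keytab; -l: short ticket lifetime.
        kinit -k -t "$keytab" -l 10m "$principal" || exit 2
        "$@"
    )
}

# Hypothetical cron usage (placeholder names):
#   with_keytab_creds /etc/rdist.keytab rdist/master@EXAMPLE.ORG \
#       rdist -f /etc/Distfile
```

The function returns the wrapped command's exit status, or 2 if the keytab is rejected or kinit fails.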