Subject: Re: pseudo-shadowing of passwords with ypserv?
To: Keith Moore <firstname.lastname@example.org>
From: David Holland <email@example.com>
Date: 10/08/1998 18:47:06

> > rdist over ssh? It's not quite drop-in, but it's pretty easy to set up.
> > (would be nice to get some out-of-the-box support for it though sometime.)
> Copying the passwd file to all hosts doesn't scale very well
> for even moderate numbers of users or hosts.

Even a 10,000 user password file is well under a megabyte. Keeping
this on each machine just doesn't strike me as a particularly large
problem. And that's generally considered a large number of users.
Updating it to a couple of hundred machines *might* saturate the
network for a few minutes at 5 am or some other time nobody's doing
anything critical. If you use rsync, it wouldn't take even that.

> It's also a pain
> to keep all of the password files current in the presence of host
> and network failures,

This is precisely what rdist is for.

> and to deal with each system's different
> way of storing shadow password files.

And this is a couple of small awk scripts.

> And we'd still need
> something like yppasswd (with something better than "privileged
> ports" for authentication) to let people change their passwords.

% cat /usr/local/bin/passwd
exec ssh centralhost "passwd $*"

Salt to taste.

> > Nothing anyone does to YP will ever really be more than a bandaid.
> granted. If I had the luxury of replacing all of the "login" programs
> on all of the systems, I'd start with Kerberos and work up from there.
> Meanwhile, a bandaid would do a lot to thwart this very common kind of

Kerberos is far from an ideal solution itself.

- David A. Holland | (please continue to send non-list mail to
firstname.lastname@example.org | email@example.com. yes, I moved.)
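
The "couple of small awk scripts" mentioned in the message could look like the following; this is an added example, not code from the original message or its author. It assumes the master copy uses the BSD master.passwd layout and the target host wants SysV-style passwd and shadow files; the function name `split_master` and the sample entries are constructed for illustration, and the function prints nothing when any entry is malformed so a damaged file is never distributed.

```shell
#!/bin/sh
# Added example (not from the original message). Field layouts per passwd(5)/shadow(5):
#   master.passwd: name:hash:uid:gid:class:change:expire:gecos:home:shell
#   passwd:        name:x:uid:gid:gecos:home:shell
#   shadow:        name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample input; the hash is a placeholder, not a real one.
SAMPLE='# constructed master.passwd sample
alice:$1$constructed$notarealhash:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:*:1002:1002:staff:0:1728000:Bob Example:/home/bob:/bin/csh'

# split_master (hypothetical name): usage  split_master passwd|shadow < master.passwd
split_master() {
    awk -F: -v mode="$1" '
        BEGIN { if (mode != "passwd" && mode != "shadow") bad = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        NF != 10 || $1 == "" || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "line %d: malformed entry\n", NR | "cat 1>&2"
            bad = 1
            next
        }
        mode == "passwd" {
            # Hash replaced by "x" so the world-readable file carries no secrets.
            out[++n] = $1 ":x:" $3 ":" $4 ":" $8 ":" $9 ":" $10
        }
        mode == "shadow" {
            # BSD keeps account expiry in seconds since the epoch (0 = never);
            # shadow wants days since the epoch (empty = never).
            days = ($7 ~ /^[0-9]+$/ && $7 + 0 > 0) ? int($7 / 86400) : ""
            out[++n] = $1 ":" $2 "::::::" days ":"
        }
        END {
            if (bad) exit 1                      # fail closed: print nothing
            for (i = 1; i <= n; i++) print out[i]
        }'
}

printf '%s\n' "$SAMPLE" | split_master shadow
```

The shadow output carries the hashes and belongs in a file readable only by root; the passwd output can stay world-readable.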