On Tue, Nov 27, 2001 at 01:34:44PM -0600, Troy.A Johnson wrote:
> You have some decisions to make.
...[snip Troy's great answer]...
TIP #1
Run a firewall and block all netbios and windows traffic going in or
out. If people want to share Workgroups, they can install VPN
software and do it manually themselves.
WINDOWS SCOPE
My take on it is this. If you're running a mixed environment behind
a firewall, turn off the encrypted (hashed) passwords in the Windows
registries and give yourself a break on account management. The
so-called Windows encryption is nothing more than hashing the
password before passing it to the server. This buys no real
security, so shutting it off is no big deal. If shutting it off
allows you greater flexibility with account management w/o having to
delve into Kerberos, go for it.
*NIX SCOPE
If you have multiple *NIX machines, push the passwd files around
w/scp and write a simple passwd wrapper script that opens an ssh
connection for the user to the master passwd server.
#! /bin/sh -e
#
# SSH Wrapper to passwd binary on hostA.mydomain.tld
# -- a.k.a. The easy part
#
SSH=/usr/bin/ssh
# Fall back to whoami only when $USER is unset; the ${VAR:-default}
# form is the one that does this (${VAR-:default} would paste a
# literal colon in front of the name).
USER=${USER:-$(whoami)}
SVR=hostA.mydomain.tld
# -t forces a pty on the remote side so passwd can prompt with echo
# turned off; exec hands the exit status straight back to the caller.
exec $SSH -t "${USER}@${SVR}" /bin/passwd
# The script will (should) exit with the error code given by
# passwd as it cascades from ssh.
# EOF
Then, all you need to do is fire off a cron job every ${interval} to
examine the last modified time of /etc/passwd to determine whether
or not you want to push out a new file to all the servers. Push it
out w/either scp or rsync over ssh.
ACK, this is the hard part. I started to write out what I thought
would be a good push script. It turns out that you're going to have
to worry about locking semantics. You want to lock or copy
/etc/shadow before you start pushing it out, otherwise your sync
script won't be in sync any longer. Bash just doesn't cut it any
more in that case.
cfengine seems to handle locking semantics well, and can use both a
"pull" or "push" model. (I just read the info again.) There's a
number of other very useful things you can do with cfengine, even if
you're only managing a small number of boxes.
Anyway, back to work.
--
Chad Walstrom <chewie at wookimus.net> | a.k.a. ^chewie
http://www.wookimus.net/ | s.k.a. gunnarr
Get my public key, ICQ#, etc. $(mailx -s 'get info' chewie at wookimus.net)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://shadowknight.real-time.com/pipermail/tclug-list/attachments/20011204/882b56eb/attachment.pgp
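The cron-driven push that the post calls "the hard part", written out as an added example (this is not Chad's script, and cfengine is not involved): it takes a private snapshot of the master file under a mkdir-based lock, checks with cmp that the master was not edited mid-copy, pushes the snapshot to each host with rsync over ssh, and only advances the "last pushed" stamp when every host succeeded, so a host that was down is retried on the next interval. Every path, host name, the remote user and the rsync/ssh binaries are placeholders (assumptions); override them from the environment.

```shell
#!/bin/sh
# Added example, not part of the original post: push /etc/shadow from the
# master passwd server to the other boxes. All paths/hosts below are
# placeholders (assumptions); set them from the environment to override.
MASTER_FILE=${MASTER_FILE:-/etc/shadow}            # authoritative copy on the master
SNAPSHOT=${SNAPSHOT:-/var/lib/pushpw/shadow.snap}  # consistent copy that gets pushed
STAMP=${STAMP:-/var/lib/pushpw/last-push}          # mtime marker of the last full push
LOCKDIR=${LOCKDIR:-/var/lock/pushpw.d}             # mkdir(2) is atomic, so it is the lock
HOSTS=${HOSTS:-"hostB.mydomain.tld hostC.mydomain.tld"}
REMOTE_USER=${REMOTE_USER:-root}
REMOTE_PATH=${REMOTE_PATH:-/etc/shadow}
RSYNC=${RSYNC:-rsync}
SSH=${SSH:-/usr/bin/ssh}

# Lock so two cron runs (or an admin running this by hand) never push at once.
acquire_lock() { mkdir "$LOCKDIR" 2>/dev/null; }
release_lock() { rmdir "$LOCKDIR" 2>/dev/null; }

# True when the master changed since the last push. POSIX find -newer does the
# mtime comparison, so no non-portable stat(1) flags are needed.
needs_push() {
    [ -e "$STAMP" ] || return 0
    [ -n "$(find "$MASTER_FILE" -prune -newer "$STAMP")" ]
}

# Copy the master to a mode-0600 temp file, rename it into place (atomic), then
# cmp the two: a difference means someone ran passwd during the copy, so retry.
take_snapshot() {
    tries=0
    while [ "$tries" -lt 3 ]; do
        tries=$((tries + 1))
        (umask 077 && cp "$MASTER_FILE" "$SNAPSHOT.tmp.$$") || return 1
        mv "$SNAPSHOT.tmp.$$" "$SNAPSHOT" || return 1
        cmp -s "$MASTER_FILE" "$SNAPSHOT" && return 0
    done
    return 1
}

# Push the snapshot to one host. rsync writes a temp file on the far side and
# renames it over the target, so the remote shadow file is never half-written.
push_one() {
    "$RSYNC" -e "$SSH" -p -- "$SNAPSHOT" "${REMOTE_USER}@$1:${REMOTE_PATH}"
}

# Push to every host. The stamp only moves forward when all hosts got the file,
# so a failed host is retried next interval instead of silently drifting.
push_all() {
    failed=""
    for h in $HOSTS; do
        push_one "$h" || failed="$failed $h"
    done
    if [ -n "$failed" ]; then
        echo "push failed for:$failed" >&2
        return 1
    fi
    touch -r "$SNAPSHOT" "$STAMP"
}

main() {
    acquire_lock || { echo "another push is running" >&2; return 2; }
    trap 'release_lock' EXIT INT TERM
    needs_push || return 0
    take_snapshot || { echo "could not take a consistent snapshot" >&2; return 1; }
    push_all
}

# From cron, every ${interval}:   */10 * * * * /usr/local/sbin/pushpw run
case ${1:-} in run) main ;; esac
```

The snapshot-plus-cmp step is what stands in for locking /etc/shadow itself: passwd on the master keeps working while the copy is taken, and a copy that raced with an edit is simply thrown away and retried. The stamp records the snapshot's mtime rather than "now", so an edit made between the snapshot and the end of the push still shows up as newer on the next run.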