[957] in linux-security and linux-alert archive
Re: [linux-security] Alternative to NIS
daemon@ATHENA.MIT.EDU (Benedikt Stockebrand)
Thu Jul 25 05:06:10 1996
Date: Wed, 24 Jul 1996 11:52:33 +0200
From: Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To: boyd@interdim.com
CC: linux-security@tarsier.cv.nrao.edu
In-reply-to: <Pine.GSO.3.94.960722170759.2806B-100000@insanity.interdim.com>
(boyd@interdim.com)
Eric M. Boyd <boyd@interdim.com> wrote:
| Everywhere I look security wise, people say to stay away from NIS because
| it's very insecure, and that NIS+ isn't much better. Does anyone have any
| suggestions as to a replacement to use?

This is how I'd do it next time I'd run more than two or three
machines:

Keep ``master copies'' of all config files on one, well-protected
``config server'' machine. Install ssh on all machines to replace
rsh/rcp/rlogin. Install rdist (make sure it uses rsh and not rdistd,
so best compile it yourself) and use it to distribute copies of the
master config files to the target machines. That way you'll only have
to deal with the master copies on a single machine.

If you generate your config files (using subst, m4 or whatever) from
some host-independent templates it may be a good idea to use a
makefile that takes care of running rdist as well. Using a crontab
entry to distribute the files may be useful too. If you can't be sure
if all machines are actually up when you run rdist that may be a
reasonable thing to do anyway.

I'm currently running only my own two machines at home and haven't
tried the whole thing yet. I also haven't checked if rdist really
execs rsh (according to the docs it does) so please watch your steps.
And maybe tell us about your experience.

There's a clumsier approach using FTP to transfer PGP'ed tar files to
do the same thing, but it seems way inferior in about all respects.

Ben
--
Benedikt (Ben) Stockebrand Runaway ping.de sysadmin
Dortmund, Germany --- Never ever trust old friends ---
My name and email address are not to be added to any list used for the
purpose of advertising. By sending unsolicited advertisement e-mail
to this address, the sender implicitly agrees to pay a DM 500 fee to
the recipient for proofreading services.
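
The setup described in the message above, as an added example that is not part of the original post: a script for the config server that renders per-host files from host-independent templates, writes an rdist Distfile for them, and pushes over ssh. The directory layout, the `@HOST@` token, the host names and the script name are assumptions, as is an rdist 6.x build whose `-P` option selects the transport program.

```shell
#!/bin/sh
# Added example (not from the original post). Templates mirror target paths,
# e.g. templates/etc/hosts; "@HOST@" is a constructed placeholder token.
TEMPLATES=${TEMPLATES:-./templates}   # hypothetical template tree
STAGE=${STAGE:-./stage}               # hypothetical staging tree: $STAGE/<host>/<path>
HOSTS=${HOSTS:-"alpha beta"}          # constructed host names
SSH=${SSH:-/usr/bin/ssh}              # transport handed to rdist
umask 077                             # staged copies may contain password hashes

# Render every template for one host, replacing @HOST@ with the host name.
render_host() {
    host=$1
    # The name ends up in a sed expression and a Distfile: allow only safe characters.
    case $host in ''|*[!A-Za-z0-9.-]*) echo "bad host name: $host" >&2; return 1 ;; esac
    (cd "$TEMPLATES" && find . -type f) | while read -r rel; do
        rel=${rel#./}
        mkdir -p "$STAGE/$host/$(dirname "$rel")"
        sed "s/@HOST@/$host/g" "$TEMPLATES/$rel" > "$STAGE/$host/$rel"
    done
}

# Print a Distfile that installs each staged file at the same absolute path
# on the host it was rendered for.
make_distfile() {
    for host in $HOSTS; do
        (cd "$STAGE/$host" && find . -type f) | sort | while read -r rel; do
            rel=${rel#./}
            printf '( %s/%s/%s ) -> ( %s )\n\tinstall /%s ;\n' \
                "$STAGE" "$host" "$rel" "$host" "$rel"
        done
    done
}

# Render, write the Distfile, and push. -P (rdist 6.x) names the transport program.
push_all() {
    for host in $HOSTS; do render_host "$host" || return 1; done
    make_distfile > "$STAGE/Distfile"
    rdist -P "$SSH" -f "$STAGE/Distfile"
}

# "sh distribute.sh push" from a makefile or crontab; otherwise only defines the functions.
if [ "${1:-}" = push ]; then push_all; fi
```

Running the same command from cron covers hosts that were down during an earlier push, since rdist only transfers files that differ from the staged copy.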