> Now that we are increasing the number of hosts that are in our Kerberos
> realm, one thought comes to mind: the current method for managing srvtabs
> really bites.
>
> Specifically, the thought of doing "ark host/foo", "xst foo host", etc etc,
> a billion times is giving me screaming nightmares.
>
> I am wondering what larger sites do w.r.t. srvtab management. Are there
> any custom scripts that people use? Do people actually change the keys
> in the srvtabs, or do they leave them at the initial value?
A co-worker of mine wrote a utility called shkbob, which works with the ADM
administration server in use here. The way it works (correct me if I goof,
Rob?) is each principal for which instances can be created has a set of ACLs
controlling things like who can create and delete instances. You can log into a
random machine as a user with said privilege, run shkbob, and it uses rxkad
crypt to secure a connection to the ADM server, which creates a key and passes it
back to you. Ideally, you log into said machine on console.
> > On Wed, 14 Aug 1996, Ken Hornstein wrote:
>
> :
> : And as a side note, how many people _really_ use a floppy/tape drive/whatever
> : to send the srvtab to various machines, and how many people just ftp it
> : over in the clear? I know that the stuff in the srvtabs should never go
> : in the clear, but since you only do it once ...
> :
> : --Ken
> :
>
> Then of course the one part people often forget is that when they go and
> remotely backup / on their systems it goes across in the clear again, and
> again, and again.... (This should be documented!)
Any workstations which we back up use Amanda for backups, and we have it
configured to encrypt dumps of / as they go over the network, at least.
-D