This sounds interesting. What would you replace krb5 with, if you don't mind me asking? I was contemplating krb5, but the setup and such is a pain for me (because I am not familiar with it). I'll probably wind up rolling something custom with LDAP and YP mappings thrown in.

On 1/4/2015 2:26 AM, David Gwynne wrote:
On 2 Jan 2015, at 9:52 pm, Brian Empson <br...@teamhandbanana.com> wrote:

I'm looking into a way to sync up group and user information across a network of OpenBSD machines. I like YP, except that I don't need the password hashes transferred across the network. I like that it's built right into the base install, are there better ways to handle synchronizing login details across multiple machines that is built into the base install? Preferably written by the OpenBSD team, too?

while not directly answering your question, i can say openbsd can do this kind of stuff without yp on the wire.

at work i use ypldap to get user/group information from active directory. we populate the rfc2307 attributes on our users and groups to make them useful on unix systems. we use the single directory as a name service backend for openbsd, solaris, linux, and windows (of course).

we're still using krb5 for password authentication. i really have to fix that.

we've also augmented the AD schema to store users' ssh keys in the directory too. sshd gets access to them via AuthorizedKeysCommand and a perl script. this allows ssh key based single sign on across all our unixish systems, even if their home directories are not available on the system. this is useful for providing services over ssh. an example of such a service we provide is svn and git on a dedicated server. all our users are on the system via ypldap, and they can auth using their own username and either a password or ssh key.

dlg
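As an added example (not code from this thread, and not dlg's perl script): a Python sketch of the AuthorizedKeysCommand lookup described above. It assumes the keys live in a directory attribute named sshPublicKey and that the lookup result arrives as LDIF; the sample entry is constructed. It shows the two checks a defender wants in such a script: the login name sshd passes in (%u) is validated before it can reach the search filter, and only well-formed keys are handed back to sshd.

```python
#!/usr/bin/env python3
# Added example, not the thread's own code: an AuthorizedKeysCommand-style helper
# that validates the login name sshd supplies, builds the directory search filter,
# and turns the LDIF result into authorized_keys lines. The attribute name
# sshPublicKey and the sample LDIF are assumptions / constructed data.
import re
import sys

# sshd hands us %u verbatim; only a plain login name may reach the LDAP filter,
# so a value such as "alice)(uid=*" can never widen the search.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Only forward syntactically sane public keys; anything else is dropped.
KEY_RE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S.*)?$")

# Constructed LDIF as a directory lookup might return it: one key folded across
# two lines, one bogus value. A real deployment would get this from ldap(1).
SAMPLE_LDIF = """dn: CN=alice,OU=Users,DC=example,DC=test
uid: alice
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeFakeFakeFakeFakeFakeFakeFak
 eFakeFakeFak alice@laptop
sshPublicKey: not-a-key garbage
"""

def ldap_filter(username: str) -> str:
    """Search filter for one account; rejects anything but a plain login name."""
    if not USERNAME_RE.match(username):
        raise ValueError("refusing unexpected username")
    return f"(&(objectClass=posixAccount)(uid={username}))"

def keys_from_ldif(ldif: str, attr: str = "sshPublicKey") -> list[str]:
    """Collect well-formed public keys from every attr: line of an LDIF entry."""
    unfolded = ldif.replace("\n ", "")  # LDIF continuation lines start with a space
    keys = []
    for line in unfolded.splitlines():
        if line.startswith(attr + ": "):
            value = line[len(attr) + 2:].strip()
            if KEY_RE.match(value):
                keys.append(value)
    return keys

if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "alice"
    print("# filter:", ldap_filter(user))
    print("\n".join(keys_from_ldif(SAMPLE_LDIF)))
```

Run it under a dedicated AuthorizedKeysCommandUser rather than root, as sshd_config(5) recommends for any AuthorizedKeysCommand.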
