Jan Parcel wrote:
>> I don't understand the advantage of diff vs. -newer. The latter is
>> simpler so why not use it? My suggested workaround also deals with the
>> case where the copy doesn't exist yet.
>>
>
> diff would correct a bad copy that is more recent than the original
>
>
>> As you've noted, the /etc/shadow file in the labeled zones is not used
>> by the desktop software. Just for remote login, e.g. ssh. So, while not
>> a perfect workaround, it is likely to satisfy the customer. Ultimately
>> the customer should be using ldap to keep passwords in sync.
>>
>
> Does ldap work with ssh?
>
It should, but I can't confirm that. This is really a PAM configuration issue since sshd isn't supposed to do anything different in this case of ldap authentication.

> Customers who want ssh often want it because ipsec for TX is not implemented.
> So some customers tell me that ssh is the only method of getting encrypted
> traffic. I have no idea if that is the issue with this cu.
>
Yes, that seems likely.

--Glenn