[OpenAFS] Distributing passwd
John Rudd
jrudd@ucsc.edu
Thu, 12 Jun 2003 15:26:03 -0700
On Thursday, Jun 12, 2003, at 14:39 US/Pacific, Derek Atkins wrote:
> Nathan Neulinger <nneul@umr.edu> writes:
>> If not, faking the master will get you root on the client.
>
> Of course.. Similar with Hesiod.. or LDAP.. or....
Which is why we based our account system on a periodic, Kerberos-based,
file transfer when I was at Cygnus. We were particularly fanatic about
avoiding NIS. At UCSC, we use a combination of "passwd file copied
into/out of AFS space" and "Hesiod on some machines".
For LDAP, are there any nss-ldap modules that support using SSL/TLS
with client-side certificates? That would allow you to give each host
a client certificate for the SSL-LDAP requests, and keep a matching
server cert on the servers. If it can be set up properly, then a
forged server would fail the SSL/TLS handshake. If you can't, then
perhaps you could fake this by having clients use localhost for their
nss-ldap server, and then run stunnel out to the actual server.
Stunnel will do client+server certificate authentication on your
SSL/TLS session. Either way, that also gives you encrypted data.
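The stunnel arrangement described above, as an added example that is not from the original post or the OpenAFS project: a client-side stunnel listens on localhost for the nss-ldap lookups and opens a mutually authenticated TLS session to the directory server, while a server-side stunnel in front of the LDAP daemon refuses any client that does not present a certificate signed by the site CA. File paths, the hostname ldap.example.edu and the CA layout are constructed assumptions; the directives themselves (client, cert, key, CAfile, verify, accept, connect) are standard stunnel options.

```ini
; --- client side: /etc/stunnel/ldap-client.conf (constructed example) ---
; Act as a TLS client toward the real directory server.
client  = yes
; This host's own certificate and private key, issued by the site CA;
; the server side requires it, so a box without a valid cert gets nothing.
cert    = /etc/stunnel/host.pem
key     = /etc/stunnel/host.key
; CA that signed the directory server's certificate.
CAfile  = /etc/stunnel/ldap-server-ca.pem
; verify = 2: the peer MUST present a certificate and it MUST chain to CAfile.
; A forged server that cannot produce a CA-signed cert fails the handshake.
verify  = 2

[ldap]
; nss-ldap is pointed at localhost:389 (plain LDAP, never leaves the host);
; stunnel carries it to the server over TLS on port 636.
accept  = 127.0.0.1:389
connect = ldap.example.edu:636

; --- server side: /etc/stunnel/ldap-server.conf (constructed example) ---
; Server certificate and key (issued by the same site CA, or a server CA).
cert    = /etc/stunnel/ldap-server.pem
key     = /etc/stunnel/ldap-server.key
; CA that issued the per-host client certificates.
CAfile  = /etc/stunnel/host-ca.pem
; verify = 2 here means every connecting client must present a cert that
; chains to host-ca.pem; the directory never sees unauthenticated traffic.
verify  = 2

[ldaps]
accept  = 636
; slapd listens only on the loopback interface behind stunnel.
connect = 127.0.0.1:389
```

With this in place, nss-ldap's ldap.conf only needs `host 127.0.0.1` (or `uri ldap://127.0.0.1/`) and no TLS settings of its own. One caveat worth knowing: older stunnel releases verify the certificate chain but not that the server's certificate name matches the host you meant to reach, so the server CA should issue certificates only to the directory servers; recent stunnel (5.x) can additionally pin the expected name with `checkHost`.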
I personally hope to get some project time for investigating the
auto-cvs (using gssapi for authentication) + cfengine method, but that
won't happen until after the summer (though, one of my peers, who also
reads this list, is looking over cfengine right now ... maybe I can
convince him to look at the cvs part, too). Does anyone see any
potential issues with that? (I don't recall if cvs with gssapi
actually encrypts the data or just the auth part)