config management Re: [nycbug-talk] A couple of security related questions
Tillman Hodgson
tillman
Tue Oct 5 15:39:09 EDT 2004
On Tue, Oct 05, 2004 at 01:15:08PM -0400, George Georgalis wrote:
> On Mon, Oct 04, 2004 at 01:33:58PM -0600, Tillman Hodgson wrote:
> >Which was somewhat unsatisfying because I still had to pull down changes
> >from each box rather than centrally push them out. So I implemented a
> >Kerberos realm and used ClusterIt to enable parallel network shells to
> >do maintenance with.
>
> me wants to try Kerberos someday. don't think LDAP will make it into my
> systems.
After using it for a year or two, I wrote the Kerberos5 chapter of the
Handbook ... and I've been meaning to re-write it ever since ;-)
It's definitely an addictive technology. Very Unixish in the "lego
brick" sense. Currently I use Kerberos for authentication, NIS for
authorization & meta-data (the passwd field is set to 'krb5'), and IPsec
in transport mode to secure NIS. But I could rip out any given piece of
it and re-architect if necessary, or even build a gateway to other
authentication & authorization technologies. Very nice.
> >So I ended up at http://www.infrastructures.org/ and started poking at
> >cfengine and other tools like that. The folks there have been working on
> >this very topic for a long time, and there's a lot of value in having
> >the dead-ends marked off with warning signs ;-)
>
> nice site. they have an interesting page on pushpull issues.
The mailing list is probably more important than the web site ...
> Which is a decent segue to my present issues.
... as the folks there talk about the issues you mention almost
exclusively :-)
-T
--
When the center of the storm does not move, you are in its path.
- Ancient Fremen Wisdom