config management Re: [nycbug-talk] A couple of security related questions
Tue Oct 5 15:39:09 EDT 2004
On Tue, Oct 05, 2004 at 01:15:08PM -0400, George Georgalis wrote:
> On Mon, Oct 04, 2004 at 01:33:58PM -0600, Tillman Hodgson wrote:
> >Which was somewhat unsatisfying because I still had to pull down changes
> >from each box rather than centrally push them out. So I implemented a
> >Kerberos realm and used ClusterIt to enable parallel network shells to
> >do maintenance with.
> me wants to try Kerberos someday. don't think LDAP will make it into my
After using it for a year or two, I wrote the Kerberos5 chapter of the
Handbook ... and I've been meaning to re-write it ever since ;-)
It's definitely an addictive technology. Very Unixish in the "lego
brick" sense. Currently I use Kerberos for authentication, NIS for
authorization & meta-data (the passwd field is set to 'krb5'), and IPsec
in transport mode to secure NIS. But I could rip out any given piece of
it and re-architect if necessary, or even build a gateway to other
authentication & authorization technologies. Very nice.
> >So I ended up at http://www.infrastructures.org/ and started poking at
> >cfengine and other tools like that. The folks there have been working on
> >this very topic for a long time, and there's a lot of value in having
> >the dead-ends marked off with warning signs ;-)
> nice site. they have an interesting page on pushpull issues.
The mailing list is probably more important than the web site ...
> Which is a decent segue to my present issues.
... as the folks there talk about the issues you mention almost
When the center of the storm does not move, you are in its path.
- Ancient Fremen Wisdom
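
The setup described in the message above keeps authentication in Kerberos and leaves the NIS passwd field as the literal 'krb5'. As an added example (not part of the original post), this shell audit reads passwd-format lines and reports any entry that carries something else; the function names, the sample map and the treatment of '*' as a locked account are assumptions.

```sh
#!/bin/sh
# Added example: audit a NIS passwd map for entries that expose more than
# the 'krb5' placeholder. The sample data below is constructed.

# Reads passwd(5)-format lines (7 colon-separated fields) on stdin.
# Prints "user:finding" per problem entry; exit status is 1 if any were found.
# $1 = expected placeholder (default krb5, as in the post).
audit_passwd_map() {
    awk -F: -v placeholder="${1:-krb5}" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        NF < 7 { printf "%s:malformed (%d fields)\n", $1, NF; bad = 1; next }
        $2 == placeholder { next }              # auth is delegated to Kerberos
        $2 == "*" { next }                      # assumption: locked account, no hash
        $2 == "" { printf "%s:empty password field\n", $1; bad = 1; next }
        # crypt(3) output: modular "$id$..." or 13-character DES. Never echo it.
        $2 ~ /^\$/ || length($2) == 13 {
            printf "%s:password hash present\n", $1; bad = 1; next
        }
        { printf "%s:unexpected value\n", $1; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample map: one clean user, one locked account, four problems.
sample_map() {
    cat <<'EOF'
alice:krb5:1001:1001:Alice:/home/alice:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
bob:$1$constructed$NotARealHashValue000000:1002:1002:Bob:/home/bob:/bin/sh
carol::1003:1003:Carol:/home/carol:/bin/sh
dave:abcdefghijklm:1004:1004:Dave:/home/dave:/bin/sh
eve:krb5:1005:1005
EOF
}

sample_map | audit_passwd_map || echo "map has entries that need attention" >&2
```

Against a live domain the input would come from `ypcat passwd | audit_passwd_map` instead of the sample.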