config management Re: [nycbug-talk] A couple of security related questions

Tillman Hodgson tillman
Tue Oct 5 15:39:09 EDT 2004

On Tue, Oct 05, 2004 at 01:15:08PM -0400, George Georgalis wrote:
> On Mon, Oct 04, 2004 at 01:33:58PM -0600, Tillman Hodgson wrote:
> >Which was somewhat unsatisfying because I still had to pull down changes
> >from each box rather than centrally push them out. So I implemented a
> >Kerberos realm and used ClusterIt to enable parallel network shells to
> >do maintenance with.
> me wants to try Kerberos someday. don't think LDAP will make it into my
> systems.

After using it for a year or two, I wrote the Keberos5 chapter of the
Handbook ... and I've been meaning to re-write it ever since ;-)

It's definitely an addictive technology. Very Unixish in the "lego
brick" sense. Currently I use Kerberos for authentication, NIS for
authorization & meta-data (the passwd field is set to 'krb5'), and IPsec
in transport mode to secure NIS. But I could rip out any given piece of
it and re-architect if necessary, or even build a gateway to other
authentication & authorization technologies. Very nice.

> >So I ended up at and starting poking at
> >cfengine and other tools like that. The folks there have been working on
> >this very topic for a long time, and there's a lot of value in having
> >the dead-ends marked off with warning signs ;-)
> nice site. they have an interesting page on pushpull issues.

The mailing list is probably more important than the web site ...

> Which is a decent segue to my present issues.

... as the folks there talk about the issues you mention almost
exclusively :-)


When the center of the storm does not move, you are in its path.
	- Ancient Fremen Wisdom

More information about the talk mailing list