[nycbug-talk] Do you guys/gals _____ify your _____ boxes?
Brian Cully
bcully at gmail.com
Mon May 18 17:20:48 EDT 2009

On 18-May-2009, at 15:31, Matt Juszczak wrote:

> Do you guys/gals cfengineify your cfengine boxes?

When I set up cfengine I clone the complete contents of the box to
every other box it manages. Thus any box can become any box with the
flip of a switch, including the cfengine master. This methodology
would probably apply to puppet itself.

> Do you guys/gals ldapify your ldap boxes?

I don't use LDAP, but I do use Kerberos, and in that case, no, I do
not use Kerberos to manage access to the Kerberos server. I have no
real reason for this except that it assuages my security-related
anxiety, and if there's some issue with Kerberos I still need to get
access to that box somehow.

FWIW, I consider my auth boxen to require the most restrictive kinds
of security. I don't even put telnet/ssh on them. If they have issues
you either need physical access or some other kind of highly secure
back channel to get into them and deal with it, so in that sense the
question doesn't even apply: you can't use Kerberos to auth non-
existent services.

-bjc