Operating System - HP-UX

Trusted Systems and Remote Distribution

 
Ryan B
Frequent Advisor

Trusted Systems and Remote Distribution

We are currently using rdist to replicate user accounts and passwords between our systems and it works well for our environment. However, has anyone used rdist in a trusted systems environment? If so, does it work, any issues, etc...??

Thank you
Your help is appreciated
-Lay
Ken Hubnik_2
Honored Contributor

Re: Trusted Systems and Remote Distribution

I have periodically replaced the password file on the fly without any problem on a trusted system. I would suggest setting this up on a development server and saving a copy of the original password file and trying it for awhile before moving forward.
Keith Buck
Respected Contributor

Re: Trusted Systems and Remote Distribution

rdist is a clear-text protocol. As such, it is possible for any network user to monitor any data being transmitted. Thus, if you are concerned enough about the confidentiality of passwords to convert to a trusted system, you probably don't want to send them over the network in clear-text.

If you're going to do something like this, I'd recommend at least using an authenticated, encrypted protocol. I don't know of anything which has the same use model as rdist, but it wouldn't be too hard to craft something using ssh and friends. For example, you could do something like this:

Install HP-UX Secure Shell on all machines.

on 'server':

# generate a DSA key pair for root on 'server' (~/.ssh/id_dsa and ~/.ssh/id_dsa.pub)
ssh-keygen -d

# list of clients
clients="client1 client2 client3"

# distribute the public key: append it to root's authorized_keys2 on each client
# (create ~/.ssh first, or the append fails on a client that has never used ssh)
for client in $clients; do
  cat ~/.ssh/id_dsa.pub |
  ssh root@$client "
    mkdir -p ~/.ssh
    chmod 700 ~/.ssh
    cat >> ~/.ssh/authorized_keys2
    chmod 644 ~/.ssh/authorized_keys2
  "
done

< type in 'yes' and root's password on each machine...make sure your network is safe during this time >


Now, to distribute your account info, you can do (on 'server'):

for client in $clients; do
  # copy the whole /tcb tree and /etc/passwd to the root of each client
  scp -r /tcb /etc/passwd root@$client:/
done

as often as you'd like (this assumes that you've converted to trusted at some point). The entire tcb directory structure will be copied over.

This has a couple of problems, especially when it comes to account expiration. If people don't log into 'server', then their account will expire on all the clients (oops...)

Note that I wrote this on the fly and it hasn't been tested, so you'd want to try it on some test systems first.

Another alternative is LDAP-UX, but I don't have any personal experience with it. It's made for managing stuff like this.

Hope that helps.

-Keith
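The scp loop in Keith's reply copies /tcb and /etc/passwd blind, and Ken's reply suggests keeping a copy of the original password file before trying this. The script below is an added example, not code from this thread or from HP-UX: it keeps Keith's ssh transport but checks the passwd file before shipping it, verifies a checksum on the client, saves the client's current files, and only then unpacks. The function names (passwd_ok, stage_bundle, install_bundle, distribute_accounts), the STAGE_DIR and SSH_CMD variables, and the assumption that every client shares the server's /tcb and /etc layout are mine; setting SSH_CMD to "sh -c" runs the client side locally for a dry run on a test box.

```shell
#!/bin/sh
# Added example, not code from the thread: a verified replacement for the
# "scp -r /tcb /etc/passwd root@$client:/" loop above, combining Keith's ssh
# transport with Ken's advice to keep a copy of the original password file.
# Assumptions (hypothetical names, not HP-UX tools): STAGE_DIR is writable on
# every host, the client has the same tcb/ and etc/ layout as the server, and
# SSH_CMD is how commands reach the client ("sh -c" runs them locally).
STAGE_DIR="${STAGE_DIR:-/var/tmp}"
SSH_CMD="${SSH_CMD:-ssh root@client1}"

# Refuse to ship a passwd file that would lock users out: 7 colon-separated
# fields per line, a user name, numeric uid and gid, no duplicate names.
passwd_ok() {  # $1 = passwd file; prints each problem, exits non-zero if any
  awk -F: '
    BEGIN { bad = 0 }
    NF != 7 { print "line " NR ": expected 7 fields, got " NF; bad = 1 }
    $1 == "" { print "line " NR ": empty user name"; bad = 1 }
    $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { print "line " NR ": uid/gid not numeric"; bad = 1 }
    seen[$1]++ { print "line " NR ": duplicate user " $1; bad = 1 }
    END { exit bad }' "$1"
}

# Pack tcb/ and etc/passwd relative to a root ("/" in production) into one
# archive and print its "cksum size" so the client can verify what it received.
stage_bundle() {  # $1 = source root, $2 = archive path
  ( cd "$1" && tar -cf - tcb etc/passwd ) > "$2" || return 1
  cksum "$2" | awk '{ print $1, $2 }'
}

# Copy the archive to one client over SSH_CMD, verify the checksum there, save
# the client's current files under STAGE_DIR, and only then unpack.
install_bundle() {  # $1 = archive, $2 = expected "cksum size", $3 = client root
  stage="$STAGE_DIR/acct.$$.tar"
  $SSH_CMD "cat > $stage" < "$1" || return 1
  $SSH_CMD "
    set -e
    got=\$(cksum $stage | awk '{ print \$1, \$2 }')
    if [ \"\$got\" != '$2' ]; then
      echo 'checksum mismatch, not installing' >&2; rm -f $stage; exit 1
    fi
    cd '$3'
    bk=$STAGE_DIR/acct.backup.\$(date +%Y%m%d%H%M%S)
    mkdir -p \"\$bk/etc\"
    [ -d tcb ] && cp -pr tcb \"\$bk/\"
    [ -f etc/passwd ] && cp -p etc/passwd \"\$bk/etc/\"
    tar -xf $stage
    rm -f $stage
  "
}

# The loop from the post with the checks wired in.  Not run at load time;
# call it as: distribute_accounts / client1 client2 client3
distribute_accounts() {  # $1 = source root, remaining args = client host names
  root="$1"; shift
  bundle="$STAGE_DIR/acct.bundle.$$.tar"
  passwd_ok "$root/etc/passwd" || { echo "not distributing a malformed passwd file" >&2; return 1; }
  sum=$(stage_bundle "$root" "$bundle") || return 1
  for client in "$@"; do
    SSH_CMD="ssh root@$client"
    install_bundle "$bundle" "$sum" / || echo "FAILED: $client" >&2
  done
  rm -f "$bundle"
}
```

The checksum step is what makes this safer than a plain scp: a truncated or partial transfer is rejected on the client instead of being installed as the new /tcb, and the dated backup directory under STAGE_DIR gives you the file to put back if a bad push does get through. The expiration problem Keith describes is untouched by this; the script replicates whatever the server's tcb says, so accounts that are only ever used on the clients still need an aging policy set on the server.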

Ryan B
Frequent Advisor

Re: Trusted Systems and Remote Distribution

I will have to look into and test the thoughts on security. Thanks for the help.