Davor Ocelic <[EMAIL PROTECTED]> writes:

>> 2. Do we really need separate identities for separate machines? My
>> understanding was that the whole service/[EMAIL PROTECTED] convention
>> was for preventing man-in-the-middle attacks for things like
>> kerberized telnet. If we're only using kerberos in order to
>> support AFS, I don't know if it's really necessary.
>
> We use kerberos for everything?
I'm having trouble parsing this. We don't use kerberos for: http,
telnet, pop3/imap, or (AFAICT) any TCP-based protocol. As far as I can
tell, we use it only for PAM and AFS. I'm okay with it staying this way;
anything that needs to check user passwords should be using PAM.

>> Also, if we go with a single user per service across all hosts,
>> we can give it the same userid in /etc/passwd and pts,
>> eliminating the ID>1000 stuff.
>
> How would that affect Debian postinst scripts that do something like
> 'adduser --system mysql' ?

When debian postinst scripts create users, we would need to pass the
appropriate "-id" flag to pts when creating the corresponding user. But
since debian creates 10<ID<1000 and we've left pts identities 10..1000
unused, there will be no problem.

> However I'd like to see as much simplification as possible, so if you
> don't think we'll ever need this functionality, ... And you could also
> clarify the note about kerberos from above..

Definitely.

- a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
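The /etc/passwd-to-pts id matching discussed in the message above (Debian system users in the 10 < UID < 1000 range getting the same numeric id in AFS pts via `pts createuser -name NAME -id UID`), as an added example that is not part of the original thread and not HCoop's own tooling. It assumes two input files: a passwd-format file and a saved `pts listentries` style dump ("Name ID Owner Creator" lines); the file names and the sample entries are constructed for the example, and nothing here runs `pts` itself, it only prints the plan and the commands so an admin can review them before applying.

```shell
#!/bin/sh
# Added example (not from the original thread). Mirror Debian system users
# (10 < UID < 1000) into AFS pts with the same numeric id, and flag clashes.
# Inputs are plain files so this runs offline; no pts command is executed.

# pts_sync_plan PASSWD_FILE PTS_DUMP
# Prints one line per system user found in PASSWD_FILE:
#   OK <name> <uid>                 already in pts with the same id
#   CREATE <name> <uid>             missing from pts; needs `pts createuser -name <name> -id <uid>`
#   CONFLICT <name> <uid> <ptsid>   name exists in pts under a different id (do not silently create)
pts_sync_plan() {
  passwd_file=$1
  pts_dump=$2
  awk -F: -v dump="$pts_dump" '
    BEGIN {
      # Load the existing pts entries: skip the header, map name -> id.
      while ((getline line < dump) > 0) {
        sub(/^[ \t]+/, "", line)
        n = split(line, f, /[ \t]+/)
        if (n < 2 || f[1] == "Name") continue
        have[f[1]] = f[2] + 0
      }
      close(dump)
    }
    # Only the Debian system-user range; pts ids 10..1000 are kept free for it.
    $3 > 10 && $3 < 1000 {
      name = $1; uid = $3 + 0
      if (!(name in have))        print "CREATE " name " " uid
      else if (have[name] == uid) print "OK " name " " uid
      else                        print "CONFLICT " name " " uid " " have[name]
    }
  ' "$passwd_file"
}

# pts_create_cmds PASSWD_FILE PTS_DUMP
# Emits the pts commands for the CREATE entries only (one per line).
pts_create_cmds() {
  pts_sync_plan "$1" "$2" | awk '$1 == "CREATE" {
    printf "pts createuser -name %s -id %s\n", $2, $3
  }'
}

# Constructed sample data for a stand-alone run (not real hosts or users).
demo() {
  d=$(mktemp -d)
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'mysql:x:107:113:MySQL Server:/nonexistent:/bin/false' \
    'postgres:x:108:114:PostgreSQL:/var/lib/postgresql:/bin/bash' \
    'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
    'alice:x:1000:1000::/home/alice:/bin/bash' > "$d/passwd"
  printf '%s\n' \
    'Name   ID   Owner Creator' \
    'mysql  107  -204  -204' \
    'www-data 999 -204 -204' > "$d/pts"
  pts_sync_plan "$d/passwd" "$d/pts"
  echo '---'
  pts_create_cmds "$d/passwd" "$d/pts"
  rm -rf "$d"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
  *sh) ;;
  *) demo ;;
esac
```

The CONFLICT case is the one worth keeping: a name that already exists in pts under another id (here a constructed `www-data` at 999) means some host's passwd and pts disagree, and creating a second entry would only make the mismatch permanent.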
