On Sat, Sep 05, 2009 at 07:43:04PM +0200, soko.tica wrote:
> On 9/4/09, Joachim Schipper <joac...@joachimschipper.nl> wrote:
> > I'm inclined to question your "should",
> 
> My intention is just to give a try to Kerberos. If a few lines of
> elaboration are not too inconvenient to you, it would be great to read
> them.

It's very good to be familiar with Kerberos, so trying it out is a very
good idea.

But getting a full LDAP/Kerberos infrastructure going is still a lot of
work. OpenBSD now finally has ypldap(8), which removes one of the
biggest reasons to stay away from such a design, but it's still a
complex setup. And the worst part: since the system administrator *must*
be able to log in even if Kerberos is down, it won't help you at all.

And since you are on a small network with a limited amount of users, it
simply doesn't seem all that useful. Why don't you just keep a single
"master" /etc/master.passwd file and send that to all hosts? (Do look at
pwd_mkdb(8) first.)

This is not to knock Kerberos - it's actually pretty nice - and not to
dissuade you from experimenting with it - which is actually a pretty
good idea - but I would like to point out that you are going to need to
keep your own username and password in sync across all hosts without the
help of Kerberos anyway, so for computers that only have administrators
accessing them, it doesn't seem too useful.

(You can, of course, Kerberize all sorts of extra services; this is
neat, but in almost all cases single-sign-on can be replaced by logging
in and keeping your passwords on a machine.)

> > Do note that FTP is pretty much a relic.
> 
> The single reason of trying ftp/tftp is to make available -stable
> filesets to all local -stable running boxes. I am not aware of any
> other possibility. Or did I miss something?

pkg_add(1) supports lots of protocols: ftp works, yes, but so do http,
https, and even scp.

                Joachim
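The "single master /etc/master.passwd pushed to every host, then pwd_mkdb(8)" approach from the reply above, as an added example that is not part of the thread or of OpenBSD itself. It sanity-checks the master file before anything leaves the admin box (10 fields per master.passwd(5) line, no empty root password, no duplicate UIDs), then copies it over scp and rebuilds pwd.db/spwd.db (and /etc/passwd via `-p`) on each host. The host names, the `DRY_RUN` switch, the `/etc/master.passwd.new` staging path and root logins over ssh are all assumptions; the sample file is constructed and its hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): validate a "master" master.passwd and
# push it to a list of hosts, rebuilding the password databases with pwd_mkdb(8).
# Assumptions: ssh as root works to every host, DRY_RUN=1 prints instead of running.

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# OpenBSD master.passwd(5) lines have exactly 10 colon-separated fields:
# name:password:uid:gid:class:change:expire:gecos:home:shell
# Returns non-zero and reports each problem if the file should not be shipped.
check_master_passwd() {
    file="$1"
    awk -F: '
        /^#/ || /^$/ { next }
        NF != 10 { printf "line %d: %d fields, expected 10\n", NR, NF; bad = 1; next }
        $1 == "root" && $2 == "" { printf "line %d: root has an empty password\n", NR; bad = 1 }
        ($3 in seen) { printf "line %d: uid %s already used by %s\n", NR, $3, seen[$3]; bad = 1 }
        { seen[$3] = $1 }
        END { exit bad ? 1 : 0 }
    ' "$file"
}

# Copy the checked file to each host, install it with mode 0600 and rebuild
# /etc/pwd.db, /etc/spwd.db and /etc/passwd (pwd_mkdb -p) there.
push_master_passwd() {
    file="$1"; shift
    check_master_passwd "$file" || return 1
    for host in "$@"; do
        run scp -q "$file" "root@$host:/etc/master.passwd.new" || return 1
        run ssh "root@$host" \
            'chmod 600 /etc/master.passwd.new && mv /etc/master.passwd.new /etc/master.passwd && pwd_mkdb -p /etc/master.passwd' \
            || return 1
    done
}

# Constructed sample master.passwd; the hashes are placeholders, not real ones.
sample_master_passwd() {
    cat <<'EOF'
root:$2b$10$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
admin:$2b$10$PLACEHOLDERHASHyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:1000:1000:staff:0:0:Admin User:/home/admin:/bin/ksh
EOF
}

# Usage (dry run against two assumed hosts):
#   DRY_RUN=1 sh sync-master-passwd.sh /etc/master.passwd host-a host-b
if [ $# -ge 2 ]; then
    push_master_passwd "$@"
fi
```

The check runs before the first scp so a typo in the master file cannot lock every host out at once; running it in dry-run mode first shows exactly which commands would go to which host.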
