From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: tuhs-bounces@minnie.tuhs.org X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=0.9 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,SUBJ_ALL_CAPS autolearn=no autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id 9faec9c5 for ; Wed, 7 Nov 2018 01:34:53 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id 34DCFA22D8; Wed, 7 Nov 2018 11:34:52 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id 1EF43A22A0; Wed, 7 Nov 2018 11:34:34 +1000 (AEST) Received: by minnie.tuhs.org (Postfix, from userid 112) id 15926A22A0; Wed, 7 Nov 2018 10:00:07 +1000 (AEST) Received: from oclsc.com (oclsc.com [206.248.137.164]) by minnie.tuhs.org (Postfix) with SMTP id 09B5B94111 for ; Wed, 7 Nov 2018 10:00:04 +1000 (AEST) From: Norman Wilson To: tuhs@tuhs.org Date: Tue, 06 Nov 2018 19:59:53 -0400 Message-ID: <1541548796.10679.for-standards-violators@oclsc.org> Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" A. P. Garcia: I'd be interested in knowing where a pure unix environment exists, beyond my imagination and dreams that is. ==== For starters, the computing facility used for teaching in the Department of Computer Science at the University of Toronto. Linux workstations throughout our labs; Linux file servers and other back-ends, except OpenBSD for the Kerberos KDCs and firewalls. And yes, we use Kerberos, including Kerberized NFS for (almost) all exports to lab workstations, which cannot be made wholly secure against physical breakins by students. (There's no practical way to prevent that entirely.) Except we also use traditional UNIX /etc/shadow files and non-Kerberized NFS for systems that are physically secure, including the host to which people can ssh from outside. If you don't type a password when you log in, you cannot get a Kerberos TGT, so you wouldn't have access to your home directory were it Kerberized there; and we aren't willing to (and probably couldn't) forbid use of .ssh/authorized_keys for users who know how to do that. Because we need to maintain the password in two places, and because we create logins automatically in bulk from course-registration data, we've had to write some of our own tools. PAM and the ssh GSSAPI support suffice for logging in, but not for password changes or account creation and removal. Someday we will have time to look at LDAP. Meanwhile we distribute /etc/passwd and /etc/shadow files (the latter mostly blanked out to most systems) via our configuration- management system, which we need to have to manage many other files anyway. Norman Wilson Toronto ON