[Haskell-cafe] Parse text difficulty

MR K P SCHUPKE k.schupke at imperial.ac.uk
Fri Dec 10 08:55:49 EST 2004


At the moment the unix encrypted passwords are downloaded using
sov_slave (an application written by ICT that talks directly
to the SOV database)... As far as I am aware all unix clusters
in college that are part of ICT's single sign-on use this method
unless you have recently changed them...

I am suggesting that if there are currently no restrictions on which
machines can download using sov_slave, then such restrictions should
be put in place.

We use scp to update the shadow password files directly on each machine,
so the unix crypted password is not exposed (except on a legacy YP domain
which is not used by us anymore for password authentication)...

I should be able to disable this YP domain, in which case there would
be no exposure of the unix passwords, except the possibility of snooping
the sov_slave transfer. This in turn could be done over an encrypted
SSH tunnel, removing _all_ exposure of the passwords.

(we would still download using sov_slave - but as we would authenticate
using an ssh key, and only the shadow files would be updated, there
would be no exposure)...

Anyway that is all temporary, we intend to move to Kerberos, once 
I have sorted out a couple of issues (like ACLs for restricted access
machines).

	Keean.

