managing user accounts without NIS

Victor Ortega vor+ at pitt.edu
Sat May 20 14:26:18 PDT 2000


On Sat, 20 May 2000, Crutcher Dunnavant wrote:
> Why do you not want to use NIS?

Because I want high availability, high performance, security, and
standard usage for users.

> the overhead from NIS is gonna be about the 
> same as any system you have for publishing out /etc/passwd

Not true.  The solution I seek would only redistribute /etc/shadow on
password changes and /etc/passwd on shell changes; both types of
changes are fairly rare in comparison to the number of authentications
that occur on any time scale.  So for normal usage of authentication
procedures, there would be no performance penalty or network activity
as is seen by NIS or NFS.

> Or you could use NFS to publish /etc/passwd itself.

The unavailability of /etc/passwd is not an option, as this would
render a disconnected node inaccessible by regular users (and *all*
nodes inaccessible, even on console, if the server goes down).

> NIS and NFS are pretty efficient at what they do, and can be
> configured to cache to some extent. Why reinvent them?

NIS and NFS are insecure and incur performance penalties.  I'm looking
for better alternatives.  My idea of setuid-root wrappers (using rsync
for distribution of relevant files) already provides a more secure,
high-performance, high-availability alternative; I just want to make
sure that there isn't something better out there already, and that I'm
not overlooking some potential security hole.

Victor
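
Added example, not part of the original message and not the poster's code: a receiving-node check for the push-on-change scheme described above, which validates a transferred /etc/passwd and /etc/shadow pair and installs each file by atomic rename so authentication never reads a partial file. The names validate_pair and install_atomic, the specific checks, and the sample entries are assumptions made for illustration.

```python
import os
import tempfile

# Constructed sample files (standard 7-field passwd, 9-field shadow); not real accounts.
GOOD_PASSWD = "root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n"
GOOD_SHADOW = "root:$6$salt$hash:11097:0:99999:7:::\nalice:$6$salt$hash:11097:0:99999:7:::\n"

def validate_pair(passwd_text, shadow_text):
    """Hypothetical pre-install check: return a list of problems, empty if acceptable."""
    errors, users, shadowed = [], {}, set()
    for n, line in enumerate(passwd_text.splitlines(), 1):
        f = line.split(":")
        if len(f) != 7 or not f[0] or not (f[2].isascii() and f[2].isdigit()):
            errors.append(f"passwd line {n}: malformed")
            continue
        if f[0] in users:
            errors.append(f"passwd line {n}: duplicate user {f[0]}")
        if f[1] != "x":  # hash or empty field in world-readable passwd
            errors.append(f"passwd line {n}: {f[0]} password field is not 'x'")
        if int(f[2]) == 0 and f[0] != "root":  # a second superuser account
            errors.append(f"passwd line {n}: {f[0]} has UID 0")
        users[f[0]] = int(f[2])
    for n, line in enumerate(shadow_text.splitlines(), 1):
        f = line.split(":")
        if len(f) != 9 or not f[0]:
            errors.append(f"shadow line {n}: malformed")
            continue
        if f[1] == "":  # empty field means login without a password
            errors.append(f"shadow line {n}: {f[0]} has an empty password field")
        shadowed.add(f[0])
    if users.get("root") != 0:  # a truncated transfer must not lock out root
        errors.append("passwd: no root entry with UID 0")
    errors += [f"shadow: no entry for {u}" for u in users if u not in shadowed]
    return errors

def install_atomic(path, text, mode):
    """Write a temp file beside path, then rename so readers never see a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fchmod(fh.fileno(), mode)
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic on POSIX within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise
```

A node would call install_atomic only when validate_pair returns an empty list, using mode 0o644 for passwd and 0o600 for shadow.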





More information about the Beowulf mailing list