Re: unix users and radius bootstrapping (fwd)

Craig Brozefsky (cosmo@dobie.ebs.net)
Tue, 25 Jun 1996 15:13:51 -0500 (CDT)

On Tue, 25 Jun 1996, John Simpson wrote:
>
> from the fact that you're using unix passwords for radius authentication, it
> sounds like the primary radius server is running on the machine that the shell
> accounts are on... if the secondary radius server is also using unix passwords
> for radius, wouldn't the user have to change their password on both machines
> in order to know for certain that their new password would be the one that the
> radius server authenticates against? if the password change only affects the
> primary server, and the primary server happens to be down when they try to log
> in, the radius server on the secondary machine will be checking against an old
> password, and the user won't get on.

This is what we are doing here locally, but we use quite a different, and
much more secure method for synching the password files between the two
servers, as well as other useful files.

> one way around this would be to run nis or something that allows a shared
> password database, and put a line like this (we don't run nis here so i'm not
> 100% sure of the syntax.)

Well NIS is a major security bug and any high schooler would crack your
system open if you are using it (granted they know how to use IRC and
type "Can ewe d00ds give m3 the sk1ptz f0r NIS haxor1ng"). So I would
suggest another method, like rdist (hah, just kidding, rdist is only
slightly more secure than NIS, which means it will take a high schooler
at least two months in the hacking scene to acquire the scriptz for rdist
exploitation) or more likely your own custom deal to transfer the
files. We use a daemon we wrote ourselves to synch the files across all
the machines.
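The failure mode John describes above, a secondary RADIUS host still holding a user's old Unix password hash after the primary was updated, is easy to detect before it bites. The script below is an added example and is not Craig's sync daemon or any tool from the thread; it compares two shadow-format password databases (the two inline samples are constructed, with fake hashes) and reports users whose hashes have drifted, users missing on the secondary, and users present only on the secondary.

```python
"""
Detect password-hash drift between two Unix password databases, such as the
/etc/shadow copies on a primary and a secondary RADIUS host.  Added example,
not part of the original thread and not any real sync tool.  The two shadow
texts below are constructed samples with obviously fake hashes.
"""

# Constructed: the primary's shadow file after alice changed her password.
PRIMARY_SHADOW = """\
root:FAKEHASH-root:19000:0:99999:7:::
alice:FAKEHASH-alice-new:19010:0:99999:7:::
bob:FAKEHASH-bob:19000:0:99999:7:::
carol:FAKEHASH-carol:19000:0:99999:7:::
"""

# Constructed: the secondary still holds alice's old hash and never got carol.
SECONDARY_SHADOW = """\
root:FAKEHASH-root:19000:0:99999:7:::
alice:FAKEHASH-alice-old:18990:0:99999:7:::
bob:FAKEHASH-bob:19000:0:99999:7:::
"""


def parse_shadow(text):
    """Return {username: password_hash} from shadow-format text.

    Blank lines and '#' comments are skipped; a line with fewer than two
    colon-separated fields is treated as corrupt and raises ValueError.
    """
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed shadow line: %r" % line)
        entries[fields[0]] = fields[1]
    return entries


def find_drift(primary_text, secondary_text):
    """Compare two shadow databases and classify the differences.

    Returns a dict with sorted lists under three keys:
      'stale'   users whose hash differs, so the secondary would accept an
                old password (or reject the new one) while the primary is down
      'missing' users on the primary that the secondary does not know at all
      'extra'   users only on the secondary, which should not happen if the
                primary is the sole place passwords are changed
    """
    primary = parse_shadow(primary_text)
    secondary = parse_shadow(secondary_text)
    stale = [u for u, h in primary.items() if u in secondary and secondary[u] != h]
    missing = [u for u in primary if u not in secondary]
    extra = [u for u in secondary if u not in primary]
    return {"stale": sorted(stale), "missing": sorted(missing), "extra": sorted(extra)}


if __name__ == "__main__":
    report = find_drift(PRIMARY_SHADOW, SECONDARY_SHADOW)
    for kind in ("stale", "missing", "extra"):
        print("%-8s %s" % (kind + ":", ", ".join(report[kind]) or "-"))
```

Run it against copies of the two hosts' files on a schedule and page on a non-empty `stale` or `missing` list; only the hashes are compared, so the check itself never needs a cleartext password, and the copies should be fetched over whatever authenticated channel you already trust for the sync rather than NIS.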