johnj@welch.jhu.edu (John A. Johnston) (03/29/91)
We're approaching an era of having several "remote" machines that we need to update some system & software files on.(source & obj) Trying to keep this as secure as possible & with programs like mail or finger and /etc/hosts which are usually root owned, I was wondering what is the proper way to do the distribution with rdist? Needing root access makes me leery. The one scenario we came up with that might work is to have an account for updates on the distribution machine with a 0 uid: update:8LZj4WEYyra0I:0:3:Updates:/update:/bin/csh Taking into account no secure pty's & no .rhosts file for maint. And a similar account on the remote host, but without a real password & shell: update:NONE:0:3:Updates:/update:/bin/nosuchshell To get this to work in a test, we had to have on the recipient host: /.rhosts ~update/.rhosts With the distribution host as the only entry. This allows - the desired distribution, - a secure remote host o no direct login to the maint account o no root access via pty - a secure sending host o no contact from remote host o distribution account as secure as root So, am I missing anything? How do some other sites make use of rdist for root type files, and maintain a secure environment? A summary will follow ... basic disclaimers. Thanks, -johnj