We run a SPARCserver 1000, 256 MB memory, 4 CPUs, Solaris 2.4, with
over 11,000 accounts at Northern Arizona University. We have been using
the standard passwd/shadow file systems for dealing with passwords,
partly because of security concerns with NIS/NIS+, plus NIS doesn't have
a particularly easy way to reset passwords if the user has forgotten
his/her password (and that happens a lot here). We have had bad experiences
with conflicts in running the passwd utility to change passwords; due to
what we have concluded is an insufficiently robust file locking mechanism in
passwd (it just "touches" /etc/.pwd.lock) we have several times a day for
the last few days had our shadow file completely disappear! This chaotic
condition is claimed to be probably due to a run condition by Sun, but
Sun says nobody else has this problem, so instead of fixing it, they
recommended we switch to NIS or NIS+. So, my question is, given our
university environment, how have other similar institutes dealt with managing
and changing passwords on large machines like this? What security concerns
have been addressed? How do you deal with forgotten passwords? Is Kerberos
potentially a better solution? Feedback would be most appreciated.
-- Tobias
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Computing Technology Services //\ . , Tel: 520-523-6158
Northern Arizona University // `\//\//\ Fax: 520-523-7407
Box 5100 (Bldg. 54A, Knowles Drive) // ` ` `\
Flagstaff, AZ 86011 ---'' N.A.U. `---
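
The failure described in the post above, as an added example (not part of the original post and not Sun's passwd code): a lock that is really held and refused under contention, combined with write-to-temp-then-rename so the target file is never missing or half-written. The function names, the choice of flock(), and any paths passed in are assumptions for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Take an exclusive advisory lock. Returns the lock fd, or -1 if another
 * holder has it. Merely creating or touching the file would always succeed. */
int lock_acquire(const char *lockpath) {
    int fd = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) { close(fd); return -1; }
    return fd;
}

void lock_release(int fd) { if (fd >= 0) { flock(fd, LOCK_UN); close(fd); } }

/* Replace target atomically: write a temp file in the same directory,
 * flush it to disk, then rename() it over the target. */
int replace_file(const char *target, const char *data) {
    char tmp[4096];
    size_t len = strlen(data);
    int n = snprintf(tmp, sizeof tmp, "%s.tmp.%ld", target, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof tmp) return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, data, len) != (ssize_t)len || fsync(fd) != 0) {
        close(fd); unlink(tmp); return -1;
    }
    close(fd);
    if (rename(tmp, target) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Update under the lock; if the lock is busy the target is left untouched. */
int locked_update(const char *lockpath, const char *target, const char *data) {
    int lk = lock_acquire(lockpath);
    if (lk < 0) return -1;   /* busy: caller should retry later */
    int rc = replace_file(target, data);
    lock_release(lk);
    return rc;
}
```

Because rename() swaps the directory entry in one step, a reader sees either the old file or the new one, even if the writer dies partway through.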