On May 2, 2011 2:14 PM, "Kenneth Wolcott" <kennethwolc...@gmail.com> wrote:
>
> It looks like you have a great working system for annually forcing
> the change of UNIX passwords in a systematic manner, but it would
> definitely not be good to emulate your system in the general case
> because very few people on this list (I'm betting here) are in such a
> situation, as you have described in your answer to Shawn. Your
> script(s) work almost flawlessly without the controls normally very
> necessary because you have externally controlled the conditions so
> thoroughly. Therefore your solution is definitely not one that can be
> emulated generally.
>
This is almost certainly OT here, but there are very popular solutions for doing this that are most certainly more fault tolerant and secure. I submit LDAP, NIS, and ypbind (in order of preference). Jim might be working with systems that are normally kept offline (metal detectors and chemical monitoring come to mind) where this might not be a viable solution. Or there are political reasons (probably both). However, for most, this is (badly) reinventing the wheel. Actually, if anyone thinks of implementing security on their own, they will probably fail BADLY. I can think of two examples offhand and probably find at least a dozen more public examples where this has happened. So, if you are dealing with access control (passwords apply here), databases, web design, and physical access, think very long (and I do mean long) if you are considering not using a prebuilt API.