> On 2 Jan 2015, at 9:52 pm, Brian Empson <br...@teamhandbanana.com> wrote:
>
> I'm looking into a way to sync up group and user information across a network
> of OpenBSD machines. I like YP, except that I don't need the password hashes
> transferred across the network. I like that it's built right into the base
> install, are there better ways to handle synchronizing login details across
> multiple machines that is built into the base install? Preferably written by
> the OpenBSD team, too?

while not directly answering your question, i can say openbsd can do this kind of stuff without yp on the wire.

at work i use ypldap to get user/group information from active directory. we populate the rfc2307 attributes on our users and groups to make them useful on unix systems. we use the single directory as a name service backend for openbsd, solaris, linux, and windows (of course).

we're still using krb5 for password authentication. i really have to fix that.

we've also augmented the AD schema to store users' ssh keys in the directory too. sshd gets access to them via AuthorizedKeysCommand and a perl script. this allows ssh key based single sign on across all our unixish systems, even if their home directories are not available on the system. this is useful for providing services over ssh.

an example of such a service we provide is svn and git on a dedicated server. all our users are on the system via ypldap, and they can auth using their own username and either a password or ssh key.

dlg
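
An added example, not part of the original message and not the poster's perl script: a sketch of the filtering an AuthorizedKeysCommand helper can apply to directory data before sshd sees it. The attribute name `sshPublicKey`, the `(uid=...)` filter, the helper path and the `_sshkeys` user are assumptions, and the LDIF input is whatever an LDAP search tool returns for the user.

```python
#!/usr/bin/env python3
"""Turn an LDIF directory entry into authorized_keys lines for sshd.

sshd_config (real directives; path and user below are assumptions):
    AuthorizedKeysCommand /usr/local/libexec/ldap-ssh-keys %u
    AuthorizedKeysCommandUser _sshkeys
"""
import base64
import re
import sys

KEY_ATTR = "sshpublickey"  # assumption: openssh-lpk style attribute name
# Allow-list for login names so nothing can alter the LDAP filter.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,30}$")
KEY_RE = re.compile(
    r"^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$")


def ldap_filter(user):
    """Build the search filter only after the login name passes the allow-list."""
    if not USER_RE.match(user):
        raise ValueError("refusing suspicious username")
    return "(uid=%s)" % user  # assumption: the directory maps logins to uid


def keys_from_ldif(ldif):
    """Return the well-formed public keys found in LDIF text."""
    # LDIF folds long values: a line starting with one space continues the previous one.
    unfolded = re.sub(r"\r?\n ", "", ldif)
    keys = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.lower() != KEY_ATTR:
            continue
        if value.startswith(":"):  # "attr:: <base64>" marks an encoded value
            try:
                value = base64.b64decode(value[1:].strip(), validate=True).decode("utf-8")
            except ValueError:
                continue
        value = value.strip()
        # Emit bare keys only: options such as command= never come from the directory.
        if KEY_RE.match(value):
            keys.append(value)
    return keys


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(1)
    ldap_filter(sys.argv[1])  # raises before any key is printed for a bad name
    print("\n".join(keys_from_ldif(sys.stdin.read())))
```

The helper should be owned by root and not writable by group or others, which sshd requires of an AuthorizedKeysCommand program.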