> > rdist over ssh? It's not quite drop-in, but it's pretty easy to set up.
 > > (would be nice to get some out-of-the-box support for it though sometime.)
 > 
 > Copying the passwd file to all hosts doesn't scale very well
 > for even moderate numbers of users or hosts.  

Even a 10,000 user password file is well under a megabyte. Keeping
this on each machine just doesn't strike me as a particularly large
problem. And that's generally considered a large number of users.

Updating it to a couple of hundred machines *might* saturate the
network for a few minutes at 5 am or some other time nobody's doing
anything critical. If you use rsync, it wouldn't take even that.

 > It's also a pain 
 > to keep all of the password files current in the presence of host 
 > and network failures, 

This is precisely what rdist is for.

 > and to deal with each system's different
 > way of storing shadow password files.

And this is a couple of small awk scripts.

 > And we'd still need 
 > something like yppasswd (with something better than "privileged 
 > ports" for authentication) to let people change their passwords. 

% cat /usr/local/bin/passwd
#!/bin/sh
exec ssh centralhost "passwd $*"

Salt to taste.

 > > Nothing anyone does to YP will ever really be more than a bandaid.
 > 
 > granted.  If I had the luxury of replacing all of the "login" programs
 > on all of the systems, I'd start with Kerberos and work up from there.  
 > Meanwhile, a bandaid would do a lot to thwart this very common kind of
 > attack.  

Kerberos is far from an ideal solution itself.
-- 
   - David A. Holland             | (please continue to send non-list mail to
     dholland@cs.utoronto.ca      | dholland@hcs.harvard.edu. yes, I moved.)