>But then remote administration goes all to hell. Secure external >access methods (Skey, SecureID, et al.) could be used to admin the >machines remotely, but the inital setup would cost a considerable >amount of time. On a slightly different topic. But since S/Key was mentioned... Almost all of the S/Key packages I've seen have a problem (actually there are a couple of problems with s/key but the pro's still outweigh the con's). The installation sets the /etc/skeykeys file to a world readable mode ( 644 ). This seems to be the case in both Bellcore and Weitse's packages. Needless to say that on a system using shadowed passwords and having most of their users using s/key... This defeats the benefits of having a shadowed password system in the first place. The only thing I see changing this file to a more rational mode (ie 600) would break is the keyinfo program. Not much of a loss in my eyes. PeiterZ