Letters

More on Certification

From Sergey Babkin
<babkin@bellatlantic.net>

I was delighted to see the letter from Daniel Brockman published in the August issue of ;login:. I completely share his concerns about the certification of system administrators. I do not work as a system administrator right now but I did in the past and maybe I shall do in the future.

I believe that certification benefits neither the professionals nor their clients. Does it benefit anyone? Of course it does. It benefits two social groups: the bureaucracy that conducts the certification and the people who can't stay in the business without being protected by a shield of certificate. We can easily find numerous examples in current life.

Take, for example, the Microsoft certification programs. No doubt, Microsoft makes very nice money from selling the materials for a high price and charging thousands of dollars for the certification itself. But that means that the professionals lose this money, and their clients lose this money too because they have to compensate these expenses. Does the presence of certification mean that its owner really knows something about the subject? I doubt it very much. I do not have much respect for the people I know who have this certification. I would not recommend them for any job requiring any intelligence. They are most enthusiastic about getting these certificates.

No wonder they are: if someone can't prove his knowledge by his job performance, his best strategy would be to hide behind the shield of a certificate or degree. So, if someone needs a person to support Microsoft systems I personally would specifically recommend to not hire anyone with the Microsoft certificate until he or she can prove successful work experience.

Let's look at automobile mechanics. Have you seen any of the franchised shops along the road, such as Midas, NTB, and so on, boasting about their certified mechanics? Have you had any experience with them? I have, and I will never do any business with any of them again. If someone boasts that he is certified by Goodyear, most probably that means that he is a misfit unable to balance wheels after four attempts and when doing that he will scratch the alloy rims with a file instead of using special weights.

I have recently met another example from the area of medicine, a highly certified area. After I moved I went for the first time to a new physician, selected blindly from a list. That was a wrong idea. He seemed to know less about medicine than I do, and I know very little. Well, I won't go to him any more and I'm quite happy with my new physician, referred to me by a friend.

All the examples I have seen up to now show that mandatory certification does not protect consumers against bad service, and optional certification too often certifies only that the certified shops or persons will provide only bad service.

I also have experience from another side. It happened that I got a Novell NetWare Administration certificate. Does that make me a good NetWare administrator? I doubt it. Attending the courses gave some interesting knowledge. And I'm probably not a really bad NetWare administrator, at least I have seen a number of worse ones. But that's not because of this certificate but because UNIX administration and NetWare administration have things in common and most of the time I'm able to figure out or quickly find in the manuals the details I don't know, based on the basic knowledge I have. And yes, I would recommend the same caution when hiring the bearers of Novell certificates as for Microsoft certificates, or any other certificates, such as Cisco or HP or Oracle.

Based on all this experience, my opinion is: "Certification Considered Harmful."

I also want to comment on another issue. I think that too much attention and space in ;login: and in the activities of USENIX gets dedicated to Windows NT. There are a lot of commercial organizations with Microsoft at the head that support and provide information on Windows NT and I see no reason why my membership payments should support this activity. Yes, I know the argument that many companies have UNIX installed alongside NT. But I can't see how it could justify all that attention to NT.

Let's try to follow this argument to its logical extension. In the '70s and '80s many companies had UNIX installed alongside some DEC OS, such as RT-11, RSX-11, VMS. Did USENIX pay that much attention to these OSes at that time? And now many companies have UNIX installed along with Windows 95/98 and mainframes. So maybe, to be fair, USENIX must also pay as much attention to Windows 95 and OS/390 as to NT? And don't forget Oracle and Informix; many companies have Oracle and Informix installed on UNIX, so they should be covered too. And throw in VMS, which is not completely dead yet, and OS/400. That brings us to the moment when USENIX would support everything in the world, with UNIX lost somewhere among them (if visible at all). I think that this is a wrong direction, and that USENIX should stop supporting Windows NT.

Shadow Passwords

From Professor Raphael Finkel
<raphael@cs.engr.uky.edu>

Rik,

I enjoy your Musings column in ;login:. A few times you have mentioned that sysadmins faced with HP-UX tend not to use the shadow passwords because the organization is so nonstandard. We have found a nice way around the problem.

Our shop is pretty diverse, with Irix, Solaris 2, Linux, HP-UX, AIX, and in the past NeXT, Ultrix, and other versions of UNIX. We need to keep various things consistent, in particular, the user community as shown in /etc/passwd. We can't use NIS+, because not all our UNIX variants speak it, and we don't want to use NIS (YP), because it is not very secure. Furthermore, we have a bias against depending on the net for data, because the net or the servers on the net can be unavailable, and we don't want to hang just because an NIS server is out.

Instead, we have a database of users. For each user, we store the encrypted password, the user id, the user name, and which machines the user should have a working account on. The data format is unimportant at this level of discussion. The database is stored on one machine and visible (by NFS, protected in the usual ways against ordinary users) on all. The actual database files could be flat or other; at the moment, they are flat (but in our own format), but we are trying to convert to LDAP.

Whenever it changes, all machines run a Perl script against the data in order to build their own /etc/passwd file. The Perl script takes various actions depending on the UNIX variant. For those that have shadow tables, the script builds the shadow tables, honed to the version of UNIX both in location (AIX likes them in /etc/security/password, but most put them in /etc/shadow) and in format. (AIX puts ! in the password field in /etc/passwd to indicate that the encrypted password is in the shadow file, but HP-UX uses * and others use x; each version of UNIX has a different format for the shadow file itself.) Some versions need some postprocessing. (IRIX needs /sbin/pwconv to be called.)

When we got HP-UX castoff machines for the first time, it was a one-time hassle to upgrade the Perl script to deal with HP-UX, which uses a shadow file per user in /tcb/files/auth. The result was about 50 HP-UX specific lines in the Perl script. For each user, if the shadow file already exists, it is checked to see if the password has changed; if so, it is changed in place. If the shadow file does not exist, it is built from a template. Shadow files for departed users are removed.

The code may be ugly, but it works fine, and it is maintainable. Adding or deleting users is as simple as editing the database (there is a vi/emacs interface, as well as a batch-mode interface for massive changes). Soon thereafter, the change is seen on all our 150+ diverse machines.

The software is homegrown and freely available (GPL). We have a paper in press on how it all works: Raphael Finkel, Brian Sturgill (Ataman Software, Fort Collins, CO) and Harlan Stenn (PFCS Corporation, Manchester, MO), "Experience with a UNIX System-Administration Tool," Software Practice and Experience, accepted May 1999. We use the same idea to keep our hosts lists (primarily /etc/hosts) and mounts tables (usually /etc/exports) consistent.

The source with docs is at <ftp://ftp.cs.uky.edu/cs/software/sat.tar.gz> and some sample databases (including the Perl scripts, but without any data) are in <ftp://ftp.cs.uky.edu/cs/software/satrelations.tar.gz>.

The entire package is called SAT, which stands for System Administration Tools.
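The per-user reconcile step described in the letter above, as an added example; it is not part of the letter or of SAT, and it is written in Python rather than the Perl the letter mentions. The record fields, the simplified entry layout in `TEMPLATE`, the flat directory, and the gid/home/shell values are assumptions made for illustration; the hashes are constructed.

```python
import os
import tempfile

# Placeholder in the passwd password field, as listed in the letter.
PLACEHOLDER = {"aix": "!", "hpux": "*"}  # every other variant: "x"
# Simplified stand-in for a per-user shadow entry (layout is an assumption).
TEMPLATE = "{name}:u_name={name}:u_id#{uid}:u_pwd={hash}:chkent:\n"

def passwd_line(variant, u):
    """One /etc/passwd line; gid, home and shell are assumed values."""
    mark = PLACEHOLDER.get(variant, "x")  # the hash itself never appears here
    return f"{u['name']}:{mark}:{u['uid']}:{u['uid']}::/home/{u['name']}:/bin/sh"

def write_private(path, text):
    """Write via a 0600 temp file and rename, so no partial entry is visible."""
    fd = os.open(path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(path + ".tmp", path)

def sync_hpux(auth_dir, users, host):
    """Reconcile per-user shadow files for `host`; return {name: action}."""
    wanted = {u["name"]: u for u in users if host in u["hosts"]}
    actions = {}
    for name, u in wanted.items():
        path = os.path.join(auth_dir, name)
        if not os.path.exists(path):
            write_private(path, TEMPLATE.format(**u))  # build from template
            actions[name] = "created"
            continue
        with open(path) as f:
            old = f.read().split(":")
        new = [f"u_pwd={u['hash']}" if x.startswith("u_pwd=") else x for x in old]
        if new != old:  # change the hash in place, keep every other field
            write_private(path, ":".join(new))
            actions[name] = "updated"
    for name in sorted(set(os.listdir(auth_dir)) - set(wanted)):
        os.remove(os.path.join(auth_dir, name))  # departed user
        actions[name] = "removed"
    return actions

if __name__ == "__main__":
    # Constructed sample records: name, uid, hash, machines with an account.
    db = [{"name": "alice", "uid": 501, "hash": "AAconstructed1", "hosts": ["hp1"]},
          {"name": "bob", "uid": 502, "hash": "BBconstructed2", "hosts": ["sun1"]}]
    with tempfile.TemporaryDirectory() as d:
        print(passwd_line("hpux", db[0]), sync_hpux(d, db, "hp1"))
```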

To Install GCC . . .

From Max Southall
<max@prninfo.com>

Hi Rik,

I installed Solaris 7 on several machines, and obtained the GCC compiler from sunsite—now metalab—and it worked just fine.

Enjoyed your ;login: article. I never get to go to conferences—workload too heavy, and company I work for not enlightened enough to pay for training or conferences.

To: max@prninfo.com
From Rik Farrow

Hi Max:

I think the install of GCC would have worked if I had about 1.5 times more disk space in some partitions. But without the additional disk space in three different partitions, it just wasn't going to work. Also, Solaris had to be installed in the first partition (all of my PCs, except the mail server, dual boot). I would have thought that 2GBs was enough to install Solaris and GCC.

Too bad about the conferences. The hall time alone is worth it.

 

First posted: 22 Nov. 1999 jr
Last changed: 22 Nov. 1999 jr