[Gllug] NFS NIS

Nick Hill t0 at nickhill.co.uk
Mon Oct 1 01:24:08 UTC 2001


Hello Ian. 

The Coda file system is supposed to offer a degree of security, using a Kerberos-like authentication scheme. There are some RPMs available.

Regards

Nick.


On 28 Sep 2001 10:29:58 +0100
Ian Norton <bredroll at atari.org> wrote:

> Hi folks,
> 
> For about 8 months now i have had my little network here running, there
> have been a few annoyance issues with some services but mostly it did
> what i want,
> 
> the current setup is as follows, 
> 
> I have a p133 with linux 2.4.0 running NIS, It also has 2 net cards
> (provision for uni, one is for my uni ethernet socket and other to go to
> my hub, running pretty tight iptables rules, bit of portforwarding, SNAT
> etc,yaddayadda)
> 
> i have exported /home with NFS, (shudder) at home this is not a
> problem. but for uni i would kind of like to be a hell of a lot more
> secure, (attending a university where one day i sat down and watched
> someone do some creative network hacking and get himself mounted to the
> staff nfs shares.)
> 
> i would like my three workstations to be able to SECURELY mount the home
> directory on the server as their own /home or maybe /mnt/homes (thinking
> about it i use very different X setups on all the boxes)
> 
> one issue i have had with NFS and NIS is this,
> 
> i could walk in, plug in my laptop and elect for it to use ypbind, it
> binds to my nis domain, and finishes booting,
> 
> i then su, mount the /home on the laptop, (at current exports are for
> specific hosts only but ip spoofing is fairly simple)
> 
> then su to a user given by nis, bang, i can read/write the nfs share!
> (the person doing this could be anyone with root on their own laptop)
> 
> ideas about restricting what can bind to nis would be appreciated. (or
> could i simply restrict timed?/portmap)
> 
> please tell me if i have missed the point of my message entirely :-)
> 
> bredroll
> 
> 
> -- 
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
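
An added example, not part of either message above: a small Python audit of exports(5) text that flags every client entry still relying on host-based trust, which is the weakness described in the quoted post (an export limited to named hosts but with no Kerberos `sec=` flavor accepts whatever UID the client asserts). The function name `audit_exports`, the finding labels and the sample hosts are constructed for illustration; it assumes an NFS server whose exports file supports the `sec=krb5*` options and does not handle quoted paths.

```python
import re

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}          # sec= flavors from exports(5)
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")

def audit_exports(text):
    """Return sorted (path, client, finding) tuples for exports(5) text."""
    findings = set()
    # Join backslash-continued lines, then strip comments and blanks.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        defaults = []
        for spec in specs:
            if spec.startswith("-"):               # "-opt,opt": defaults for later clients
                defaults = spec[1:].split(",")
                continue
            m = CLIENT_RE.match(spec)
            if m is None:
                findings.add((path, spec, "unparsed"))
                continue
            client = m.group(1) or "*"             # "(opts)" alone means any host
            opts = defaults + [o for o in (m.group(2) or "").split(",") if o]
            flavors = set()
            for o in opts:
                if o.startswith("sec="):
                    flavors |= set(o[4:].split(":"))
            # No sec= means sec=sys: the server believes whatever UID the client
            # sends, so root on any accepted host can su to an NIS user and act as them.
            if (flavors or {"sys"}) - KRB_FLAVORS:
                findings.add((path, client, "no_kerberos"))
            if "*" in client or "?" in client:
                findings.add((path, client, "wildcard_client"))
            if "no_root_squash" in opts:
                findings.add((path, client, "no_root_squash"))
            if "insecure" in opts:                 # accepts unprivileged source ports
                findings.add((path, client, "insecure"))
    return sorted(findings)

# Constructed sample, not the poster's real file.
SAMPLE_EXPORTS = """\
# /etc/exports
/home        ws1(rw,root_squash) ws2(rw,no_root_squash) \\
             *.lab.example(rw,insecure)
/srv/secure  ws1(rw,sec=krb5p)
"""

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:16} {finding}")
```

Note that `root_squash` on the `ws1` entry does not clear the `no_kerberos` finding: squashing only remaps UID 0, while the scenario in the post uses an ordinary user's UID.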
