[Gllug] NFS NIS

Lee Blackwell lee_blackwell at eur.3com.com
Fri Sep 28 10:06:40 UTC 2001


Is this NIS or NIS+?? NIS can be set up securely, although it's not exactly
the most simple thing in the world, and in addition, NIS/NIS+ is generally
used (AFAIK) for a 'full' authentication system, i.e. you auth against the
NIS domain rather than anything else.

Do you really want to use NIS & NFS?  Why not just share files using
something a tad more traditional, maybe FTP or SSH/scp?  I know it's more
of a pain to move data around, but then it'll be more secure, no?

Lee

-- 
Lee Blackwell
Unix Specialist, NCS, 3com IT.
"I love blinking, I do!" - Helen, Big Brother, 2001

On Fri, 28 Sep 2001, Ian Norton wrote:

>
> Hi folks,
>
> For about 8 months now i have had my little network here running, there
> have been a few annoyance issues with some services but mostly it did
> what i want,
>
> the current setup is as follows,
>
> I have a p133 with linux 2.4.0 running NIS, It also has 2 net cards
> (provision for uni, one is for my uni ethernet socket and other to go to
> my hub, running pretty tight iptables rules, bit of portforwarding, SNAT
> etc, yadda yadda)
>
> i have exported /home with NFS, (shudder) at home this is not a problem,
> but for uni i would kind of like to be a hell of a lot more
> secure, (attending a university where one day i sat down and watched
> someone do some creative network hacking and get himself mounted to the
> staff nfs shares.)
>
> i would like my three workstations to be able to SECURELY mount the home
> directory on the server as their own /home or maybe /mnt/homes (thinking
> about it i use very different X setups on all the boxes)
>
> one issue i have had with NFS and NIS is this,
>
> i could walk in, plug in my laptop and elect for it to use ypbind, it
> binds to my nis domain, and finishes booting,
>
> i then su, mount the /home on the laptop, (at current exports are for
> specific hosts only but ip spoofing is fairly simple)
>
> then su to a user given by nis, bang, i can read/write the nfs share!
> (the person doing this could be anyone with root on their own laptop)
>
> ideas about restricting what can bind to nis would be appreciated. (or
> could i simply restrict timed?/portmap)
>
> please tell me if i have missed the point of my message entirely :-)
>
> bredroll
>
>
> --
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
>
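
The access Ian describes works because an export using the default AUTH_SYS flavour makes the server accept whatever UID the client sends, so the host list in /etc/exports is the only control. As an added example (not part of the original thread), this Python script audits exports text in the Linux exports(5) syntax for entries that rely on that trust; the sample hosts, paths and finding labels are constructed, and line continuations and "-options" default blocks are assumed absent.

```python
import re

# Constructed sample in Linux exports(5) syntax; hosts and paths are made up.
SAMPLE_EXPORTS = """\
# constructed example
/home         ws1.example.lan(rw,sync) 192.168.1.0/24(rw,no_root_squash)
/srv/pub      *(ro,insecure)
/home/secure  ws1.example.lan(rw,sec=krb5p)
"""

# Either "client(options)" or a bare client name that takes the defaults.
CLIENT_RE = re.compile(r"([^\s()]*)\(([^)]*)\)|(\S+)")

def audit_exports(text):
    """Return (path, client, finding) tuples for export entries worth reviewing."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # blank, comment-only, or no client list
        path, clients = parts
        for m in CLIENT_RE.finditer(clients):
            client = m.group(3) if m.group(3) is not None else m.group(1)
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            # sec= may list several flavours separated by ":"; the default is sys.
            flavours = ["sys"]
            for o in opts:
                if o.startswith("sec="):
                    flavours = o[4:].split(":")
            if "sys" in flavours:
                # AUTH_SYS: the server believes the UID/GID the client sends.
                findings.append((path, client, "auth_sys"))
            if client == "" or any(c in client for c in "*?/"):
                findings.append((path, client, "broad_client"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if "insecure" in opts:
                findings.append((path, client, "insecure_ports"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client or '(anyone)':18} {finding}")
```

An entry limited to a single named host still reports auth_sys, which is the situation in the message above: the host restriction is in place, but the server has no way to check the UID it is given.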

