[TriLUG] NFS/NIS/Automount/BIND
Stephen P. Schaefer
sschaefer at acm.org
Wed Apr 23 23:01:50 EDT 2003
I also use NFS, for the same reason. But I don't delude myself that
it's secure. Now, Sun offers kerberos authentication for NFS, and that
would be OK. But without that (which is unavailable for Linux) anyone
with physical access to the subnet can see whatever they want by
spoofing packets.
Suppose you've got a nice, tight workstation that only allows ssh
logins, but uses an NFS home directory. So: I give my laptop the MAC
address and IP address of the NFS server. I initiate an ssh connection
to your workstation. sshd looks for $HOME/.ssh/authorized_keys, which
I, as the spoofing NFS server, happily supply to match the id_dsa private
key I'm using for your account. You're owned. It doesn't have to work
the first time or most of the time. It just has to work once.
"Oh, but physical access to the subnet is so difficult to get!" you
respond. I see. You scan your network for wireless access points
constantly, don't you? No? Tra la la.
- Stephen
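The scenario above hinges on sshd reading authorized_keys from an NFS-backed home directory. The following is an added example, not part of Stephen's post: a POSIX shell check that, given a mount table in /proc/mounts format, reports whether the key file sshd would consult sits on a network filesystem. The mount table and the paths are constructed samples; the per-user local path is the kind of target a hardened AuthorizedKeysFile setting would point at.

```shell
#!/bin/sh
# Added example (not from the original post): find out whether an
# authorized_keys path lives on an NFS/CIFS mount, i.e. whether a spoofed
# file server could hand sshd a key file of its choosing.

# Constructed mount table in /proc/mounts format (dev mountpoint fstype opts 0 0).
SAMPLE_MOUNTS='nfsserver:/export/home /home nfs rw,vers=3 0 0
/dev/sda1 / ext4 rw 0 0'

# fstype_for_path PATH MOUNTS
# Prints the filesystem type of the longest mount point that contains PATH.
fstype_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            m = $2; t = $3
            # "/" contains everything; otherwise PATH must equal the mount
            # point or start with it followed by a slash.
            if (m == "/" || p == m || index(p, m "/") == 1) {
                if (length(m) > bestlen) { bestlen = length(m); best = t }
            }
        }
        END { print best }'
}

# keyfile_on_network_fs PATH MOUNTS
# Prints "yes" when PATH resolves onto a network filesystem, else "no".
keyfile_on_network_fs() {
    case "$(fstype_for_path "$1" "$2")" in
        nfs|nfs4|cifs|smbfs) echo yes ;;
        *) echo no ;;
    esac
}

# Hypothetical key locations: the default under an NFS home, and a local
# per-user file such as sshd's "AuthorizedKeysFile /etc/ssh/authorized_keys/%u"
# would select (the %u token is expanded by sshd to the login name).
for f in /home/alice/.ssh/authorized_keys /etc/ssh/authorized_keys/alice; do
    echo "$f: on network filesystem = $(keyfile_on_network_fs "$f" "$SAMPLE_MOUNTS")"
done
```

Run against a live host by substituting `$(cat /proc/mounts)` for the constructed table.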
Chris Hedemark wrote:
>
> On Wednesday, April 23, 2003, at 06:55 PM, Jon Carnes wrote:
>
>> NFS is very easy and secure (no matter what ChrisH may say!),
>
>
> Actually it was NIS, not NFS, that I was complaining about earlier.
>
> But since you bring it up, I grudgingly use NFS. It's not exactly
> secure, either, but there aren't a lot of mature alternatives out there.
>
>> NIS - allows you to have a universal login across all your machines
>> (all your unix machines)
>
>
> It can actually do *more* than this, but the universal login feature is
> the real hook. My preference, as stated, is for LDAP which has much
> tighter controls on who can see what.
>
> NIS+ is more secure than NIS (as long as you don't enable backwards
> compatibility) but a real bear to set up & maintain, and very hard to
> find professional support for if/when you need it.
>
>> Automount - mount remote (shared) drives automatically
>
>
> Not just remote drives; the automounter can be used for the CD-ROM
> drive, floppy, and more (see the /etc/auto.misc example in Red Hat and
> possibly other distros for an example).
>
>> BIND - DNS = name service and IP look-ups
>
>
> No gripes. Really. :-)
>
> --
> "When we say `War is over if you want it,' we mean that if everyone
> demanded peace instead of another TV set, we'd have peace." -- John Lennon