[TriLUG] NFS/NIS/Automount/BIND

Stephen P. Schaefer sschaefer at acm.org
Wed Apr 23 23:01:50 EDT 2003


I also use NFS, for the same reason.  But I don't delude myself that 
it's secure.  Now, Sun offers kerberos authentication for NFS, and that 
would be OK.  But without that (which is unavailable for Linux) anyone 
with physical access to the subnet can see whatever they want by 
spoofing packets.

Suppose you've got a nice, tight workstation that only allows ssh 
logins, but uses an NFS home directory.  So: I give my laptop the MAC 
address and IP address of the NFS server.  I initiate an ssh connection 
to your workstation.  sshd looks for $HOME/.ssh/authorized_keys, which 
I, as the spoofing NFS server, happily supply to match the id_dsa private 
key I'm using for your account.  You're owned.  It doesn't have to work 
the first time or most of the time.  It just has to work once.

Oh, but physical access to the subnet is so difficult to get! you 
respond.  I see.  You scan your network for wireless access points 
constantly, don't you?  No?  Tra la la.

     - Stephen
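A defender's check for the scenario above, added here as an example and not code from Stephen's post or from the TriLUG list: it reads sshd's AuthorizedKeysFile setting, expands the %h and %u tokens the way sshd does, and reports every key file sshd would read from a network filesystem (where a spoofed server, not the workstation, controls the contents). The sshd_config and /proc/mounts text are constructed samples, and the function and constant names are my own.

```python
import os

# Filesystem types served over the network; a spoofed server can supply their contents.
NETWORK_FS = {"nfs", "nfs4", "cifs", "smbfs", "afs", "fuse.sshfs"}

def parse_authorized_keys_file(sshd_config):
    """AuthorizedKeysFile tokens from sshd_config text, or OpenSSH's built-in default."""
    for line in sshd_config.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            if key.lower() == "authorizedkeysfile":
                return value.split()
    return [".ssh/authorized_keys", ".ssh/authorized_keys2"]

def expand(template, user, home):
    """Expand %h, %u and %% as sshd does; relative paths are taken from $HOME."""
    path = (template.replace("%%", "\0").replace("%h", home)
            .replace("%u", user).replace("\0", "%"))
    return os.path.normpath(path if path.startswith("/") else os.path.join(home, path))

def parse_mounts(proc_mounts):
    """(mountpoint, fstype) pairs from /proc/mounts text, longest mountpoint first."""
    mounts = [(f[1], f[2]) for f in map(str.split, proc_mounts.splitlines()) if len(f) >= 3]
    return sorted(mounts, key=lambda m: len(m[0]), reverse=True)

def fstype_of(path, mounts):
    """Filesystem type of the longest mount that contains path ("unknown" if none)."""
    for mountpoint, fstype in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            return fstype
    return "unknown"

def network_key_paths(sshd_config, proc_mounts, user, home):
    """[(path, fstype)] for every authorized_keys location that lives on a network fs."""
    mounts = parse_mounts(proc_mounts)
    hits = []
    for template in parse_authorized_keys_file(sshd_config):
        path = expand(template, user, home)
        fstype = fstype_of(path, mounts)
        if fstype in NETWORK_FS:
            hits.append((path, fstype))
    return hits

SAMPLE_MOUNTS = (  # constructed: /home is an NFS mount, as in the scenario above
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "fileserver:/export/home /home nfs rw,vers=3,addr=192.0.2.10 0 0\n")
WEAK_CONFIG = "PasswordAuthentication no\n"              # AuthorizedKeysFile left at default
HARDENED_CONFIG = "AuthorizedKeysFile /etc/ssh/authorized_keys/%u\n"  # root-owned local dir
```

With the default setting both key files resolve onto the NFS mount and are flagged; pointing AuthorizedKeysFile at a root-owned local directory (the hardened sample) leaves nothing for a spoofed file server to supply.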

Chris Hedemark wrote:
> 
> 
> On Wednesday, April 23, 2003, at 06:55 PM, Jon Carnes wrote:
> 
>> NFS is very easy and secure (no matter what ChrisH may say!),
> 
> 
> Actually it was NIS, not NFS, that I was complaining about earlier.
> 
> But since you bring it up, I grudgingly use NFS.  It's not exactly 
> secure, either, but there aren't a lot of mature alternatives out there.
> 
>> NIS - allows you to have a universal login across all your machines
>>      (all your unix machines)
> 
> 
> It can actually do *more* than this, but the universal login feature is 
> the real hook.  My preference, as stated, is for LDAP which has much 
> tighter controls on who can see what.
> 
> NIS+ is more secure than NIS (as long as you don't enable backwards 
> compatibility) but a real bear to set up & maintain, and very hard to 
> find professional support for if/when you need it.
> 
>> Automount - mount remote (shared) drives automatically
> 
> 
> Not just remote drives;  the automounter can be used for the CD-ROM 
> drive, floppy, and more (see the /etc/auto.misc example in Red Hat and 
> possibly other distros for an example).
> 
>> BIND - DNS = name service and IP look-ups
> 
> 
> No gripes. Really.  :-)
> 
> --
> "When we say `War is over if you want it,' we mean that if everyone 
> demanded peace instead of another TV set, we'd have peace." -- John Lennon
> 