Re: NFS, password transparency, and security

Sun, 07 Apr 2002 22:03:37 -0500 

hi ya

why not do the following ???

make one machine be your primary NIS server...
        - all passwds defined there...

all other machines uses the NIS server for passwd authentication
        and turn on ssh logins ( ~/.shosts )  w/o checking passwd

use automounter for /n/<machines>/directories
        http://www.Linux-Consulting.com/AutoFS/autofs-HOWTO.html

add additional security as needed
        - turn on tcp_wrappers
        - use secure nfs/portmapper

        - do NOT allow insecure operations in a secure environment
        ( no wireless stuff, no dchp stuff, no pop3, no telnet, no ftp )

and magically its just like sun-environment... sorta ...

c ya
alvin
http://www.Linux-Sec.net 

On Sun, 7 Apr 2002, Luca Filipozzi wrote:

> On Sun, Apr 07, 2002 at 09:02:56PM -0500, Rob VanFleet wrote:
> > I work for several University astronomers who basically want something
> > like what they're used to at other places: a pure sun shop, running
> > NIS and NFS.
> 
> Two choices for authentication (passwd + shadow):
> (1) Kerberos
>     Never used it. Can't advise you.
> (2) LDAP
>     Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
>     the equivalent of NIS but securely.
> 
> Several choices for authorisation (pam_access.so):
> (1) local /etc/secuirty/access.conf listing all users
> (2) local /etc/secuirty/access.conf listing a group or netgroup
>     - use local group file
>     - use LDAP-distributed group or netgroup map
> 
> Several choices for file sharing:
> (1) NFS + iptables + tcpwrappers
> (2) SFS (see sfs-server sfs-client packages and www.fs.net)
>     Requires users to authenticate against the file server, also.
>     Consider using libpam-sfs (I'm rewriting it as we speak.)
> (3) OpenAFS (see openafs-fileserver + openafs-client)
>     Also requirres users to authenticate against the file server, but
>     when used in a Kerberos environment, you only have to logon once due
>     to Kerberos' ticket-granting system.
> 
> Hope this (probably incomplete) list helps,
> 
> Luca
> 
> -- 
> Luca Filipozzi, Debian Developer
> [dpkg] We are the apt. You will be packaged. Comply.
> gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to