
Re: NFS, password transparency, and security



hi ya

why not do the following ???

make one machine be your primary NIS server...
	- all passwds defined there...

all other machines use the NIS server for passwd authentication
	and turn on ssh logins ( ~/.shosts )  w/o checking passwd

use automounter for /n/<machines>/directories
	http://www.Linux-Consulting.com/AutoFS/autofs-HOWTO.html

add additional security as needed
	- turn on tcp_wrappers
	- use secure nfs/portmapper

	- do NOT allow insecure operations in a secure environment
	( no wireless stuff, no dhcp stuff, no pop3, no telnet, no ftp )

and magically it's just like sun-environment... sorta ...

c ya
alvin
http://www.Linux-Sec.net 

On Sun, 7 Apr 2002, Luca Filipozzi wrote:

> On Sun, Apr 07, 2002 at 09:02:56PM -0500, Rob VanFleet wrote:
> > I work for several University astronomers who basically want something
> > like what they're used to at other places: a pure sun shop, running
> > NIS and NFS.
> 
> Two choices for authentication (passwd + shadow):
> (1) Kerberos
>     Never used it. Can't advise you.
> (2) LDAP
>     Use LDAP (recompile --with-tls flag) + libpam-ldap + libnss-ldap to do
>     the equivalent of NIS but securely.
> 
> Several choices for authorisation (pam_access.so):
> (1) local /etc/security/access.conf listing all users
> (2) local /etc/security/access.conf listing a group or netgroup
>     - use local group file
>     - use LDAP-distributed group or netgroup map
> 
> Several choices for file sharing:
> (1) NFS + iptables + tcpwrappers
> (2) SFS (see sfs-server sfs-client packages and www.fs.net)
>     Requires users to authenticate against the file server, also.
>     Consider using libpam-sfs (I'm rewriting it as we speak.)
> (3) OpenAFS (see openafs-fileserver + openafs-client)
>     Also requires users to authenticate against the file server, but
>     when used in a Kerberos environment, you only have to logon once due
>     to Kerberos' ticket-granting system.
> 
> Hope this (probably incomplete) list helps,
> 
> Luca
> 
> -- 
> Luca Filipozzi, Debian Developer
> [dpkg] We are the apt. You will be packaged. Comply.
> gpgkey 5A827A2D - A149 97BD 188C 7F29 779E  09C1 3573 32C4 5A82 7A2D
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 




