Thursday, January 20, 2011

Server-based homedirs and universal logon on a Linux network? (Other than with NFS+NIS?)

This question was kinda, sorta, already asked, but there's a security issue with the NFS+NIS setup that still bugs me: if you know somebody's username/uid, you can set up a *nix computer, create a user locally with the same name/uid, and presto, you can mount the server FS and it'll give you access to the user's files.

So my question is specific: is there an alternative setup that'll give no access to server files, no way, no how, unless you have a valid username AND password, even if you set up your own computer and place it on the network?

Users still need to be able to log on to their workstations and work with their server files without having to give their password all the time. It's OK if it only works in a Linux GUI like Gnome.

  • I'm no fan of NFS/NIS, but the security issue you describe is a configuration problem, not an inherent flaw: You can configure your NFS server to only honor mount requests from known hosts (or if you want to get fancy, restrict it by netgroup), so J. Random Hacker can't just plug in and start mounting stuff. See the exports(5) manpage for the details, or skim a copy of the O'Reilly NFS+NIS book for really good examples.

    (This doesn't solve any of the other problems with NFS/NIS that are inherent flaws, but it's the immediate fix for your immediate problem :).

    From voretaq7
  • Can't the security issues be overcome by using NFSv4 and kerberos? Kerberos was mentioned in the answer to your previous question but you don't mention it in your new question about security concerns.

    I don't see how an NFS share that requires Kerberos authentication can be fooled by a simple matching username/uid.

    A tutorial for Ubuntu, if that's what you're using, can be found here.

    voretaq7 : Only caveat to NFSv4+Kerberos is that everything needs to support it. (Probably not an issue if everything in your environment is new, or at least pretty recent)
  • LDAP or Samba for unified logons. Any network filesystem should let you complete the equation.

    From alex
  • NIS is ancient, forget it even exists. You can use LDAP to achieve much the same thing in a much more modern way. I suggest you look at Kerberos and NFSv4 for user authentication. It's a fair bit of infrastructure to set up but once you get it all rolling it's not too difficult to maintain.
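
The two answers above boil down to two checks on the server's export list: is the share reachable only from known hosts or netgroups (voretaq7's point), and does the server still accept AUTH_SYS, where the client-supplied uid is simply trusted, rather than requiring a Kerberos flavour (the NFSv4+Kerberos answers)? The following audit script is an added example, not code from the thread or from any of the answerers. It parses Linux exports(5) syntax and reports both weaknesses, plus `no_root_squash`. The sample `/etc/exports` contents, host names, netgroup and paths are constructed for the example.

```python
"""Audit a Linux /etc/exports file for the NFS weaknesses discussed above.

Two things let a rogue machine read another user's home directory: the
export is reachable from any host, and the server trusts the client-supplied
uid (AUTH_SYS, the exports(5) option sec=sys, which is the default).  This
script parses exports(5) syntax and reports both, plus no_root_squash.
Sample file, host names, netgroup and paths are constructed for the example.
"""
import re
from typing import List, Tuple

# exports(5): "host(options)" or a bare "host"; an empty host part
# (e.g. "/path (rw)", note the space) means the export is open to everyone.
_ENTRY_RE = re.compile(r"([^(]*)(?:\((.*)\))?")

# Constructed sample file, not taken from any real server.
SAMPLE_EXPORTS = """\
# NIS-era home directories: anyone on the wire can mount them
/export/home     *(rw,sync)
/export/home     192.168.1.0/24(rw,sync,no_root_squash)
# NFSv4 + Kerberos: the mount needs a valid ticket, the uid is not trusted
/export/home     @workstations(rw,sync,sec=krb5p)
# A mixed flavour list still accepts sec=sys
/export/tools    ws1.example.org(ro,sync,sec=krb5p:sys)
# A bare host gets the exports(5) defaults, including sec=sys
/export/scratch  ws2.example.org
# Note the space: the host list is empty, so this is world-readable
/export/pub (ro)
"""

WORLD = "exported to every host"
RANGE = "network range or wildcard, not a list of known hosts"
AUTH_SYS = "accepts AUTH_SYS: the client-supplied uid is trusted"
NO_ROOT_SQUASH = "no_root_squash: client root is root on the server"

Export = Tuple[str, str, List[str]]   # (path, client, options)


def parse_exports(text: str) -> List[Export]:
    """Return (path, client, options) for every client of every export."""
    # Join backslash-continued lines, then drop comments and blank lines.
    joined = re.sub(r"\\\n", " ", text)
    entries: List[Export] = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            m = _ENTRY_RE.fullmatch(tok)
            if m is None:
                raise ValueError(f"malformed export entry: {tok!r}")
            client = m.group(1) or "*"          # empty client == everyone
            opts = m.group(2).split(",") if m.group(2) else []
            entries.append((path, client, [o for o in opts if o]))
    return entries


def security_flavours(opts: List[str]) -> List[str]:
    """Flavours the server will accept for this client; default is sys."""
    for o in opts:
        if o.startswith("sec="):
            return o[len("sec="):].split(":")
    return ["sys"]


def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, client, issue) for each weak setting found."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, WORLD))
        elif "/" in client or any(c in client for c in "*?"):
            # A subnet does not stop a machine plugged into that subnet.
            findings.append((path, client, RANGE))
        if "sys" in security_flavours(opts):
            findings.append((path, client, AUTH_SYS))
        if "no_root_squash" in opts:
            findings.append((path, client, NO_ROOT_SQUASH))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<16} {client:<24} {issue}")
```

Run it against a real `/etc/exports` by reading the file into `audit_exports`. The only line in the sample that comes back clean is the `@workstations(... sec=krb5p)` one, which is exactly the combination the answers recommend: a netgroup-restricted host list plus a Kerberos-only security flavour. Note that `sec=krb5p:sys` is not a hardening, since a client that asks for `sys` still gets it.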
