NIS/NFS question

Mailing List

Home

Forum Home

Linux - General Red Hat Linux discussion list

Enterprise Linux 3 - Discussion of Red Hat Enterprise Linux 3 (Taroon)

Installation - Getting started with Red Hat Linux

Red Hat Linux 9 - Discussion of Red Hat Linux 9 (Shrike)

Red Hat Linux 7.3 - Discussion of Red Hat Linux 7.3 (Valhalla)

Red Hat Linux 7.2 - Discussion of Red Hat Linux 7.2 (Enigma)

Apache Web Server

Oracle database, Microsoft SQL server ...

Subjects

•	application/x mplayer2 plugin
•	RPM error: db4 error(16) from dbenv >remove: Device or resource busy
•	Command stream end of file while reading
•	X Windows problem (xauth)
•	Upgrading openoffice 1 1 rpm
•	FTP: connection refused
•	FTP: connection refused
•	mount: /dev/cdrom: is not a valid block device
•	Dell Precision 650, RedHat 9, no sound
•	how to trace the cause resulting in the crash of bind server
•	Virus on the list
•	UNINSTALL RPM MYSQL
•	usb pen drives: mounting as a user
•	broadcom network interface
•	make mrproper
•	sendmail configuration on redhat
•	Couldn 't open PID file /var/run/named/named pid Permission denied
•	Promise 378 controller
•	kernel 2 6 and /dev/sound/mixer not found
•	Problem using up2date
•	mrtg step by step howto/configuration for a newbie?
•	Compiling and Installing Kernel 2 6
•	Can 't locate module ppp0, can 't locate module ppp compress 21
•	HOW I CAN MAKE BOOTABLE FLOPPY DISKET
•	Lotus Notes under Wine
•	/etc/security/limits conf question
•	Intel E/1000 driver
•	Command stream end of file while reading
•	rpm database corrupt
•	qla2300 modules

NIS/NFS question

NIS/NFS question

2005-06-29 - By Ryan Golhar

Back

Reply: 1 2 3 4 5 6 7 8 9

Hi Wayne,

We have actually done exactly what you are doing. We've since switched
to LDAP to encrypt passwords sent over the wire. But the problem you
are referring to is the same we have now. I wouldn't have enough
thought of it if you didn't mention it.

I believe you can use iptables with --mac-source to control access by
MAC address.

Right now, we only allow our linux machines to nfs mount /home on the
server by iptables:

-A ADDRESS-FILTER -s xxx.xxx.xxx.xxx -j ACCEPT

Making it

-A ADDRESS-FILTER -s xxx.xxx.xxx.xxx --mac-source XX:XX:XX:XX:XX:XX -j
ACCEPT

Should do the trick. Let me know what happens and what you decide to
do...

Ryan

-- --Original Message-- --
From: redhat-list-bounces@(protected)
[mailto:redhat-list-bounces@(protected)] On Behalf Of Wayne Pinette
Sent: Wednesday, June 29, 2005 5:37 PM
To: redhat-list@(protected)
Subject: NIS/NFS question

I have a question regarding NIS and was wondering if anyone had any
ideas.

We are creating a Linux workstation lab for students. We have a central
linux box which teh students can ssh into from home. The lab is a place
where they can log in and work on their work. We are using NIS to
authenticate the workstations and we are nfs mounting the /home
directory. This is all pretty standard and make sense. Here is the
problem :

If a student walks into the lab with their laptop running their
favourite linux to which they have root access, unplugs a workstation,
plugs in their laptop, hardcodes the worksation's ip, sets ups his
laptop to nis authenticate and nfs share just like the workstation, logs
in as root, he can now su to any student id on the system.
Although I quash root on the nfs share, it does not stop this student
from getting access to any other students (or instructors) material on
the server. Although my nis server only trusts a small list of
ip addresses, it's trust is still only based on ip. Is there a way to
add some sort of certificate trust to nis or some other mechanism to
check against before nis will trust a machine on it network other than
just ip?

Wayner

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

Earn $52 per hosting referral at Lunarpages.