Mental Exercise: Linux in business

ron.peterson at yellowbank.com
Sat Aug 7 18:07:34 PDT 2004


On Sat, Aug 07, 2004 at 12:11:01PM -0400, Dominic L Hilsbos wrote:
> Kevin P. Fleming wrote:
> >This is the reason that I mentioned NIS in my reply. It's not safe to 
> >set up an arrangement like this unless you can guarantee that the 
> >systems all share a common user/group database of some kind.
> 
> Ok, so could it be done with Samba?  Is there a way to pull the user's 
> uname/passwd into automount?

Not exactly what you're looking for, but I hacked something up once that
did something similar:

http://makeashorterlink.com/?C17A52FF8

As for NIS making NFS secure, I'd have to disagree.  Anyone can spoof a
uid and get in.  If you must go this route, consider using iptables to
only allow specific MAC addresses.  Comparing LDAP and RADIUS, note that
LDAP can communicate via SSL, meaning you won't be passing
authentication credentials/hashes/whatever around in cleartext on your
network.

As fundamental as the need for a secure shared filesystem is, it's
ironic that so few implementations exist.  Ironic too, that it's
actually worth considering implementing SMB rather than NFS, for
security reasons.  NFS4 looks promising, but I haven't played with it
yet.  (Has anyone else?)  AFAIK, AFS (Andrew File System)
(http://www.openafs.org/) is one of the few shared filesystems that has
made a genuine effort to be secure.  There's also SFS, which I've
unfortunately only played with very briefly (http://www.fs.net/sfswww/).
I really like the global namespace idea.

-- 
Ron Peterson                   -o)
87 Taylor Street               /\\
Granby, MA  01033             _\_v
https://www.yellowbank.com/   ---- 
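
The uid-spoofing point in the message above can be checked on an NFS server by auditing its export table. The following is an added example, not part of the original post or of any project it mentions: it assumes the Linux nfs-utils exports(5) syntax, where the security flavor defaults to sys (the server trusts the uid/gid the client sends) unless a sec= option names only Kerberos flavors. The sample file, host names and issue labels are constructed.

```python
import re

# Constructed sample /etc/exports content; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# lab file server
/home        192.168.1.0/24(rw,sync)
/srv/build   *(rw,no_root_squash,insecure)
/srv/secure  *.example.com(rw,sync,sec=krb5p)
/srv/mixed   client1.example.com(ro,sec=krb5:sys) \\
             client2.example.com(rw,sec=krb5i)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")

def parse_exports(text):
    """Yield (path, client, options) for every client on every export line."""
    text = re.sub(r"\\\n", " ", text)              # join continuation lines
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments
        if not fields:
            continue
        # A path with no client list is exported to every host.
        for token in fields[1:] or [""]:
            m = CLIENT_RE.match(token)
            if m:
                opts = [o for o in (m.group("opts") or "").split(",") if o]
                yield fields[0], m.group("host") or "*", opts

def audit(text):
    """Return (path, client, issue) tuples for exports that rely on client honesty."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = ["sys"]                          # default when sec= is absent
        for opt in opts:
            if opt.startswith("sec="):
                flavors = opt[4:].split(":")
        if "sys" in flavors:                       # server trusts the uid/gid sent
            findings.append((path, client, "auth_sys"))
        if "no_root_squash" in opts:               # client root stays root
            findings.append((path, client, "no_root_squash"))
        if "insecure" in opts:                     # unprivileged source ports accepted
            findings.append((path, client, "insecure_port"))
        if client == "*":                          # any host may mount
            findings.append((path, client, "world"))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit(SAMPLE_EXPORTS):
        print(f"{path:12} {client:22} {issue}")
```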



More information about the lfs-chat mailing list