[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: NIS/NFS question



Hello,

	Why not try the following, if you are using static IP's

1. Do not export the whole /home directory, instead export each users directory to a single IP address. If you have static IP's then that would work fine.

2. Then you could run arpwatch on the NFS server - if a student tries to bring in equipment that is not authorized you would know right away. You could even have a script that would block the new MAC.

But with option one, if the student takes over there own IP, they could only mount their own home directory, not the entire /home director.

Michael



Wayne Pinette wrote:
I have a question regarding NIS and was wondering if anyone had any
ideas.

We are creating a Linux workstation lab for students.  We have a
central linux box which teh students can ssh into from home.
The lab is a place where they can log in and work on their work.  We
are using NIS to authenticate the workstations and we are nfs mounting
the /home directory.  This is all pretty standard and make sense.  Here
is the problem :
If a student walks into the lab with their laptop running their
favourite linux to which they have root access, unplugs a workstation,
plugs in their laptop, hardcodes the worksation's ip, sets ups his
laptop to nis authenticate and nfs share just like the workstation,
logs in as root, he can now su to any student id on the system. Although I quash root on the nfs share, it does not stop this student
from getting access to any other students (or instructors) material on
the server. Although my nis server only trusts a small list of ip addresses, it's trust is still only based on ip. Is there a way to
add some sort of certificate trust to nis or some other mechanism to
check against
before nis will trust a machine on it network other than just ip?

Wayner




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]