NIS/NFS question
Michael Gale
michael.gale at pason.com
Thu Jun 30 22:25:41 UTC 2005
Hello,

Why not try the following, if you are using static IPs:

1. Do not export the whole /home directory, instead export each user's
directory to a single IP address. If you have static IPs then that
would work fine.

2. Then you could run arpwatch on the NFS server - if a student tries to
bring in equipment that is not authorized you would know right away. You
could even have a script that would block the new MAC.

But with option one, if the student takes over their own IP, they could
only mount their own home directory, not the entire /home directory.

Michael

Wayne Pinette wrote:
> I have a question regarding NIS and was wondering if anyone had any
> ideas.
>
> We are creating a Linux workstation lab for students. We have a
> central linux box which the students can ssh into from home.
> The lab is a place where they can log in and work on their work. We
> are using NIS to authenticate the workstations and we are nfs mounting
> the /home directory. This is all pretty standard and makes sense. Here
> is the problem :
>
> If a student walks into the lab with their laptop running their
> favourite linux to which they have root access, unplugs a workstation,
> plugs in their laptop, hardcodes the workstation's ip, sets up his
> laptop to nis authenticate and nfs share just like the workstation,
> logs in as root, he can now su to any student id on the system.
> Although I quash root on the nfs share, it does not stop this student
> from getting access to any other student's (or instructor's) material on
> the server. Although my nis server only trusts a small list of
> ip addresses, its trust is still only based on ip. Is there a way to
> add some sort of certificate trust to nis or some other mechanism to
> check against
> before nis will trust a machine on its network other than just ip?
>
> Wayner
>
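
The per-user export layout suggested in the reply can be checked mechanically. The following is an added example, not part of either message: a small audit of exports(5)-style text that flags any entry that is not "one home directory to one IP address". The addresses, user names and the `/home` root are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample (addresses and user names are made up): a whole-/home
# export like the one in the question, then per-user exports as in the reply.
SAMPLE_EXPORTS = """\
# /etc/exports
/home 192.168.10.0/24(rw,root_squash)
/home/alice 192.168.10.21(rw,root_squash)
/home/bob 192.168.10.22(rw,root_squash) 192.168.10.23(rw,root_squash)
/home/carol *(rw,no_root_squash)
"""

# host(options); either part may be absent in exports(5) syntax
CLIENT_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def is_single_ip(client):
    """True only for one literal address (no netmask, wildcard or name)."""
    try:
        ipaddress.ip_address(client)
        return True
    except ValueError:
        return False

def audit_exports(text, home_root="/home"):
    """Return (line_no, path, problem) for every export that is not
    'one home directory to one IP address'. Paths with spaces unsupported."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if path.rstrip("/") == home_root:
            findings.append((line_no, path, "exports the whole home tree"))
        if len(clients) != 1:
            findings.append((line_no, path, f"{len(clients)} clients, expected 1"))
        for spec in clients:
            match = CLIENT_RE.fullmatch(spec)
            host, opts = match.groups() if match else (spec, None)
            if not is_single_ip(host):
                findings.append((line_no, path, f"client {host!r} is not a single IP"))
            if "no_root_squash" in (opts or "").split(","):
                findings.append((line_no, path, "root is not squashed"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep=": ")
```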