NIS/NFS question

Wayne Pinette Wpinette at tru.ca
Thu Jun 30 22:52:31 UTC 2005


Michael, that would not work simply because Students A, B and C use
workstations 1, 2 and 3 at any time.

A->1, B->2, C->3 ... A->2, B->1, C->3.

These are not personal machines, they are a lab.


At any rate, one suggestion which I received off of this list is to
abandon nis/nfs and try a CIFS solution (i.e., samba of some sort) which
does not consider root all powerful like nis does.

All suggestions and comments have been quite helpful and I thank you
all.


Wayner


>>> michael.gale at pason.com 06/30/05 3:25 pm >>>
Hello,

	Why not try the following, if you are using static IPs

1. Do not export the whole /home directory, instead export each user's
directory to a single IP address. If you have static IPs then that
would work fine.

2. Then you could run arpwatch on the NFS server - if a student tries
to bring in equipment that is not authorized you would know right away.
You could even have a script that would block the new MAC.

But with option one, if the student takes over their own IP, they could
only mount their own home directory, not the entire /home directory.

Michael



Wayne Pinette wrote:
> I have a question regarding NIS and was wondering if anyone had any
> ideas.
> 
> We are creating a Linux workstation lab for students.  We have a
> central linux box which the students can ssh into from home.
> The lab is a place where they can log in and work on their work.  We
> are using NIS to authenticate the workstations and we are nfs mounting
> the /home directory.  This is all pretty standard and makes sense.  Here
> is the problem:
> 
> If a student walks into the lab with their laptop running their
> favourite linux to which they have root access, unplugs a workstation,
> plugs in their laptop, hardcodes the workstation's ip, sets up his
> laptop to nis authenticate and nfs share just like the workstation,
> logs in as root, he can now su to any student id on the system.
> Although I quash root on the nfs share, it does not stop this student
> from getting access to any other student's (or instructor's) material on
> the server.  Although my nis server only trusts a small list of
> ip addresses, its trust is still only based on ip.  Is there a way to
> add some sort of certificate trust to nis or some other mechanism to
> check against
> before nis will trust a machine on its network other than just ip?
> 
> Wayner
> 
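The arpwatch monitoring suggested in point 2 of the quoted reply, as an added example that is not part of the original thread: a filter over the NFS server's syslog that flags any lab IP answering from a MAC other than the inventoried one. The inventory, host name and log lines are constructed, and the message layout is assumed to be arpwatch's usual "new station", "changed ethernet address" and "flip flop" syslog messages.

```python
import re

# Assumed inventory of lab workstations (constructed values): IP -> NIC MAC.
AUTHORIZED = {
    "10.0.5.11": "00:11:22:aa:bb:01",
    "10.0.5.12": "00:11:22:aa:bb:02",
}

# arpwatch syslog events of interest; the previous MAC in parentheses is optional.
EVENT_RE = re.compile(
    r"arpwatch(?:\[\d+\])?: (?P<event>new station|changed ethernet address|flip flop)"
    r" (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-fA-F:]+)"
    r"(?: \((?P<old>[0-9a-fA-F:]+)\))?"
)

def norm_mac(mac):
    """arpwatch prints octets without leading zeros (0:c:29:...); pad and lowercase."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def find_unauthorized(lines, authorized=AUTHORIZED):
    """Return (ip, mac, reason) for each event whose MAC is not the inventoried one."""
    alerts = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an arpwatch event we track
        ip, mac = m["ip"], norm_mac(m["mac"])
        expected = authorized.get(ip)
        if expected is None:
            alerts.append((ip, mac, "unknown IP on lab segment"))
        elif mac != norm_mac(expected):
            alerts.append((ip, mac, f"{m['event']}: expected {expected}"))
    return alerts

# Constructed sample of /var/log/messages on the NFS server.
SAMPLE_LOG = [
    "Jun 30 15:02:11 nfs1 arpwatch: new station 10.0.5.11 0:11:22:aa:bb:1",
    "Jun 30 15:40:03 nfs1 arpwatch: changed ethernet address 10.0.5.12 0:c:29:de:ad:1 (0:11:22:aa:bb:2)",
    "Jun 30 15:41:00 nfs1 arpwatch: new station 10.0.5.99 0:c:29:de:ad:2",
    "Jun 30 15:42:00 nfs1 sshd[411]: session opened for user student1",
]

if __name__ == "__main__":
    for alert in find_unauthorized(SAMPLE_LOG):
        print(alert)
```

arpwatch only reports address changes it observes, so this works as a tripwire next to the export restrictions rather than as access control.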
