sharing user ids and passwords
Hi,

I don't know if this has been asked before, but I'll try anyway. And please ignore this if you think it's not related to the topic of this list. :)

I am going to do some testing with two computers (just for fun), both with SuSE 7.0, and a firewall between them (OpenBSD 2.7). The first computer will be accessed normally by users while the other one will be an NFS server to the first one (i.e. the users' homes will be automounted from the NFS server).

- Is it possible to filter the NFS traffic well?
- Do I need similar passwd/group/shadow/gshadow files on both computers?
- Is it possible to have the NFS computer as master password storage for the first one?
- Can RADIUS be used for this (I know a PAM exists for RADIUS, but will it fit my needs?)?
- Other alternatives? NIS? NIS+? Transfer the files by SSH on a regular basis?

The main question would be: what alternatives exist if you want to share user ids and passwords between two or more computers... and in a hopefully secure way (i.e. if you get root on one computer, you won't be able to get the whole password list from the master).

Have a nice day!

Dan Sveen Olsen
On Sun, 22 Oct 2000, Dan Sveen Olsen wrote:
> I am going to do some testing with two computers (just for fun), both with SuSE 7.0, and a firewall between them (OpenBSD 2.7). The first computer will be accessed normally by users while the other one will be an NFS server to the first one (i.e. the users' homes will be automounted from the NFS server).
>
> - Is it possible to filter the NFS traffic well?
NFS through firewalls has been discussed on this list some time ago. (I didn't follow the discussion.) I don't know the reason for your firewall, but NFS (aka No File Security) should not be used "in the wild" if it can be avoided. Any computer that can spoof as one of your machines gets access to all files.
> - Do I need similar passwd/group/shadow/gshadow files on both computers?
For NFS you don't need passwords, but the user-id should be identical. There is also the possibility to do user-id mappings with NFS but that might be more problems than it's worth.
> - Is it possible to have the NFS computer as master password storage for the first one?
> - Can RADIUS be used for this (I know a PAM exists for RADIUS, but will it fit my needs?)?
> - Other alternatives? NIS? NIS+? Transfer the files by SSH on a regular basis?
NIS is classical for doing this but not very secure (same level as NFS).
> The main question would be: what alternatives exist if you want to share user ids and passwords between two or more computers... and in a hopefully secure way (i.e. if you get root on one computer, you won't be able to get the whole password list from the master).
If you are root on one computer you will always be able to get the password list from the other computer (but not cleartext). If the users are able to login on the machine there has to be a way to validate the passwords!

OK, that's not true for full-blown authentication schemes like Kerberos, but with Kerberos you have to rely on the ticket server for authentication.

Against a malicious root user none of this will really help.

Cheers
Robert

--
Robert Casties --------------------- http://philoscience.unibe.ch/~casties
History & Philosophy of Science      Tel: +41/31/631-8505 Room: 216
Institute for Exact Sciences         Sidlerstrasse 5, CH-3012 Bern
Uni Bern                             (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
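Added example, not part of either message: NFS with traditional UNIX authentication matches file ownership by numeric user id, so this Python script compares passwd data from the client and the server and flags names whose UID differs or whose UID belongs to a different account on the server. The account entries and the function names are constructed for illustration.

```python
# Added example: compare passwd(5) data from an NFS client and an NFS server.
# The sample entries below are constructed, not taken from a real system.
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:100:Alice:/home/alice:/bin/bash
bob:x:501:100:Bob:/home/bob:/bin/bash
carol:x:502:100:Carol:/home/carol:/bin/bash
"""

SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:100:Alice:/home/alice:/bin/bash
bob:x:502:100:Bob:/home/bob:/bin/bash
dave:x:501:100:Dave:/home/dave:/bin/bash
"""

def parse_passwd(text):
    """Return {name: uid}; skips blanks, comments, NIS +/- lines and malformed entries."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def compare(client, server):
    """Report accounts whose numeric UID does not mean the same user on both hosts."""
    by_uid = {}
    for name, uid in server.items():
        by_uid.setdefault(uid, set()).add(name)
    report = {"uid_mismatch": [], "uid_collision": [], "client_only": []}
    for name, uid in sorted(client.items()):
        if name not in server:
            report["client_only"].append(name)
        elif server[name] != uid:
            report["uid_mismatch"].append((name, uid, server[name]))
        others = sorted(by_uid.get(uid, set()) - {name})  # same number, other account
        if others:
            report["uid_collision"].append((name, uid, others))
    return report

if __name__ == "__main__":
    result = compare(parse_passwd(CLIENT_PASSWD), parse_passwd(SERVER_PASSWD))
    for kind, items in result.items():
        for item in items:
            print(kind, item)
```

A `uid_collision` entry is the case to fix first: the client user's files on the export would be owned by, and readable as, a different account on the server.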
participants (2)
- Dan Sveen Olsen
- Robert Casties