Is There a Better Way to do UNIX Workgroups?
Pauly asks: "Here I am again setting up a new workgroup of UNIX workstations and servers in the traditional office arrangement. By traditional I mean many clients being authenticated by a naming service and mounting homedirs and other shares handled by centralized file servers. I can't help thinking there has to be a better way to do this. Even though this particular LAN is behind a reasonable firewall, I don't feel that NIS/NFS (and their derivatives) are designed securely enough for today's world. Even though I have gone to great lengths to secure the DMZ, it just feels wrong to ignore the internal network. I don't have any legacy application or system requirements to keep me tied to NIS/NFS. All the clients will be OpenBSD, FreeBSD or Linux machines. Therefore, I am free to use the best-of-breed tools available today.
So I ask: How would you implement the traditional UNIX workgroup today and which of the latest and greatest tools available would you use?"
Re:AFS/kerberos & secureID. (Score:1)
Mmm, how about some details? A howto maybe?
Yes there is (Score:5, Informative)
Good luck!
Bill
Stay away from AFS and Coda
Staying away from Coda is an excellent idea, it's a research filesystem that will probably never be able to be used in the real world. AFS, on the other hand, is quite stable and has management and security features that far surpass any implementation of NFS. If you are serious about a network filesystem, dedicated hard drive partitions (or even RAID arrays) shouldn't be a serious obstacle. The volume management features of AFS also make such a "sacrifice" trivial.
However, it goes without saying that AFS is not the easiest thing in the world to set up or become accustomed to. If you have the time to seriously consider a network filesystem though, I would definitely recommend at least looking at AFS.
Also, as long as you are going to the trouble of using Kerberos for authentication (which I also agree with), AFS integrates with Kerberos quite nicely.
Make sure you have a switched network
While you almost certainly must have switched networking at any scale these days, it is important to note that the mere existence of a switch does not mean that traffic is immune to being sniffed. There are relatively simple attacks against switches that can force them to fall back into broadcast mode.
Overall, however, I agree with your suggestions for setting up a secure system.
Re:Yes there is (Score:2, Insightful)
Isn't the whole point of arp spoofing, that it allows sniffing despite switches?
Re:Yes there is (Score:3)
I work on AFS volumes on a daily basis (only as a user, I'm no administrator there) and cannot share your concerns regarding stability (clients are Linux, I don't know the server side at all).
NFS:
I'd *never* use -o soft! It will break many applications when you have a short outage. Use -o intr instead. It's the same as 'hard' but it's possible to kill applications which wait for a broken/down/unreachable NFS-server.
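An added example (not from any poster in this thread) that turns the mount-option advice above into a check: it parses constructed fstab-style lines and flags NFS entries mounted soft, or hard without intr. The host names and paths are invented.

```python
"""Audit NFS entries in fstab-style text for the mount options the post
warns about: ``soft`` (short outages surface as I/O errors in applications)
versus ``hard`` plus ``intr`` (hard, but a process waiting on a dead server
can still be killed).

Added example; the fstab lines below are constructed sample input and the
host names and paths are invented."""

SAMPLE_FSTAB = """\
# constructed sample /etc/fstab
/dev/wd0a              /        ffs  rw                  1 1
fileserv:/export/home  /home    nfs  rw,soft,timeo=14    0 0
fileserv:/export/proj  /proj    nfs  rw,hard,intr,nosuid 0 0
fileserv:/export/tmp   /scratch nfs  rw                  0 0
"""

def parse_fstab(text):
    """Yield (device, mountpoint, fstype, set_of_options) for each entry,
    skipping blank lines, comments and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; ignore rather than guess
        device, mountpoint, fstype, opts = fields[:4]
        yield device, mountpoint, fstype, set(opts.split(","))

def audit_nfs_options(text):
    """Return {mountpoint: [findings]} for NFS entries whose options
    contradict the advice above; a mount with no entry is fine."""
    findings = {}
    for _device, mountpoint, fstype, opts in parse_fstab(text):
        if fstype not in ("nfs", "nfs4"):
            continue
        problems = []
        if "soft" in opts:
            problems.append("soft: outages become I/O errors; use hard,intr")
        elif "intr" not in opts:
            # NFS mounts are hard by default; without intr a process
            # blocked on an unreachable server cannot be killed.
            problems.append("hard without intr: hung processes cannot be killed")
        if problems:
            findings[mountpoint] = problems
    return findings

if __name__ == "__main__":
    for mp, probs in audit_nfs_options(SAMPLE_FSTAB).items():
        print(mp, "->", "; ".join(probs))
```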
Re:Yes there is (Score:3, Insightful)
If you have linux clients, what's to prevent me from mounting any user's data that I want? I pop in a Linux boot CD, become root, read the necessary ssh private/public key data. Then I become any user I like, and mount away.
Re:Yes there is (Score:2)
Except that you don't always have control of all of the workstations. University personally owned computers, for example. What you're suggesting will only work in a rigidly controlled environment. Better to have a more secure filesharing methodology. NFS4, for example. Or I understand AFS to be more secure. However, this would seem to be a difficult system to use in an environment that must also cooperate with, say, Windows clients.
I hate to say it, but as things stand today, you'll end up with a much more secure shared filesystem if you use samba + windows clients. Unless you use a system like AFS that doesn't play nice with others. This is definitely a chink in the *nix armor.
Maybe I just don't understand AFS well enough. I've been pinning my hopes on NFSv4, but this [samba.org] certainly looks discouraging. Maybe umich [umich.edu] will save us. By June 30th, they say... Here's to William, Jim, Kendrick, and Jake!
OpenAFS for Windows works. (Score:1)
Re:Yes there is (Score:3, Insightful)
I should have been more clear. The problem isn't the client, it's the protocol. NFS is inherently insecure. Sure, you can BIOS protect your workstations. But you can't BIOS protect my laptop. You can't stop me from spoofing my MAC address, my IP address, etc.
Now you're right, of course, that most people can't/won't do this. On the other hand, what are you trying to protect? When your boss asks "is this secure?", what do you say? Remember too, that you don't have to be much of a whiz to do a Google search.
Are you going to export your accounting folder? How about HR stuff? There are good (well, maybe 'good' isn't the right word...
AFS is good. Not buggy kernel code. (Score:1)
AFS is good. The volume management is great, and you get real access control lists with groups. How about moving a user's home directory to a different server, while the user is logged in? It's completely transparent. Or how about letting people create their own groups? That is useful. And there's proper authentication.
Random advice:
LDAP (Score:4, Informative)
I believe there is an OpenLDAP implementation if iPlanet is too expensive.
Re:LDAP (Score:1)
I disagree with the poster who said this was overkill for less than a hundred machines
I didn't SAY it was overkill, I *asked*.
Re:LDAP (Score:3, Informative)
Good luck!
Just curious (Score:1)
Funny (Score:1, Interesting)
What is everyone using for user account management in shops that support *nix as well as Windows 2000 or others like Netware?
Surely everyone is not using NIS with its limitations. OpenLDAP seems like a logical choice, but how does one authenticate Windows 2000/XP to OpenLDAP, despite Microsoft's claims that Active Directory is LDAP compliant? Microsoft's Active Directory might be LDAP and Kerberos compliant in the loosest sense, but interoperability with Unix systems seems very elusive. So, what is everyone else doing to centralize network management?
What I use (Score:1)
For Unix (Solaris), we used NIS, and not NIS+. Why? Because we trusted folks inside the firewall and NIS is nice and easy. For Windows, we used the standard Windows stuff.
Re:What I use (Score:1)
The YP/NIS stuff by itself was easy, Windows by itself was easy so we just stopped there. In addition we weren't using Samba at the time and inertia just kept it that way. (We used an NFS client on the few Windows machines that needed Unix file sharing. There was a complex, but good, reason for using the NFS client.)
Re:What I use (Score:1, Interesting)
http://www.arlut.utexas.edu/gash2/
Kerberized NFS? (Score:1)
Except for Kerberized and/or SSL'ed CIFS/SMB, it seems the finest solution (and any non-Windoze CIFS/SMB client is a PITA).
Re:Kerberized NFS? (Score:2)
I know that one OS supports it, but it hasn't been added to OpenBSD or Linux yet (AFAIK). OpenBSD still uses Kerberos 4, not Kerb5/GSSAPI, and Linux has had some policies that made it hard to add crypto. Hopefully a suitable patch will be available through the new security API.
NDS (Score:1)
anybody tried www.boxedpenguin.com ? (Score:1)
OpenLDAP + Krb5 + OpenAFS sounds quite nice. Anybody used this?