Slackware: This forum is for the discussion of Slackware Linux.
I've decided to start looking at how I can set up a small network with Linux clients. I'm an ex-Windows IT guy, so maybe I'm thinking too MS in trying to come up with a solution; if I am, someone shoot me please.
What I would like to have...
A server (Slackware) that holds all the users of this network. For the clients to log in, they have to have an account set up on this server.
I want all the clients to be set up to log onto this accounts machine. Now these will all be Linux clients, none of this Windows crap.
I would like for the clients' home directories to map to the server, so basically the clients cannot write anything to their local hard drive at all. Client-wise, let's say there are 15-20 clients?
These are the basics I am looking for. Can someone point me in the right direction? Is there a website out there that explains this?
And what network file system are you considering using? Well, NFS is trivial, but I heard it is not that elegant; one of the vulnerabilities of older versions of NFS is that it doesn't check back on the hostname trying to connect.
The vulnerability is that the hostname can be spoofed. If the network file server is fooled, we can create every user we want it to be on our local system, log in as that user, and then we'll have access to that user's exported data on NFS. But this should be long fixed. I'm not that deep into that, but I think NIS should handle the authentication against the spoofing...
I'm just interested to know, what is the better network file system currently? Coda, Samba? Any comment?
Originally posted by dirstyGuy
And what network file system are you considering using? Well, NFS is trivial, but I heard it is not that elegant; one of the vulnerabilities of older versions of NFS is that it doesn't check back on the hostname trying to connect.
That's what you have /etc/hosts.allow and /etc/hosts.deny for.
Quote:
The vulnerability is that the hostname can be spoofed. If the network file server is fooled, we can create every user we want it to be on our local system, log in as that user, and then we'll have access to that user's exported data on NFS. But this should be long fixed. I'm not that deep into that, but I think NIS should handle the authentication against the spoofing...
And if you set up (as I learnt the other day) static ARP tables on the server there's no spoofing either, because the MAC address can't be forged easily.
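The hosts.allow/hosts.deny point above can be checked rather than assumed. The following is an added example, not code from any poster in this thread: a POSIX shell audit of an NFS server's /etc/exports and TCP-wrapper files, run here against constructed sample files in a scratch directory. The daemon names in the sample hosts.allow (portmap, mountd, statd, lockd, rquotad) are an assumption about which services on a given build are libwrap-aware; the in-kernel nfsd does not consult these files at all, which is why the client list and root_squash option in /etc/exports are checked as well.

```shell
#!/bin/sh
# Added example (not code from the thread): a defender's audit of the NFS
# server side of the setup asked about above. It checks /etc/exports for
# exports open to any host and for no_root_squash, and checks that the
# TCP-wrapper files follow a deny-by-default pattern. The three files below
# are constructed samples written to a scratch directory; on a real server
# point the functions at /etc/exports, /etc/hosts.allow and /etc/hosts.deny.

WORK=$(mktemp -d)

cat > "$WORK/exports" <<'EOF'
# constructed sample /etc/exports: first line is the weak form, second the fixed form
/home              *(rw,no_root_squash)
/export/home       192.168.1.0/255.255.255.0(rw,root_squash,sync)
/srv/pub           *.lab.example(ro)
EOF

cat > "$WORK/hosts.allow" <<'EOF'
# constructed sample: only the LAN may reach the RPC services that honour libwrap
# (daemon names assumed for this build; verify against your nfs-utils/portmap)
portmap mountd statd lockd rquotad : 192.168.1.0/255.255.255.0
EOF

cat > "$WORK/hosts.deny" <<'EOF'
# constructed sample: everything not explicitly allowed is refused
ALL : ALL
EOF

# Count non-comment export lines that are open to every host: either no
# client list at all, or a client field that is exactly "*" (with options).
# Usage: count_wildcard_exports /etc/exports
count_wildcard_exports() {
    awk '!/^[[:space:]]*#/ && NF >= 1 {
        if (NF == 1) { n++; next }
        for (i = 2; i <= NF; i++) if ($i == "*" || $i ~ /^\*\(/) n++
    } END { print n + 0 }' "$1"
}

# Count export lines that disable root squashing, i.e. let a client's root
# act as root on the exported tree.
count_no_root_squash() {
    awk '!/^[[:space:]]*#/ && /no_root_squash/ { n++ } END { print n + 0 }' "$1"
}

# True when hosts.deny contains a catch-all "ALL : ALL" line.
wrappers_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# True when no hosts.allow rule grants a service to the client list ALL.
wrappers_allow_is_scoped() {
    ! grep -Eq '^[^#]*:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# Run all checks, print one finding per line, and print the number of
# findings on the last line so callers can capture it.
# Usage: audit_nfs_config EXPORTS HOSTS_ALLOW HOSTS_DENY
audit_nfs_config() {
    findings=0
    w=$(count_wildcard_exports "$1")
    [ "$w" -gt 0 ] && { echo "FINDING: $w export(s) open to any host"; findings=$((findings + w)); }
    r=$(count_no_root_squash "$1")
    [ "$r" -gt 0 ] && { echo "FINDING: $r export(s) with no_root_squash"; findings=$((findings + r)); }
    wrappers_default_deny "$3" || { echo "FINDING: hosts.deny lacks 'ALL : ALL'"; findings=$((findings + 1)); }
    wrappers_allow_is_scoped "$2" || { echo "FINDING: hosts.allow grants a service to ALL"; findings=$((findings + 1)); }
    echo "$findings"
}

# Against the constructed samples this reports the two weak settings on the
# first export line and a total of 2.
audit_nfs_config "$WORK/exports" "$WORK/hosts.allow" "$WORK/hosts.deny"
```

For the home-directory setup the original poster describes, the second export line is the shape to aim for: a specific network, rw for the users' homes, and root_squash so a client's root is mapped to nobody on the server. The wrapper files only gate the RPC helpers; they are a second layer, not a replacement for a scoped client list in /etc/exports.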
Originally posted by Tinkster
And if you set up (as I learnt the other day) static ARP tables on the server there's no spoofing either, because the MAC address can't be forged easily.
I hope so; as said, that vulnerability should be fixed. Although I'm just a little bit untrusting, as in my mind I can set up my DNS to answer the "back reference query of the NFS server" with whatever hostname I want it to be. Though whether my DNS is the one the NFS server queries is another question.
AFAIK NFS worked over UDP (connectionless; other network FSs maybe also), which means the exported data is streamed onto the network segment bare through the UDP port (at least in the early manifestations of NFS). I bet only an authenticated host:user can force the NFS server to stream certain demanded data; say when we do "cd /nfs1/user1data", then /nfs1/user1 will be mounted at a certain point in user1's FS tree, and what he accesses will be streamed through the segment later (encrypted?). Although not authenticated, the data is subject to scanning/mapping by anyone who is physically (or in some other way) connected to the network segment (isn't it? sorry if my estimation is wrong, I'm still a noob on NFS).
Yeah, those static ARP tables sound promising; still curious whether anyone is going to say something about Coda or maybe other network file systems that are popular.
So I have to ask: how could I use LDAP as my user database? Can I replace the standard Linux auth system with an LDAP-based directory?
Ultimately I'd like LDAP to hold my user info, sendmail info, Apache authentication info and TikiWiki accounts. But let's start with login... references?
Please do not rely on MAC addresses for security; the MAC address can be reset (on all but a few NICs) with the command "ifconfig hw ether [MAC address]". Not too hard to spoof, in other words. Also, you can easily sniff out valid MAC addresses using common network inspection tools.
I haven't used LDAP myself, so the following information might not be entirely accurate. If I'm not mistaken, LDAP authentication requires Pluggable Authentication Modules (PAM), which is left out of Slackware due to its shaky security track record, and from what I've seen of the source, it's a good call. PAM is however standard on many GNU/Linux distributions, so obviously a lot of people think it's safe enough.
To install PAM in Slackware, you need to first install PAM, and then recompile all packages that do authentication (at least shadow, perhaps some others as well) to make them PAM-enabled.
The quick and dirty approach is of course to write a script which periodically updates the local authentication files against LDAP, but that isn't necessarily any more secure than the alternatives.
I personally think the poor implementation of PAM is a major shortcoming of the GNU/Linux platform. It should be rewritten by someone who really understands secure programming.
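Static ARP entries, as suggested earlier in the thread, protect the server's own cache from being rewritten, and the caution above that a MAC can simply be reset means they prove nothing about who is actually on the wire. The defender's complement is to watch the table for change. The following is an added example, not code from any poster here: POSIX shell functions that diff a saved copy of /proc/net/arp against the current table and report changed or new neighbours. Both tables are constructed samples, and every IP and MAC in them is invented.

```shell
#!/bin/sh
# Added example (not from the thread): detect a changed MAC for a known IP
# by comparing the kernel ARP table against a saved baseline. The two tables
# below are constructed samples in /proc/net/arp layout; on a real host,
# record a baseline with "cat /proc/net/arp > arp.baseline" while the
# network is known good, and re-run the comparison from cron.

WORK=$(mktemp -d)

# Baseline captured when the table was known good (constructed sample).
# Flags 0x6 = complete + permanent (a static entry), 0x2 = complete only.
cat > "$WORK/arp.baseline" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x6         00:aa:bb:cc:dd:10     *        eth0
192.168.1.20     0x1         0x6         00:aa:bb:cc:dd:20     *        eth0
192.168.1.30     0x1         0x2         00:aa:bb:cc:dd:30     *        eth0
EOF

# Current table: .20 now maps to a different MAC and .40 is new (constructed).
cat > "$WORK/arp.now" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x6         00:aa:bb:cc:dd:10     *        eth0
192.168.1.20     0x1         0x6         de:ad:be:ef:00:01     *        eth0
192.168.1.30     0x1         0x2         00:aa:bb:cc:dd:30     *        eth0
192.168.1.40     0x1         0x2         00:aa:bb:cc:dd:40     *        eth0
EOF

# Print "IP OLD_MAC NEW_MAC" for every baseline IP whose MAC now differs.
# The header line of each table (FNR == 1) is skipped.
# Usage: arp_changed_entries BASELINE CURRENT
arp_changed_entries() {
    awk 'NR == FNR { if (FNR > 1) base[$1] = $4; next }
         FNR > 1 && ($1 in base) && base[$1] != $4 { print $1, base[$1], $4 }' "$1" "$2"
}

# Print IPs present in the current table that the baseline never saw.
arp_new_entries() {
    awk 'NR == FNR { if (FNR > 1) base[$1] = 1; next }
         FNR > 1 && !($1 in base) { print $1 }' "$1" "$2"
}

# Count entries that are not permanent. Comparing the flags string to "0x6"
# is a simplification that holds for the values the kernel prints here.
arp_dynamic_count() {
    awk 'FNR > 1 && $3 != "0x6" { n++ } END { print n + 0 }' "$1"
}

# Human-readable report combining the two diffs.
arp_report() {
    arp_changed_entries "$1" "$2" | while read -r ip old new; do
        echo "ALERT: $ip changed from $old to $new"
    done
    arp_new_entries "$1" "$2" | while read -r ip; do
        echo "NOTE: new neighbour $ip"
    done
}

# Against the constructed samples: one ALERT for 192.168.1.20, one NOTE for .40.
arp_report "$WORK/arp.baseline" "$WORK/arp.now"
```

A static entry only pins what the server believes; the report above is what tells an administrator that the belief and the wire disagree. The same comparison can be run on the clients, where the server's own MAC is the entry worth pinning and watching.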