Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is There a Better Way to do UNIX Workgroups?

Posted by Cliff on from the reanalysing-traditional-solutions dept.

Pauly asks: "Here I am again setting up a new workgroup of UNIX workstations and servers in the traditional office arrangement. By traditional I mean many clients being authenticated by a naming service and mounting homedirs and other shares handled by centralized file servers. I can't help thinking there has to be a better way to do this. Even though this particular LAN is behind a reasonable firewall, I don't feel that NIS/NFS (and their derivatives) are designed securely enough for today's world. Even though I have gone to great lengths to secure the dmz, it just feels wrong to ignore the internal network. I don't have any legacy application or system requirements to keep me tied to NIS/NFS. All the clients will be OpenBSD, FreeBSD or Linux machine. Therefore, I am free to use the best-of-breed tools available today. So I ask: How would you implement the traditional UNIX workgroup today and which of the latest and greatest tools available would you use?"

5 of 40 comments (clear)

  1. Yes there is by b.foster · · Score: 5, Informative
    Last year, I was responsible for reinstalling a large cluster of Sun Ultra machines, which were NIS and NFS for distributed authentication and file sharing. There were a couple of pitfalls along the way, but now we have a very fast, secure system up and running. A couple of points are:
    • Use Linux on the client end. It is scads more maintainable than Solaris, and its remote filesystem capabilities are very well-refined and debugged.
    • Stay away from NIS+. Support is limited and the protocol itself is complex and insecure.
    • Stay away from AFS and Coda. They are very difficult to set up properly, require running buggy code in kernel space, and force you to make dedicated hard drive partitions to support them. They also overwhelm your network to the breaking point.
    • Use Kerberos for authentication. I've tried many different implementations and found (surprisingly enough) that the UI and stability on the Win2k Active Directory server is second to none. The MIT K5 KDC is pretty nice too, but our admins prefer a GUI for user management.
    • Use NFS tunneled over SSH for file distribution. Avoid having more than one or two NFS mounts on each client machine, and always mount with "-o soft,bg".
    • Change host keys frequently to prevent trouble. I have set up scripts to do this automatically every week.
    • Set up your Kerberos server to log all activity to an SQL database, and use any of the excellent pattern analysis tools (such as UserEye) to alert you to suspicious activity.
    • Make sure you use a switched network, so that nobody can sniff traffic or engage in ARP spoofing.
    Since the time when I set up this system, we have had zero security breaches, and I earned a large (double digit percent) raise.

    Good luck!

    Bill

    1. Re:Yes there is by def · · Score: 2, Informative
      Most of your points are quite sound, and I agree with them, especially avoiding NIS+, I worked on a network that used it for authentication and working with the database was annoying at best, however:

      Stay away from AFS and Coda

      Staying away from Coda is an excellent idea, it's a research filesystem that will probabally never be able to be used in the real world. AFS, on the other hand, is quite stable and has management and security features that far surpass any implementation of NFS. If you are serious about a network filesyste, dedicated hard drive partitions (or even RAID arrays) shouldn't be a serious obsticle. The volume management features of AFS also make such a "sacrifice" trivial.

      However, it goes without saying that AFS is not the easiest thing in the world to set up or become acustomed to. If you have the time to seriously consider a network filesystem though, I would definately recommend atleast looking at AFS.
      Also, as long as you are going to the trouble of using Kerberos for authentication (which I also agree with), AFS integrates with Kerberos quite nicely.

      Make sure you have a switced network

      While you almost certainly must have switched networking at any scale these days, it is important to note that the mere existance of a switch does not mean that traffic is immune to be ing sniffed. There are relatively simple attacks against switches that can force them to fall back into broadcast mode.

      Overall, however, I agree with your suggestions for setting up a secure system.

      --
      WRCT Pittsburgh, 88.3FM
  2. LDAP by duffbeer703 · · Score: 4, Informative

    LDAP & PAM is the way to go. We recently implemented a single sign-on system @ work and it works great for 60,000 interal and about 150,000 internet users!

    I believe there is an OpenLDAP implementation is Iplanet is too expensive.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
    1. Re:LDAP by nbvb · · Score: 3, Informative

      If you use Solaris (which I'm guessing the original poster is, because he mentioned NIS), then the iPlanet directory server is included with Solaris. You have a license for up to 300,000 entries.

      Good luck!

  3. Re:AFS/kerberos & secureID. by Anonymous Coward · · Score: 1, Informative

    AFS howto