Slashdot Mirror


Is There a Better Way to do UNIX Workgroups?

Pauly asks: "Here I am again setting up a new workgroup of UNIX workstations and servers in the traditional office arrangement. By traditional I mean many clients being authenticated by a naming service and mounting homedirs and other shares handled by centralized file servers. I can't help thinking there has to be a better way to do this. Even though this particular LAN is behind a reasonable firewall, I don't feel that NIS/NFS (and their derivatives) are designed securely enough for today's world. Even though I have gone to great lengths to secure the DMZ, it just feels wrong to ignore the internal network. I don't have any legacy application or system requirements to keep me tied to NIS/NFS. All the clients will be OpenBSD, FreeBSD or Linux machines. Therefore, I am free to use the best-of-breed tools available today. So I ask: How would you implement the traditional UNIX workgroup today and which of the latest and greatest tools available would you use?"


  1. Yes there is by b.foster · · Score: 5, Informative
    Last year, I was responsible for reinstalling a large cluster of Sun Ultra machines, which were using NIS and NFS for distributed authentication and file sharing. There were a couple of pitfalls along the way, but now we have a very fast, secure system up and running. A couple of points are:
    • Use Linux on the client end. It is scads more maintainable than Solaris, and its remote filesystem capabilities are very well-refined and debugged.
    • Stay away from NIS+. Support is limited and the protocol itself is complex and insecure.
    • Stay away from AFS and Coda. They are very difficult to set up properly, require running buggy code in kernel space, and force you to make dedicated hard drive partitions to support them. They also overwhelm your network to the breaking point.
    • Use Kerberos for authentication. I've tried many different implementations and found (surprisingly enough) that the UI and stability on the Win2k Active Directory server is second to none. The MIT K5 KDC is pretty nice too, but our admins prefer a GUI for user management.
    • Use NFS tunneled over SSH for file distribution. Avoid having more than one or two NFS mounts on each client machine, and always mount with "-o soft,bg".
    • Change host keys frequently to prevent trouble. I have set up scripts to do this automatically every week.
    • Set up your Kerberos server to log all activity to an SQL database, and use any of the excellent pattern analysis tools (such as UserEye) to alert you to suspicious activity.
    • Make sure you use a switched network, so that nobody can sniff traffic or engage in ARP spoofing.
    Since the time when I set up this system, we have had zero security breaches, and I earned a large (double digit percent) raise.

    Good luck!

    Bill

    1. Re:Yes there is by cnvogel · · Score: 3

      AFS:

      I work on AFS volumes on a daily basis (only as a user, I'm no administrator there) and cannot share your concerns regarding stability (clients are Linux, I don't know the server side at all).

      NFS:

      I'd *never* use -o soft! It will break many applications when you have a short outage. Use -o intr instead. It's the same as 'hard' but it's possible to kill applications which wait for a broken/down/unreachable NFS-server.
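Added example (not part of any comment in this thread): a small shell check that classifies the NFS entries of an fstab-format file by the `soft` and `intr` options debated in the two comments above. The sample fstab, its host names and its paths are constructed for illustration.

```shell
#!/bin/sh
# Classify NFS entries of an fstab-format file (path in $1, or stdin).
# Prints one "<mountpoint> <class>" line per nfs/nfs4 entry:
#   soft       "soft" is set: I/O errors reach applications after a timeout
#   hard-intr  no "soft", "intr" is set (the option recommended in the reply)
#   hard       neither option is set
audit_nfs_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }             # skip comments, short lines
        $3 != "nfs" && $3 != "nfs4" { next }     # only NFS filesystems
        {
            soft = 0; intr = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {           # whole-option match, so a
                if (opt[i] == "soft") soft = 1   # name like "softreval" is
                if (opt[i] == "intr") intr = 1   # not mistaken for "soft"
            }
            if (soft)      print $2, "soft"
            else if (intr) print $2, "hard-intr"
            else           print $2, "hard"
        }
    ' "${1:--}"
}

# Constructed sample fstab (host names and paths are made up).
sample_fstab() {
    cat <<'EOF'
# device            mountpoint  type  options        dump pass
/dev/sda1           /           ext4  defaults       0 1
fs1:/export/home    /home       nfs   soft,bg        0 0
fs1:/export/proj    /proj       nfs   rw,intr        0 0
fs2:/export/scratch /scratch    nfs4  rw,softreval   0 0
EOF
}

sample_fstab | audit_nfs_fstab
```

On a real client, run `audit_nfs_fstab /etc/fstab` and review every mount reported as `soft`.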

    2. Re:Yes there is by wfrp01 · · Score: 3, Insightful

      Use NFS tunneled over SSH for file distribution.

      If you have Linux clients, what's to prevent me from mounting any user's data that I want? I pop in a Linux boot CD, become root, read the necessary ssh private/public key data. Then I become any user I like, and mount away.

      --

      --Lawrence Lessig for Congress!
    3. Re:Yes there is by wfrp01 · · Score: 3, Insightful

      Although not foolproof, BIOS/FIRMWARE password to prevent floppy/CD booting is key.

      I should have been more clear. The problem isn't the client, it's the protocol. NFS is inherently insecure. Sure, you can BIOS protect your workstations. But you can't BIOS protect my laptop. You can't stop me from spoofing my MAC address, my IP address, etc.

      Now you're right, of course, that most people can't/won't do this. On the other hand, what are you trying to protect? When your boss asks "is this secure?", what do you say? Remember too, that you don't have to be much of a whiz to do a Google search.

      Are you going to export your accounting folder? How about HR stuff? There are good (well, maybe 'good' isn't the right word... ;) reasons people would want at the information therein. It really doesn't take a lot of effort to get it, if you're using NFS.

      --

      --Lawrence Lessig for Congress!
  2. LDAP by duffbeer703 · · Score: 4, Informative

    LDAP & PAM is the way to go. We recently implemented a single sign-on system @ work and it works great for 60,000 internal and about 150,000 internet users!

    I believe there is an OpenLDAP implementation if iPlanet is too expensive.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
    1. Re:LDAP by nbvb · · Score: 3, Informative

      If you use Solaris (which I'm guessing the original poster is, because he mentioned NIS), then the iPlanet directory server is included with Solaris. You have a license for up to 300,000 entries.

      Good luck!