Is There a Better Way to do UNIX Workgroups?

Pauly asks: "Here I am again setting up a new workgroup of UNIX workstations and servers in the traditional office arrangement. By traditional I mean many clients being authenticated by a naming service and mounting homedirs and other shares handled by centralized file servers. I can't help thinking there has to be a better way to do this. Even though this particular LAN is behind a reasonable firewall, I don't feel that NIS/NFS (and their derivatives) are designed securely enough for today's world. Even though I have gone to great lengths to secure the dmz, it just feels wrong to ignore the internal network. I don't have any legacy application or system requirements to keep me tied to NIS/NFS. All the clients will be OpenBSD, FreeBSD or Linux machine. Therefore, I am free to use the best-of-breed tools available today. So I ask: How would you implement the traditional UNIX workgroup today and which of the latest and greatest tools available would you use?"

Yes there is

[b.foster]

Last year, I was responsible for reinstalling a large cluster of Sun Ultra machines, which were NIS and NFS for distributed authentication and file sharing. There were a couple of pitfalls along the way, but now we have a very fast, secure system up and running. A couple of points are:

• Use Linux on the client end. It is scads more maintainable than Solaris, and its remote filesystem capabilities are very well-refined and debugged.
• Stay away from NIS+. Support is limited and the protocol itself is complex and insecure.
• Stay away from AFS and Coda. They are very difficult to set up properly, require running buggy code in kernel space, and force you to make dedicated hard drive partitions to support them. They also overwhelm your network to the breaking point.
• Use Kerberos for authentication. I've tried many different implementations and found (surprisingly enough) that the UI and stability on the Win2k Active Directory server is second to none. The MIT K5 KDC is pretty nice too, but our admins prefer a GUI for user management.
• Use NFS tunneled over SSH for file distribution. Avoid having more than one or two NFS mounts on each client machine, and always mount with "-o soft,bg".
• Change host keys frequently to prevent trouble. I have set up scripts to do this automatically every week.
• Set up your Kerberos server to log all activity to an SQL database, and use any of the excellent pattern analysis tools (such as UserEye) to alert you to suspicious activity.
• Make sure you use a switched network, so that nobody can sniff traffic or engage in ARP spoofing.

Since the time when I set up this system, we have had zero security breaches, and I earned a large (double digit percent) raise.

Good luck!

Bill

LDAP

[duffbeer703]

LDAP & PAM is the way to go. We recently implemented a single sign-on system @ work and it works great for 60,000 interal and about 150,000 internet users!

I believe there is an OpenLDAP implementation is Iplanet is too expensive.