On Sun, Oct 28, 2001 at 08:58:21AM -0500, Ron Peterson wrote:
> NFSv2 and v3 are both insecure. If the client computer is on my desktop,
> I can reinstall Linux, give myself root, and then connect as any user I
> want.

Yep, you can. Of course, if you're managing a bunch of Linux machines, and you need to prevent this scenario, you can make it difficult. It sounds like you've already taken root away from your users, which is the first step. Good for you! :) Or you can trust your users...

If you prefer the former, you can remove the floppy drive and CD-ROM drive, and install a BIOS password on the machine. You also will need to make sure that LILO prompts for a password when using anything but the default command line, as should single user mode. This does not make it impossible, but much more work for someone to re-install Linux on your system. And there's a good chance someone will notice them installing drives in their machine...

Of course, this is also tantamount to hanging a big tabard from every window in your office that says "WE DON'T TRUST OUR USERS!" Personally I have no problem with that, but THEY might see it a bit differently... ;)

> Samba's smbmount can prompt for a password, but not if you use
> autofs. This is the best solution I can think of so far, particularly if
> combined with SSL.

You can add the necessary commands to the user's local .profile so that it will prompt for a password and mount the share. You will also need to make sure the share gets mounted somewhere other than the user's home directory... or else it will be busy when you try to mount it (as the .profile will be running from there).

> Are there other solutions to this problem that I'm not thinking of?

If you want to learn how to manage Kerberos, that may work for you... But I'm not sure if there is a good implementation of kerberized NFS for Linux. I think this again may be in the realm of NFSv4.

If you do find anything else that works for you, I'd be most interested in the details. This IS a hairy problem...

Thanks.

--
Derek Martin [EMAIL PROTECTED]
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
