need help with NFS and user authentication

Bob Elzer bob.elzer at gmail.com
Sun Mar 1 15:30:06 MST 2009


Any user creating a uid of 1000 might be able to connect to your network,
but they wouldn't be able to log in to your machines, and vice versa.
Normally, when you set up multiple machines that you want to grant users
access to, you implement NIS. With NIS you manage one set of files on
one machine and it is distributed across the others.

You can also accomplish this with LDAP.


-----Original Message-----
From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Alex
Dean
Sent: Saturday, February 28, 2009 7:11 PM
To: Main PLUG discussion list
Subject: Re: need help with NFS and user authentication


On Feb 28, 2009, at 5:16 PM, Bob Elzer wrote:

>> I could probably change uids everywhere so they all match on all
>> machines, but this seems 1. klunky and 2. really insecure.

Granted, it's a small network with few nodes.  Changing uids is probably
workable in this case, and may be the solution I end up going with.  But it
doesn't seem like it scales very well.  If I'm uid 1000, how hard is it for
any random person to create some uid 1000 on their machine, connect to the
network, and access my files with my permissions?  That seems pretty
insecure to me.

Take a look at this for a similar issue :
http://nfsworld.blogspot.com/2006/02/real-authentication-in-nfs.html

>
> Why would you think that? How is the server going to know it's you,
> if every time you connect, you have a different UID?

I'd prefer to have some other mechanism for authorization.  That's the core
of what I'm asking.  I will poke at Kerberos a bit, and if I have success
setting it up, I will probably go with it.  If it seems too involved for my
simple little network, then I'll get busy changing uids.

>
> You wouldn't give a different name at different DMV offices, would you?

To me, the better question is 'you wouldn't believe anyone having ID # 1000
is guaranteed to be the same person, would you?'.

thanks,
alex



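The exchange above is really about the RPC authentication flavor NFS uses by default. With sec=sys (AUTH_SYS, historically called AUTH_UNIX, defined in RFC 5531) the client simply writes its uid, gid and supplementary gids into the RPC credential as plain integers, and the server takes them at face value; that is exactly why anyone who can create uid 1000 on a box they control can read uid 1000's files. With sec=krb5/krb5i/krb5p in /etc/exports the server refuses AUTH_SYS credentials and only accepts RPCSEC_GSS (flavor 6), where the identity comes from a Kerberos ticket the client cannot forge. The following Python is an added example written for this page, not code from the thread or from any NFS implementation: it encodes and decodes a real AUTH_SYS credential in XDR, and wraps it in a toy model of the server-side decision. The "nobody" uid of 65534, the root_squash behaviour and the helper names are assumptions for illustration.

```python
"""
AUTH_SYS credential encoding (RFC 5531, opaque_auth with flavor AUTH_SYS)
and a toy model of how an NFS server treats it under sec=sys vs sec=krb5*.

The credential carries nothing but client-asserted integers: whoever
controls a client can put any uid into it.  Added example, not the list
poster's code; the server model below is a simplification.
"""
import struct

AUTH_NONE = 0
AUTH_SYS = 1
RPCSEC_GSS = 6          # RFC 2203 flavor used by sec=krb5, krb5i, krb5p
NOBODY_UID = 65534      # assumed anonymous uid that root_squash maps root to


def _xdr_string(s: bytes) -> bytes:
    """XDR variable-length string: 4-byte length, data, zero-padded to 4."""
    pad = (-len(s)) % 4
    return struct.pack(">I", len(s)) + s + b"\x00" * pad


def authsys_cred(uid, gid, machinename=b"client", gids=(), stamp=0):
    """
    Build opaque_auth { flavor = AUTH_SYS, body = authsys_parms }.
    authsys_parms is: stamp, machinename<255>, uid, gid, gids<16>.
    Note there is no secret and no signature anywhere in here.
    """
    if len(gids) > 16:
        raise ValueError("AUTH_SYS allows at most 16 supplementary gids")
    body = struct.pack(">I", stamp)
    body += _xdr_string(machinename)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids))
    body += b"".join(struct.pack(">I", g) for g in gids)
    return struct.pack(">II", AUTH_SYS, len(body)) + body


def parse_opaque_auth(buf):
    """Decode opaque_auth; returns (flavor, parms) with parms only for AUTH_SYS."""
    flavor, body_len = struct.unpack_from(">II", buf, 0)
    body = buf[8:8 + body_len]
    if flavor != AUTH_SYS:
        return flavor, None
    off = 0
    (stamp,) = struct.unpack_from(">I", body, off)
    off += 4
    (n,) = struct.unpack_from(">I", body, off)
    off += 4
    machinename = body[off:off + n]
    off += n + (-n) % 4                     # skip the string and its padding
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    off += 12
    gids = list(struct.unpack_from(">%dI" % ngids, body, off))
    return flavor, {"stamp": stamp, "machinename": machinename,
                    "uid": uid, "gid": gid, "gids": gids}


def server_effective_uid(cred, export_sec="sys", root_squash=True):
    """
    Toy model of the server's decision (assumed, simplified).
    sec=sys:   the server cannot verify the asserted uid; it uses it as-is,
               mapping uid 0 to NOBODY_UID when root_squash is on.
    sec=krb5*: an AUTH_SYS credential is refused outright; only RPCSEC_GSS
               is accepted, and the uid then derives from the Kerberos
               principal, which this example does not model.
    Returns the uid that permission checks run as, or None if refused.
    """
    flavor, parms = parse_opaque_auth(cred)
    if export_sec.startswith("krb5"):
        if flavor != RPCSEC_GSS:
            return None
        raise NotImplementedError("RPCSEC_GSS context handling not modelled")
    if flavor != AUTH_SYS:
        return None
    uid = parms["uid"]
    if root_squash and uid == 0:
        return NOBODY_UID
    return uid


if __name__ == "__main__":
    # A "random person" on their own laptop asserting alex's uid 1000.
    forged = authsys_cred(uid=1000, gid=1000, machinename=b"laptop", gids=[1000])
    print(parse_opaque_auth(forged))
    print("sec=sys   ->", server_effective_uid(forged, "sys"))
    print("as root   ->", server_effective_uid(authsys_cred(0, 0), "sys"))
    print("sec=krb5p ->", server_effective_uid(forged, "krb5p"))
```

Running it shows the forged credential decoding to uid 1000 and being accepted on a sec=sys export, root being squashed to the anonymous uid (root_squash only protects uid 0, not uid 1000), and the same credential being refused on a sec=krb5p export. Changing uids so they "match everywhere" only makes the trusted integers consistent; it does not change who is allowed to assert them.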