Date:      Mon, 27 May 2002 15:32:40 +0200 (CEST)
From:      "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>
To:        freebsd-stable@freebsd.org
Cc:        freebsd-questions@freebsd.org
Subject:   NFS mounts secured by KERBEROS/HEIMDAL, possible in FBSD 4.6?
Message-ID:  <20020527151740.L56945-100000@klima.physik.uni-mainz.de>

Hello.

In our environment we use NFS and NIS/YP for distributing and managing a
shared environment. Within the last period the structure of this environment
grew a little bit complicated and several client machines running
FreeBSD have their own root, but they need to mount centralized shared
filesystems from our NFS server.
NIS/YP is a bad solution for this purpose, AFS is not a core part of FreeBSD,
and so I played with the (maybe very naive) idea to 'kerberize' everything.

At this moment we are building up a KDC. My intention is to authenticate each machine
and each user against a 'heimdalized' or 'kerberized' user database, and
each NFS export should be exported as a kerberized export. I need to prevent
each NFS export from being compromised by an external client's root, so an external
machine should be able to mount an NFS export, but no root access is gained
by a non-centralized root. Example: the NFS export 'homes' contains all
the home directories for our users. Within the NIS/YP domain it is no problem
to export them to clients which are under the control of a small supervisor group.
But within our workgroup of scientists we have an ever-growing group of clients
which are not managed centrally, meaning they have their own root. The problem
with NIS/YP and NFS is that root on those external clients can gain access
to each user by 'su -' when they are members of the NIS/YP domain and have
their own local root. You can understand that this is not a nice and secure
solution.

My question is: is there a solution with native FreeBSD tools to restrict
'external' root's access to an NFS share within a NIS/YP domain? My idea is
to have a bunch of servers under central control (also the NFS and NIS/YP server)
and a bunch of locally managed clients with their own local root. These machines
should be able to mount an NFS export and be members of the NIS/YP domain, but
root on those machines must not have access to any root shares or shares
of other users.

I saw several mount options for kerberos/heimdal in FreeBSD's manual for
mount and I thought this could be a solution.

Are there any other working solutions for those problems for FreeBSD 4.6/4.5?
Those solutions should work in an environment with a lot of traffic and must
be stable like NFS and NIS/YP under FreeBSD 4.6.

I would like to welcome each hint, tip or discussion of this problem,
my knowledge is rather limited.

Thanks a lot.

oliver

--
MfG
O. Hartmann

ohartman@klima.physik.uni-mainz.de
------------------------------------------------------------------
IT-Administration des Institutes fuer Physik der Atmosphaere (IPA)
------------------------------------------------------------------
Johannes Gutenberg Universitaet Mainz
Becherweg 21
55099 Mainz

Tel: +496131/3924662 (Maschinenraum)
Tel: +496131/3924144 (Buero)
FAX: +496131/3923532


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020527151740.L56945-100000>
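The trust gap the message describes, modelled as an added example (this is not code from the original post, from FreeBSD, or from any NFS implementation). The model reduces an /etc/exports line to the two uid-mapping options from exports(5): -maproot remaps only uid 0, -mapall remaps every uid, and with neither option given, root is mapped to uid -2 (nobody). Under AUTH_SYS the client asserts a uid that the server cannot verify, so a local root who runs `su - alice` arrives as uid 1001 and the server has no way to tell the difference. The second credential type models a Kerberized mount in general terms: the server derives the uid from a KDC-authenticated principal, so asserting a uid buys nothing. The uids, principal names, file paths and the owner-or-other permission check are assumptions made for the example; group bits are ignored for brevity.

```python
"""Model of who an NFS server thinks is asking, under AUTH_SYS versus a
Kerberos-authenticated credential.  Constructed example; not FreeBSD code."""
from __future__ import annotations

import stat
from dataclasses import dataclass
from typing import Optional, Union

NOBODY = 65534  # uid -2, what exports(5) maps remote root to when no -maproot is given


@dataclass
class Export:
    """One /etc/exports entry, reduced to the uid-mapping options."""
    path: str
    maproot: Optional[int] = None  # -maproot=<uid>: remap only uid 0
    mapall: Optional[int] = None   # -mapall=<uid>:  remap every uid


@dataclass
class File:
    path: str
    owner: int
    mode: int  # POSIX mode bits, e.g. 0o600


@dataclass
class AuthSysCred:
    """AUTH_SYS (sec=sys): the client asserts a uid; nothing verifies it."""
    uid: int


@dataclass
class Krb5Cred:
    """Kerberized RPC: the server sees a principal authenticated by the KDC.
    A rogue root cannot forge another user's principal without that user's
    Kerberos key or ticket."""
    principal: str


# Assumed principal-to-uid mapping on the server (example data).
PRINCIPAL_TO_UID = {"alice@EXAMPLE.ORG": 1001, "bob@EXAMPLE.ORG": 1002}


def server_uid(export: Export, cred: Union[AuthSysCred, Krb5Cred]) -> int:
    """The uid the server uses for permission checks on this export."""
    if isinstance(cred, AuthSysCred):
        if export.mapall is not None:
            return export.mapall            # every caller becomes the same uid
        if cred.uid == 0:
            return export.maproot if export.maproot is not None else NOBODY
        return cred.uid                     # taken on faith from the client
    if isinstance(cred, Krb5Cred):
        return PRINCIPAL_TO_UID.get(cred.principal, NOBODY)
    raise TypeError(f"unknown credential type: {type(cred).__name__}")


def can_read(export: Export, cred: Union[AuthSysCred, Krb5Cred], f: File) -> bool:
    """Simplified permission check: owner bits if uids match, else 'other' bits."""
    uid = server_uid(export, cred)
    if uid == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    return bool(f.mode & stat.S_IROTH)


# Constructed scenario: the 'homes' export from the message and one private file.
HOMES = Export("/export/homes", maproot=NOBODY)
HOMES_MAPALL = Export("/export/homes", mapall=NOBODY)
ALICE_KEY = File("/export/homes/alice/.ssh/id_rsa", owner=1001, mode=0o600)


def demo() -> dict:
    """Outcomes for the cases discussed in the message."""
    return {
        # External root as uid 0: squashed to nobody, denied.
        "authsys_root": can_read(HOMES, AuthSysCred(0), ALICE_KEY),
        # Same root after `su - alice`: asserts uid 1001, server believes it.
        "authsys_root_after_su": can_read(HOMES, AuthSysCred(1001), ALICE_KEY),
        # -mapall closes the hole, but alice herself is now nobody too.
        "mapall_alice": can_read(HOMES_MAPALL, AuthSysCred(1001), ALICE_KEY),
        # Kerberized: bob's ticket cannot become alice's uid.
        "krb5_bob": can_read(HOMES, Krb5Cred("bob@EXAMPLE.ORG"), ALICE_KEY),
        "krb5_alice": can_read(HOMES, Krb5Cred("alice@EXAMPLE.ORG"), ALICE_KEY),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24s} read {ALICE_KEY.path}: {'ALLOWED' if allowed else 'denied'}")
```

The point the model makes explicit: -maproot only squashes uid 0, so it stops nothing once the untrusted root switches to another NIS uid; -mapall stops the attack but also stops legitimate per-user access, which is unusable for a home-directory export; only a credential the server can verify independently of the client's claimed uid separates the two cases.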