Hi Wayne, We have actually done exactly what you are doing. We've since switched to LDAP to encrypt passwords sent over the wire. But the problem you are referring to is the same we have now. I wouldn't have enough thought of it if you didn't mention it. I believe you can use iptables with --mac-source to control access by MAC address. Right now, we only allow our linux machines to nfs mount /home on the server by iptables: -A ADDRESS-FILTER -s xxx.xxx.xxx.xxx -j ACCEPT Making it -A ADDRESS-FILTER -s xxx.xxx.xxx.xxx --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT Should do the trick. Let me know what happens and what you decide to do... Ryan -----Original Message----- From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Wayne Pinette Sent: Wednesday, June 29, 2005 5:37 PM To: redhat-list@xxxxxxxxxx Subject: NIS/NFS question I have a question regarding NIS and was wondering if anyone had any ideas. We are creating a Linux workstation lab for students. We have a central linux box which teh students can ssh into from home. The lab is a place where they can log in and work on their work. We are using NIS to authenticate the workstations and we are nfs mounting the /home directory. This is all pretty standard and make sense. Here is the problem : If a student walks into the lab with their laptop running their favourite linux to which they have root access, unplugs a workstation, plugs in their laptop, hardcodes the worksation's ip, sets ups his laptop to nis authenticate and nfs share just like the workstation, logs in as root, he can now su to any student id on the system. Although I quash root on the nfs share, it does not stop this student from getting access to any other students (or instructors) material on the server. Although my nis server only trusts a small list of ip addresses, it's trust is still only based on ip. Is there a way to add some sort of certificate trust to nis or some other mechanism to check against before nis will trust a machine on it network other than just ip? Wayner -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
