Michael, that would not work simply because Student A, B, C can use workstation 1, 2 and 3 at any time. A->1, B->2, C->3... A->2, B->1, C->3. These are not personal machines, they are a lab.

At any rate, one suggestion which I received off of this list is to abandon nis/nfs and try a CIFS solution (ie, samba of some sort) which does not consider root all powerful like nis does.

All suggestions and comments have been quite helpful and I thank you all.

Wayner

>>> michael.gale@xxxxxxxxx 06/30/05 3:25 pm >>>
Hello,

Why not try the following, if you are using static IPs

1. Do not export the whole /home directory, instead export each user's directory to a single IP address. If you have static IPs then that would work fine.

2. Then you could run arpwatch on the NFS server - if a student tries to bring in equipment that is not authorized you would know right away. You could even have a script that would block the new MAC.

But with option one, if the student takes over their own IP, they could only mount their own home directory, not the entire /home directory.

Michael

Wayne Pinette wrote:
> I have a question regarding NIS and was wondering if anyone had any
> ideas.
>
> We are creating a Linux workstation lab for students. We have a
> central linux box which the students can ssh into from home.
> The lab is a place where they can log in and work on their work. We
> are using NIS to authenticate the workstations and we are nfs mounting
> the /home directory. This is all pretty standard and makes sense. Here
> is the problem :
>
> If a student walks into the lab with their laptop running their
> favourite linux to which they have root access, unplugs a workstation,
> plugs in their laptop, hardcodes the workstation's ip, sets up his
> laptop to nis authenticate and nfs share just like the workstation,
> logs in as root, he can now su to any student id on the system.
> Although I quash root on the nfs share, it does not stop this student
> from getting access to any other student's (or instructor's) material on
> the server. Although my nis server only trusts a small list of
> ip addresses, its trust is still only based on ip. Is there a way to
> add some sort of certificate trust to nis or some other mechanism to
> check against
> before nis will trust a machine on its network other than just ip?
>
> Wayner
>

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
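
The IP-to-MAC check Michael suggests running on the NFS server, sketched as an added example that is not part of the original thread: it compares a neighbour-table snapshot (the `ip neigh show` output format) with an allowlist of lab workstations. The allowlist, addresses and sample table are constructed and the function names are hypothetical; it stands in for arpwatch rather than reproducing it.

```python
import re

# Hypothetical allowlist: lab workstation IP -> MAC of the NIC installed in it.
AUTHORIZED = {
    "192.0.2.11": "00:16:3e:00:00:01",
    "192.0.2.12": "00:16:3e:00:00:02",
    "192.0.2.13": "00:16:3e:00:00:03",
}

# Constructed sample in the format printed by `ip neigh show`.
SAMPLE_NEIGH = """\
192.0.2.11 dev eth0 lladdr 00:16:3e:00:00:01 REACHABLE
192.0.2.12 dev eth0 lladdr 00:0d:60:aa:bb:cc REACHABLE
192.0.2.13 dev eth0  FAILED
192.0.2.50 dev eth0 lladdr 00:0d:60:11:22:33 STALE
"""

NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>\S+)")


def normalize_mac(mac):
    """Lower-case and zero-pad each octet so 0:D:60:... equals 00:0d:60:..."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def audit_neighbors(neigh_text, authorized):
    """Return (kind, ip, mac) for every entry that breaks the allowlist."""
    findings = []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line)
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no lladdr field
        ip, mac = m.group("ip"), normalize_mac(m.group("mac"))
        expected = authorized.get(ip)
        if expected is None:
            # A host on the lab subnet that is not a known workstation.
            findings.append(("unknown-host", ip, mac))
        elif mac != normalize_mac(expected):
            # A workstation IP answered by different hardware: the case
            # from the original question (laptop with a hardcoded IP).
            findings.append(("mac-mismatch", ip, mac))
    return findings


if __name__ == "__main__":
    for kind, ip, mac in audit_neighbors(SAMPLE_NEIGH, AUTHORIZED):
        print(f"{kind}: {ip} is answering from {mac}")
```
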