NIS and non-NIS question

Vulpes Velox v.velox at vvelox.net
Sat Dec 11 07:10:08 PST 2004


On Sat, 11 Dec 2004 01:33:43 -0500
Chuck Swiger <cswiger at mac.com> wrote:

> Vulpes Velox wrote:
> > I have a box I want to rework to allow it to operate outside a NIS
> > environment when outside my LAN and use NIS and NFS when it is not.
> > Any suggestions on how to go about this?
> 
> Set up a cron job to invoke a shell script which rsync's your YP
> master's password file (and /etc/group, and anything else you might
> care about) when you are on your LAN, and not if you are not, every
> X minutes.  Have it run pwd_mkdb too.  Maybe add a little awk or
> perl magic spice to add or screen out a range of userids.  Then
> disable NIS and rely on plain old flatfiles.
> 
> If you use rsync-via-ssh (which is now the default behavior), the
> process above will transmit sensitive password data with
> considerably more security than you get when using plain NIS.  On
> the other hand, if you are running NFS, your risk profile against
> someone who can sniff your local subnet isn't significantly altered,
> so don't worry too much about this, but the issue of security is
> worth considering at least a little.
> 
> For NFS, you might give the automounter (see "man amd") a try.  So
> long as you don't descend into a mount point deliberately (or
> accidentally via recursion using find, grep, etc), the machine will
> not actually attempt to NFS-mount the remote filesystem.
> 
> For that matter, you might even consider switching models of
> operation to using CIFS/samba instead of NFS.  Oddly enough, even
> though NFS is a stateless remote filesharing system by design, it's
> pretty easy to wedge a lot of important processes if an NFS share
> becomes unavailable.  MacOS X seems to tolerate CIFS shares going
> away better than it handles NFS going away, and FreeBSD might well
> be similar.  (I haven't exhaustively tested either problem case
> *deliberately*, mind you...! :-)

Not using fstab because of that :)

What I am doing is I run a small program to fingerprint my server and
then dump it all to a file. I then hash that file. When it starts up,
it reruns that, trying to grab info for that IP, and then it is hashed
and compared to what the hash is supposed to be. If they don't match,
it mounts 127.0.0.1:/usr/localhome to /usr/home. If it does match, it
runs a different script that mounts the stuff that should be mounted
for being on the LAN.

Anyway, got my big problem with it sorted out... was forgetting to
rebuild the password database.

BTW anyone know of any way to change the timeout time for getting a
NIS password?
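Added example of the fingerprint-then-mount logic described in this post (not the poster's own script). It assumes the "fingerprint" is the server's SSH host key as reported by ssh-keyscan, and the server address, expected hash and LAN mount-script path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script: decide between LAN and off-LAN
# mounts by hashing a fingerprint of the NIS/NFS server and comparing it
# with a known-good hash. Placeholders below are constructed.
NIS_SERVER="192.0.2.10"                    # placeholder server address
EXPECTED_HASH="PLACEHOLDER_SHA256_HEX"     # paste the known-good hash here
LAN_SCRIPT="/usr/local/etc/mount-lan.sh"   # assumed path of the LAN script

# fingerprint: the server's SSH host keys (assumption: this is the
# "fingerprint"); ssh-keyscan gives up after 5 seconds if unreachable.
fingerprint() {
    ssh-keyscan -T 5 "$1" 2>/dev/null | sort
}

# hash_of: SHA-256 of stdin, using FreeBSD's sha256 or GNU sha256sum.
hash_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q
    else
        sha256sum | cut -d' ' -f1
    fi
}

# decide: print "lan" only when an observed hash exists and equals the
# expected one; an empty hash (server unreachable) always means "local".
decide() {
    observed=$1
    expected=$2
    if [ -n "$observed" ] && [ "$observed" = "$expected" ]; then
        echo lan
    else
        echo local
    fi
}

main() {
    observed=$(fingerprint "$NIS_SERVER" | hash_of)
    case $(decide "$observed" "$EXPECTED_HASH") in
        lan)   sh "$LAN_SCRIPT" ;;
        local) mount_nfs 127.0.0.1:/usr/localhome /usr/home ;;
    esac
}

# Run as "sh thisscript.sh run" (e.g. from rc or cron); otherwise the
# functions are only defined, so the logic can be exercised without mounting.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Keep the expected hash in a root-owned file rather than in the script if other users can edit the script, since whoever can change the hash chooses which mounts happen.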


More information about the freebsd-questions mailing list