Authenticated home directory mounts?

Post by Gary Mil » Thu, 17 Aug 2000 12:40:08



We are looking for a way to share home directories from our file
server in such a way that the user on a Solaris or Linux workstation
must authenticate to the server in order to mount her home directory
there.  Our current configuration has about a dozen home directory
filesystems exported from our NFS fileserver, with several hundred
home directories on each filesystem.  This means that the fileserver
must trust root on the workstation, and that root does the mount after
the user has authenticated locally.  This scheme is not secure if the
user has root access on the workstation.

Is there a way to do this with NFS?  With some other protocol?
With SMB on a Linux workstation, the user must authenticate to
the file server in order to do the mount, even though root is required
to issue the mount command.  This is close to what we need.  Is there
anything similar available for Solaris?

--
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

 
 
 


Post by Carsten Schulz-Ke » Thu, 17 Aug 2000 04:00:00



> We are looking for a way to share home directories from our file
> server in such a way that the user on a Solaris or Linux workstation
> must authenticate to the server in order to mount her home directory
> there.  Our current configuration has about a dozen home directory
> filesystems exported from our NFS fileserver, with several hundred
> home directories on each filesystem.  This means that the fileserver
> must trust root on the workstation, and that root does the mount after
> the user has authenticated locally.  This scheme is not secure if the
> user has root access on the workstation.

> Is there a way to do this with NFS?  With some other protocol?
> With SMB on a Linux workstation, the user must authenticate to
> the file server in order to do the mount, even though root is required
> to issue the mount command.  This is close to what we need.  Is there
> anything similar available for Solaris?

I don't think that this is possible with NFS. AFS provides a better
solution for this kind of problem. Have a look at
http://www.angelfire.com/hi/plutonic/afs-faq.html

HTH,
Carsten

--
| Carsten Schulz-Key   | Wilhelm-Schickard-Institut |   Technische Informatik |
| Universität Tübingen |                            | Sand 13, 72076 Tübingen |
| Tel +49 7071 29-78977| Fax +49 7071 29-5062       |                 Germany |
+----------------------+----------------------------+-------------------------+
| PGP Fingerprint:           D5 F2 F6 8C FA 98 62 AB  E9 1D 3D 63 68 4B F6 FC |

 
 
 


Post by Philip Bro » Thu, 17 Aug 2000 04:00:00



>We are looking for a way to share home directories from our file
>server in such a way that the user on a Solaris or Linux workstation
>must authenticate to the server in order to mount her home directory
>there.

It's called "secure-nfs".
You need

  1. support for NIS+ on linux, which I know exists
  2. support for the "secure-nfs" extension on linux, which I'm not
     sure exists.

I believe this gets you the following:

1. only NIS+ registered machines will be able to mount the filesystem
2. only NIS+ registered users will be able to write to their own home
  directory, depending on whether they did something stupid like
  chmod 0777 $HOME

Note that the "secure" part is only about access. It does no encryption of
the actual file data flowing across the network.

--
[Trim the no-bots from my address to reply to me by email!]
[ Do NOT email-CC me on posts. Pick one or the other.]

The word of the day is mispergitude

 
 
 


Post by Rich Tee » Thu, 17 Aug 2000 04:00:00



> We are looking for a way to share home directories from our file
> server in such a way that the user on a Solaris or Linux workstation
> must authenticate to the server in order to mount her home directory
> there.  Our current configuration has about a dozen home directory
> filesystems exported from our NFS fileserver, with several hundred
> home directories on each filesystem.  This means that the fileserver
> must trust root on the workstation, and that root does the mount after
> the user has authenticated locally.  This scheme is not secure if the
> user has root access on the workstation.

I'm not sure I completely follow, but try using AUTH_DH; at least that way
(if I understand things correctly), you can trust the client computer.
An attacker would need root access to your server to mess around with the
keys.  Directories can be shared in a manner that says that client root
users are untrusted, and therefore have no privilege - in fact, it's the
default!

But as for a user authenticating before they can mount their home directory:
what if I log in as rich, and then say ls ~fred, where fred hasn't logged
in yet?  From what I can tell, you don't want this to work, even though
it's a perfectly reasonable thing to want to do...

--
Rich Teer

NT tries to do almost everything UNIX does, but fails - miserably.

The use of Windoze cripples the mind; its use should, therefore, be
regarded as a criminal offence.  (With apologies to Edsger W. Dijkstra)

Voice: +1 (250) 979-1638
URL: http://www.rite-online.net

 
 
 


Post by res0574 » Sat, 19 Aug 2000 15:45:11


You will need to check into autofs and it comes with Solaris.
When you log into any system the autofs daemon will mount
(or auto mount) the user's home directory. The auto files you
want to look at are under /etc.

Run this command to see the files.

ls /etc/auto*


> We are looking for a way to share home directories from our file
> server in such a way that the user on a Solaris or Linux workstation
> must authenticate to the server in order to mount her home directory
> there.  Our current configuration has about a dozen home directory
> filesystems exported from our NFS fileserver, with several hundred
> home directories on each filesystem.  This means that the fileserver
> must trust root on the workstation, and that root does the mount after
> the user has authenticated locally.  This scheme is not secure if the
> user has root access on the workstation.

> Is there a way to do this with NFS?  With some other protocol?
> With SMB on a Linux workstation, the user must authenticate to
> the file server in order to do the mount, even though root is required
> to issue the mount command.  This is close to what we need.  Is there
> anything similar available for Solaris?

> --
> -Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

 
 
 


Post by Gary Mil » Sat, 19 Aug 2000 04:00:00



>I'm not sure I completely follow, but try using AUTH_DH; at least that way
>(if I understand things correctly), you can trust the client computer.
>An attacker would need root access to your server to mess around with the
>keys.  Directories can be shared in a manner that says that client root
>users are untrusted, and therefore have no privilege - in fact, it's the
>default!

What I'm hoping to do is to duplicate the way that a Windows 95/98
workstation can mount user's home directories from our samba server,
except that I'd like to use Solaris or Linux workstations instead.
That way, we could provide central file services to people who have
a Unix desktop computer, and who have root access to their computer.
We can't do this with NFS unless we take away root access on the
workstation and do all of the software installation ourselves.

--
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

 
 
 


Post by Rich Tee » Sat, 19 Aug 2000 04:00:00



> What I'm hoping to do is to duplicate the way that a Windows 95/98
> workstation can mount user's home directories from our samba server,
> except that I'd like to use Solaris or Linux workstations instead.
> That way, we could provide central file services to people who have
> a Unix desktop computer, and who have root access to their computer.
> We can't do this with NFS unless we take away root access on the
> workstation and do all of the software installation ourselves.

Are you saying that you want remote root users to be able to read/write
(some of) your shared file systems?  If that's the case, you can share
the file systems with an option that allows this, on a per host basis.
E.g.:

        share -F nfs -o rw=client2:client2:etc,root=trusted_client -d "Home directories" /export/home

With this, the root user on the machine "trusted_client" will have
root privileges on the shared file system.

--
Rich Teer

NT tries to do almost everything UNIX does, but fails - miserably.

The use of Windoze cripples the mind; its use should, therefore, be
regarded as a criminal offence.  (With apologies to Edsger W. Dijkstra)

Voice: +1 (250) 979-1638
URL: http://www.rite-online.net

 
 
 


Post by Gary Mil » Sat, 19 Aug 2000 04:00:00



>Are you saying that you want remote root users to be able to read/write
>(some of) your shared file systems?  If that's the case, you can share
>the file systems with an option that allows this, on a per host basis.

No, just the opposite.  We want remote ordinary users to be able to
mount and access only their home directory by forcing them to
authenticate to the file server.  We want to prevent root on the
workstation being able to `su' to another user and access her files.

--
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

 
 
 


Post by Neil W Ricker » Fri, 25 Aug 2000 04:00:00




>>I'm not sure I completely follow, but try using AUTH_DH; at least that way
>>(if I understand things correctly), you can trust the client computer.
>>An attacker would need root access to your server to mess around with the
>>keys.  Directories can be shared in a manner that says that client root
>>users are untrusted, and therefore have no privilege - in fact, it's the
>>default!
>What I'm hoping to do is to duplicate the way that a Windows 95/98
>workstation can mount user's home directories from our samba server,
>except that I'd like to use Solaris or Linux workstations instead.
>That way, we could provide central file services to people who have
>a Unix desktop computer, and who have root access to their computer.
>We can't do this with NFS unless we take away root access on the
>workstation and do all of the software installation ourselves.

I don't know about linux.  On solaris this works well enough if you
are using NIS+ and secure NFS.  If you don't add the client work
station to the admin nis+ group and don't share with root privileges
for client systems, then root on the client has no special access to
the files on the nfs file system.  That is, root can only access
files that are publicly accessible (nobody privileges).  If root
does 'su someuser', then it cannot access the mounted file system at
all as 'someuser', unless 'someuser' has registered his secure nfs
key with 'keyserv'.  If you train your users to keylogout when they
leave a system they don't trust (or, better, don't login to a system
they don't trust), this is reasonably secure.
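
The difference the thread turns on, as an added example that is not part of the original posts and is not Solaris code: a simplified Python model of how a file server decides who a request comes from under AUTH_SYS versus a Diffie-Hellman credential such as AUTH_DH. The group parameters, host name `ws1`, netname and timestamp are constructed, and an HMAC stands in for the real credential format.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3  # toy DH group, constructed for illustration only

def keypair():
    secret = secrets.randbelow(P - 2) + 1
    return secret, pow(G, secret, P)

def verifier(my_secret, their_public, timestamp):
    # Both ends derive the same common key; the HMAC stands in for the
    # encrypted timestamp that a real AUTH_DH credential carries.
    common = hashlib.sha256(str(pow(their_public, my_secret, P)).encode()).digest()
    return hmac.new(common, timestamp.encode(), hashlib.sha256).digest()

class FileServer:
    def __init__(self, root_hosts=()):
        self.secret, self.public = keypair()
        self.public_keys = {}           # netname -> public key (the NIS+ table's role)
        self.root_hosts = set(root_hosts)

    def auth_sys(self, host, claimed_uid):
        # AUTH_SYS: the uid is whatever the client kernel put in the request.
        if claimed_uid == 0 and host not in self.root_hosts:
            return "nobody"             # client root is untrusted by default
        return f"uid {claimed_uid}"

    def auth_dh(self, netname, timestamp, proof):
        public = self.public_keys.get(netname)
        if public is None:
            return "denied"
        expected = verifier(self.secret, public, timestamp)
        return netname if hmac.compare_digest(expected, proof) else "denied"

def demo():
    server = FileServer()               # no root= hosts configured
    fred = "unix.1001@example.test"     # hypothetical netname for uid 1001
    fred_secret, server.public_keys[fred] = keypair()
    ts = "2000-08-25T12:00:00Z"         # constructed timestamp
    other_secret, _ = keypair()         # root after 'su fred' holds no key for fred
    return {
        "sys_root": server.auth_sys("ws1", 0),
        "sys_su_fred": server.auth_sys("ws1", 1001),
        "dh_fred_keylogin": server.auth_dh(fred, ts, verifier(fred_secret, server.public, ts)),
        "dh_su_fred": server.auth_dh(fred, ts, verifier(other_secret, server.public, ts)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In the model, `su` on the workstation is enough to be accepted as uid 1001 under AUTH_SYS, while the DH check fails unless the caller holds the user's secret key, which is what `keylogin` supplies and `keylogout` removes.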
 
 
 
