1. Use tcp wrappers with NIS for access control?
Hi People,
I'm trying to come up with a way of enabling people at remote locations to
access my system safely and securely. Unfortunately not a lot of software is
available with good security built in, particularly on MS-Windows type PCs.
This is further complicated by the fact that I want to provide a full range
of facilities - telnet, email, web, database ....
As I also don't want to have a huge bank of modems here, I thought it would
be a good idea to have a permanent internet connection at this end, and have
my users call in to their local ISP, and connect through to my server.
In an ideal world I'd have, say, IPSEC running end to end. Or SSL, or at
least Kerberos. I can do all that on my server :) but not on my clients :(.
So I thought, how about having a separate authenticator which opened up
access to the relevant services? Most of the access to services on my system
is controlled by both kernel level ip filtering and tcp wrappers; what if I
open up the kernel level, and dynamically configure tcpd to allow access to
hosts that have checked-in with the super-authenticator - that way:
1) having their passwords for particular services compromised does not in
itself allow access to the hacker.
2) I only have to write the super-authenticator, and not try to re-write the
TCP/IP stack in a Windows CE machine, or write a Data General terminal
emulator for Linux?
I *KNOW* that IPSEC / VPN / SSL / Kerberos...... is a better idea, but it's
still impractical. The reason I'm posting here is to find out how feasible
my solution is....
In order to dynamically grant access to specific hosts I'd need some way of
letting tcpd know who to let in. I've only ever used explicit references in
the hosts.access/deny files, however there is a facility in these files to
reference NIS netgroups. Although I'm acquainted with the theory of NIS I've
never implemented nor managed it; e.g. I'm assuming that I just need to have
my authenticator insert the host ip address in the relevant map database for
ypserv to start to serve it up to the tcpd program - i.e. I don't need to
tell ypserv its database has changed.
Is my understanding of NIS correct for this purpose?
Have I overlooked anything?
TIA
Colin
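As an added example (not code from Colin's post, nor from the tcp_wrappers or NIS projects), here is a small POSIX shell back end for the "super-authenticator" idea: it grants and revokes tcpd access per client address. It assumes a hosts.allow/hosts.deny pair in the default (non-extended) syntax, an assumed file /etc/hosts.allow.remote that hosts.allow points at, and an assumed netgroup named remote_ok. Two caveats a practitioner will want, stated as my own additions: ypserv serves the dbm maps built from /etc/netgroup, not the text file itself, so the map has to be rebuilt (the usual /var/yp Makefile) after each change; and tcpd matches an @netgroup pattern against the client's resolved host name, not its address, so a netgroup entry only works for clients whose reverse lookup yields that name. The "/file" pattern supported by hosts_access(5) in tcp_wrappers 7.x avoids both problems, because tcpd re-reads the file on every connection and matches addresses directly, so the script maintains that file as the primary mechanism and the netgroup as the variant the post asked about.

```sh
#!/bin/sh
# Added example (not from the original post): back end for a dynamic
# tcp-wrappers allow list, driven by an external authenticator.
#
# Assumed wrapper configuration (default hosts_access(5) syntax):
#   /etc/hosts.deny:   ALL: ALL
#   /etc/hosts.allow:  ALL: /etc/hosts.allow.remote
# tcpd treats a pattern beginning with "/" as a file of host patterns and
# reads it at every connection, so nothing has to be signalled.
#
# Netgroup variant (the post's idea): the client is also added as a
# "(host,,)" triple to the netgroup source and the NIS map is rebuilt.

set -u

ALLOW_FILE="${ALLOW_FILE:-/etc/hosts.allow.remote}"   # assumed path
NETGROUP_FILE="${NETGROUP_FILE:-/etc/netgroup}"
NETGROUP="${NETGROUP:-remote_ok}"                      # assumed group name
YPDIR="${YPDIR:-/var/yp}"
REBUILD_NIS="${REBUILD_NIS:-no}"   # "yes" only on the NIS master

# Accept dotted-quad IPv4 only: whatever the authenticator hands us ends up
# in an access-control file, so "ALL" or "ALL: ALL" must never get through.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Add "(ip,,)" to the netgroup line, creating the line if needed (idempotent).
add_netgroup_host() {
    touch "$NETGROUP_FILE"
    tmp=$(mktemp) || return 1
    awk -v g="$NETGROUP" -v h="$1" '
        $1 == g { found = 1
                  if (index($0, "(" h ",,)") == 0) $0 = $0 " (" h ",,)" }
        { print }
        END { if (!found) print g " (" h ",,)" }' "$NETGROUP_FILE" > "$tmp" \
        && cat "$tmp" > "$NETGROUP_FILE"
    rm -f "$tmp"
}

# Remove the "(ip,,)" triple, comparing whole fields so 10.1.1.1 != 10.1.1.10.
del_netgroup_host() {
    [ -f "$NETGROUP_FILE" ] || return 0
    tmp=$(mktemp) || return 1
    awk -v g="$NETGROUP" -v h="$1" '
        $1 == g { out = $1
                  for (i = 2; i <= NF; i++) if ($i != "(" h ",,)") out = out " " $i
                  $0 = out }
        { print }' "$NETGROUP_FILE" > "$tmp" && cat "$tmp" > "$NETGROUP_FILE"
    rm -f "$tmp"
}

# ypserv answers from the dbm maps, so the source change is invisible to
# tcpd until the map is regenerated (assumes the standard /var/yp/Makefile).
rebuild_nis() {
    [ "$REBUILD_NIS" = yes ] || return 0
    ( cd "$YPDIR" && make ) >/dev/null
}

grant_host() {
    ip=$1
    valid_ipv4 "$ip" || { echo "refusing bogus address: $ip" >&2; return 1; }
    touch "$ALLOW_FILE"
    grep -qxF "$ip" "$ALLOW_FILE" || echo "$ip" >> "$ALLOW_FILE"   # one line per address
    add_netgroup_host "$ip" && rebuild_nis
}

revoke_host() {
    ip=$1
    valid_ipv4 "$ip" || return 1
    if [ -f "$ALLOW_FILE" ]; then
        tmp=$(mktemp) || return 1
        grep -vxF "$ip" "$ALLOW_FILE" > "$tmp" || true   # grep exits 1 when nothing is left
        cat "$tmp" > "$ALLOW_FILE"
        rm -f "$tmp"
    fi
    del_netgroup_host "$ip" && rebuild_nis
}

is_granted() {
    [ -f "$ALLOW_FILE" ] && grep -qxF "$1" "$ALLOW_FILE"
}
```

The authenticator would call grant_host with the peer address it just authenticated and revoke_host on logout or after an idle timeout; the revoke path matters because a dial-up address at the ISP is handed to the next caller as soon as the user hangs up, and an entry left behind would let that stranger straight past tcpd.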