rogerj@batcomputer.tn.cornell.edu (Roger Jagoda) (03/17/90)
Folks, I have just a quick question about server security. Like most sites, we are getting more and more machines based on client-server models. We have SPARC, DEC 3100s, and NeXTs (yup, 35 of 'em, cute little cubes!). Each runs on small LANs all connected together. Now, we use YP and its equivalences on these LANs to administer passwd, group, printer, and other administration chores.

We'd LIKE to reduce security risks by limiting access (rlogin, ftp, telnet) to the servers. Our hopes are that no one can (either intentionally or unintentionally) start a run-away process or clog a proc table bad enough to crash a server affecting many other machines.

Is there a way to limit rlogin, telnet, ftp access to just a few users (the net administrators)? You can set up anonymous ftp which means there's a way to REMOVE some security but can you ADD more security to these services? Or is what I'm describing part of MIT's KERBEROS?

The overall problem is that these servers are usually mounted FS's for all other machines (for /users as $HOME dirs., or /clients for netboot machine FS trees) via nfs. So any security we add can't interfere with that. Are we looking for too much? Can you export a server's disks without allowing access to user logins directly?

Thanks in advance for all tips and advice. If there's interest, I'll summarize back to the nets.

--Roger Jagoda
--Cornell University
--FQOJ@CORNELLA.CIT.CORNELL.EDU
paul@ixi.co.uk (Paul Davey) (03/23/90)
In article <9926@batcomputer.tn.cornell.edu> rogerj@tcgould.tn.cornell.edu (Roger Jagoda) writes:
>
>Is there a way to limit rlogin, telnet, ftp access to just
>a few users (the net administrators). ...

Set up a netgroup named say "admin" under yp with your administrators listed as a set of users, leave the domain and machine fields empty (wild).
In your server passwd files use +@admin instead of + to include just the members of the admin group.

The only problem I have found with this is that the yp master passwd file is usually on a server...

--
Regards, paul@ixi.co.uk IXI Limited
Paul Davey ...!uunet!ixi!paul 62-74 Burleigh Street
+44 224 462 132 (fax) Cambridge U.K.
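
The `+@admin` arrangement described in the post above can be checked by working out which YP accounts a given passwd file actually admits. This is an added example, not part of the original posts: the netgroup map, user names and passwd files are constructed samples, the function names are hypothetical, and the in-order handling of `+`/`-` entries assumes the usual passwd compat convention.

```python
import re

# Constructed sample data, not from the thread.
NETGROUP = "admin (,rogerj,) (,paul,) netops\nnetops (,jim,)\n"
NIS_USERS = {"rogerj", "paul", "jim", "alice", "bob"}  # names in the YP passwd map
SERVER_PASSWD = "root:*:0:0::/:/bin/sh\n+@admin\n"
CLIENT_PASSWD = "root:*:0:0::/:/bin/sh\n+\n"

def parse_netgroup(text):
    """Return {name: [members]}; a member is a (host, user, domain) tuple or a nested name."""
    groups = {}
    for line in text.splitlines():
        tokens = re.findall(r"\([^)]*\)|\S+", line.split("#", 1)[0])
        if tokens:
            groups[tokens[0]] = [
                tuple(f.strip() for f in t[1:-1].split(",")) if t[0] == "(" else t
                for t in tokens[1:]]
    return groups

def netgroup_users(groups, name, everyone, seen=()):
    """Users a netgroup names; an empty user field is a wildcard for everyone."""
    if name in seen:                       # guard against cyclic nesting
        return set()
    users = set()
    for m in groups.get(name, []):
        if isinstance(m, tuple) and len(m) == 3:
            users |= set(everyone) if m[1] == "" else {m[1]} - {"-"}
        else:                              # nested group (malformed triples match nothing)
            users |= netgroup_users(groups, m, everyone, seen + (name,))
    return users

def admitted_nis_users(passwd_text, groups, nis_users):
    """NIS accounts a passwd file admits, applying +/- entries in file order."""
    everyone, admitted, excluded = set(nis_users), set(), set()
    for line in passwd_text.splitlines():
        entry = line.split(":", 1)[0].strip()
        if entry[:1] not in ("+", "-"):
            continue                       # local account or blank line
        target = entry[1:]
        if target.startswith("@"):
            users = netgroup_users(groups, target[1:], everyone)
        else:
            users = {target} if target else everyone  # bare "+" is the whole map
        if entry[0] == "+":
            admitted |= (users & everyone) - excluded
        else:
            excluded |= users
    return admitted
```

Running `admitted_nis_users` over each server's passwd file shows at a glance whether a bare `+` line or an empty user field in a netgroup triple has quietly reopened login to every account in the map.
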
jim@cs.strath.ac.uk (Jim Reid) (03/28/90)
In article <Mar90.193112.9456@ixi.co.uk> paul@ixi.co.uk (Paul Davey) writes:
}In article <9926@batcomputer.tn.cornell.edu>
}rogerj@tcgould.tn.cornell.edu (Roger Jagoda) writes:
}>Is there a way to limit rlogin, telnet, ftp access to just
}>a few users (the net administrators). ...
}
}Set up a netgroup named say "admin" under yp with your
}administrators listed as a set of users, leave the domain
}and machine fields empty (wild).
}In your server passwd files use +@admin instead of + to
}include just the members of the admin group.
}
}The only problem I have found with this is that the yp master
}passwd file is usually on a server...

Of course, if you're using YP, security has long gone out the window.....

Jim