rogerj@batcomputer.tn.cornell.edu (Roger Jagoda) (03/17/90)
Folks,

We have been struggling with an access problem on our NeXT-net that some of you might also have been facing/dealing with. I have seen little discussion of it here, however, so I'll bring it up hoping to share/gain ideas.

We have a NeXT-net with five file-servers (660MB drives, 2 partitions each - "/" and "/clients", the latter is the netboot client tree, the former is where /Users directory is), and about 30 netboot clients (40 MB disks). The whole thing is governed by netinfo and all machines are part of the "/" domain and all machines mount each file server's "/" to get to /Users.

Now the questions:

--How can we limit access to the file servers? Any user can sit at any machine and find his/her $HOME directories because /Users from the file servers are exported and mounted in the "/" domain. However, this means that the servers are also part of that domain and people could also log into those (remotely, we keep the machines outside the room, but rlogin and telnet access is still possible). Of course the best of all worlds is where the net administrators CAN log into the servers, but the average users cannot.

An idea we have been thinking about: Suppose the servers are themselves ANOTHER domain with just four or five users (the net administrators). The servers then would have their own "/" domain, and the netboot clients another. Problem is that to be a netboot client, a diskless machine HAS to be part of the same netinfo domain so we're not sure this is possible. Another problem is can one "/" domain machine mount nfs disks in another "/" domain...?

Another idea is to have a smaller machine, say one with a 330 disk, act as netboot and netinfo configuration server. This machine would keep the netinfo databases and supply the kernel (via tftpboot), but machines would mount nfs disks on the larger machines which would NOT have any passwd file or symbolic links to $HOME for users. Even if users DO telnet to those machines, they should get "permission denied" errors as they should have a way to get to their $HOME dirs.

--Alternatively, there's the age-old UNIX question...can you secure ftp, rlogin, telnet lines to just certain individuals? I mean you can have anonymous ftp, so SOME form of security can be REMOVED from those lines. But, can you ADD security?

A solution that works (but is cumbersome) is to ignore the "/" netinfo domain. Load all passwd entries into the "." domain of each netboot client EXCEPT the servers, but then you sort of defeat the purpose of netinfo which is to LOWER overall maintenance chores. Having 30 or so passwd files to maintain is the opposite of that effect, but certainly a solution. We're just looking for a better way.

Has anyone else struggled with this and cares to share their experiences?

Thanks in advance!

--Roger Jagoda
--Cornell University
--FQOJ@CORNELLA.CIT.CORNELL.EDU