On Sun, Aug 20, 2000 at 08:53:04PM -0400, Adam Scriven wrote:
> Hey all.
> 
> I've got another machine added to my network (Old 486, 12MB Ram. Debian
> went on OK, but the kmod (i think) errors on boot went on for ever), and
> I'm wondering what the "best" (if there is such a thing) way of sharing
> users and shares between computers?

between multiple GNU/Linux or other unix machines i presume..

> I've read a lot of bad press about NFS, so I'm curious about Coda. Right
> now I'm using SMBFS, but I'd prefer to use a native linux system, if
> there's a better one to use.

I have looked at coda, it's interesting but does not scale down well (IMO).
it's designed for large networks such as universities with large local
caches. the way i understand coda you have to have enough local cache to
store the largest file you are going to ever open. it's all far more
complicated than what i need. (which is similar to you, just exporting a
filesystem to 2 or 3 machines)

samba sucks even worse than NFS IMO, there is no user or permission support
and it's no more secure.

as far as i have found the only acceptable option for this type of file
sharing is NFS, and that is what i am using with very few problems.

the main problems with NFS are as follows:

Security:

* NFS has NO authentication, the only authentication mechanism it has is a
  list of IP addresses allowed to connect to a certain export.

* NFS has NO encryption, so everything flies across the network in the
  clear. (samba is no different)

* NFS requires the evil portmapper, and several RPC services. this is most
  annoying when you try and firewall off these services since the portmapper
  has this obnoxious way of randomly assigning port numbers to the RPC
  services. firewalling is essentially impossible AFAICT (please prove me
  wrong, and don't tell me about port 2049, try and firewall off rpc.statd
  sometime). perhaps it's possible to firewall off all ports from SYN packets
  but that seems to break ftp, and several other things (irc DCC et al).
  (any recommendations on a good firewalling book are welcome)

* NFS trusts the client, the client enforces permissions for the most part.
  NFS by default (on linux anyway) maps root to nobody, but this does you no
  good on a partition like /home since most files are not owned by root and
  root can become anyone he wishes. the only thing squashing root really does
  on /home is prevent a remote root from creating a suid shell, but you better
  protect against that by mounting /home nosuid on the server (and the
  clients). any protocol which trusts the client is inherently broken in
  regards to security.

  there is however apparently a secure implementation of portmap which uses
  something similar to ssh's RSA authentication. this also solves the problem
  of root being able to access everything on a server. but AFAIK secure
  portmap is not supported on linux. (i think NFSv4 is supposed to solve a
  lot of security problems as well)

NFS implementation/compatibility:

* The linux NFS implementation really just plain sucks, there is just no nice
  way of saying it. the userspace nfsd does not support file locking which
  will break things (for example running windowmaker with NFS mounted /home
  will just segfault all the time with the userland nfsd). The kernel space
  nfsd does support file locking and also is far faster and more efficient
  (the userland daemon consumes 98% of CPU resources when you copy any
  significant amount of data). the problem is kernelspace nfsd is only
  compatible with linux clients (or so the docs say). also linux lacks
  support for NFSv3 which is apparently an improvement over NFSv2 which it
  does support.

one problem i have had with NFS (kernel space nfsd) with exported /home is
mutt. i use mutt's mailboxes feature which lets me know when new mail is
delivered into a mailbox (say in-debian-user); then i only have to hit `c'
to change to that mailbox, read the mail and hit `c' again to switch to the
next mailbox with new mail. the problem is with NFS mounted /home (where
~/Mail and all my in-* mailboxes are) once new mail has been noticed by mutt
in a mailbox it always thinks there is new mail there, even when i delete
all of it and the mailbox is empty. this causes mutt to simply go in circles
when i change mailboxes, new mail in foo -> new mail in bar -> new mail in
foo... i have not found a solution to this other than sshing into the server
and using mutt there.

> Also, I'm wondering about NIS, but I've got no experience with that at all.

NIS is also insecure, and requires the evil portmapper. NIS+ is apparently
more secure (but again linux support is poor AFAICT). the problem with NIS
is more that anyone can get a copy of the hashed passwords and thus you are
prevented from using shadowed passwords. i think there are other problems as
well. i am not as familiar with NIS however. i don't use any distributed
authentication system at the moment.

> Can anyone point me in the right direction?

i would say what you're looking for is NFS for file sharing, just read up on
it and do what you can to maintain security.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Attachment:
pgpV80LFzQidt.pgp
Description: PGP signature
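Added example, not code from the post above or from any NFS project: a small Python audit that checks the three things the reply tells you to get right on a small NFS setup. It parses /etc/exports and /etc/fstab syntax and the output format of `rpcinfo -p`, and flags exports reachable from any host (the host list being NFS's only access control), exports that keep remote root as root (no_root_squash), client NFS mounts without nosuid (generalised here from the post's /home advice to every NFS mount), and RPC services sitting on portmapper-assigned ports rather than the fixed 111/2049, which is why a static firewall rule set never quite covers them. All file contents and the rpcinfo output below are constructed samples, and the file names are only what a Debian box of that era would use.

```python
"""Audit NFS exports, client mounts and RPC port assignments.

Added example (not from the mailing-list post or any NFS project). The
/etc/exports, /etc/fstab and `rpcinfo -p` samples are constructed; the
option names (root_squash, no_root_squash, nosuid) are the real ones from
exports(5) and mount(8).
"""

# Constructed /etc/exports. The last line has the exports(5) space trap:
# "host (opts)" is two entries, the second applying (opts) to every host.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home         192.168.1.10(rw,sync,root_squash) 192.168.1.11(rw,sync)
/srv/pub      *(ro,sync)
/srv/build    192.168.1.0/24(rw,no_root_squash,sync)
/srv/scratch  192.168.1.12 (rw)
"""

# Constructed client /etc/fstab.
SAMPLE_FSTAB = """\
# <file system>        <mount point>  <type>  <options>            <dump> <pass>
fileserver:/home       /home          nfs     rw,hard,intr,nosuid  0 0
fileserver:/srv/build  /srv/build     nfs     rw,hard,intr         0 0
/dev/hda1              /              ext2    defaults             1 1
"""

# Constructed `rpcinfo -p` output; the 327xx ports are whatever the portmapper
# handed out at boot and need not be the same after the next reboot.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100003    2   tcp   2049  nfs
    100005    1   udp  32770  mountd
    100005    1   tcp  32771  mountd
    100021    1   udp  32772  nlockmgr
"""

FIXED_RPC_PORTS = {111, 2049}  # portmapper and nfsd; everything else floats


def _content_lines(text):
    """Yield non-empty lines with '#' comments removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_exports(text):
    """Return (path, host, options) tuples; host is '' for a host-less '(opts)' token."""
    entries = []
    for line in _content_lines(text):
        path, _, rest = line.partition(" ")
        for token in rest.split():
            host, _, opts = token.partition("(")
            entries.append((path, host, set(filter(None, opts.rstrip(")").split(",")))))
    return entries


def audit_exports(entries):
    """Flag exports open to any host and exports that do not squash remote root."""
    findings = []
    for path, host, opts in entries:
        if host == "" or host.startswith("*"):
            findings.append(f"{path}: exported to any host ({host or 'host-less options'})")
        if "no_root_squash" in opts:
            findings.append(f"{path}: no_root_squash for {host}, remote root keeps uid 0")
    return findings


def parse_fstab(text):
    """Return (device, mountpoint, fstype, options) tuples."""
    mounts = []
    for line in _content_lines(text):
        fields = line.split()
        if len(fields) >= 4:
            device, mountpoint, fstype, options = fields[:4]
            mounts.append((device, mountpoint, fstype, set(options.split(","))))
    return mounts


def audit_fstab(mounts):
    """Flag NFS mounts where a setuid file placed on the server would be honoured."""
    return [f"{mp}: NFS mount of {dev} without nosuid"
            for dev, mp, fstype, opts in mounts
            if fstype == "nfs" and "nosuid" not in opts]


def parse_rpcinfo(text):
    """Return (service, proto, port) tuples from `rpcinfo -p` output."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].isdigit():
            services.append((fields[4], fields[2], int(fields[3])))
    return services


def floating_rpc_ports(services):
    """RPC services on ports a static firewall rule set cannot anticipate."""
    return sorted(s for s in services if s[2] not in FIXED_RPC_PORTS)


if __name__ == "__main__":
    for f in audit_exports(parse_exports(SAMPLE_EXPORTS)) + audit_fstab(parse_fstab(SAMPLE_FSTAB)):
        print(f)
    for svc, proto, port in floating_rpc_ports(parse_rpcinfo(SAMPLE_RPCINFO)):
        print(f"{svc}/{proto} on portmapper-assigned port {port}")
```

Run against the real files it reads them as-is; the point of the rpcinfo part is that the status, mountd and nlockmgr ports come back different after every boot, which is exactly the rpc.statd problem the reply describes, so any firewall rule written around port numbers has to be regenerated from `rpcinfo -p` rather than typed once.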