Table of Contents
Introduction
NIS Server
Kerberos Server
NFS Server
Add a host to the LAN
Managing users
Problems and solutions
Introduction
In this article I will show how to set up a secure LAN for your FreeBSD machines.
The goals
- Maintain a central user directory service (no need to copy master.passwd & friends to each client host)
- Keep /usr/home on the server. All the clients will mount it using NFS
- Restrict access to NFS shares to authorized users only, so that NFS shares could even be exported to a public WiFi net.
The technologies
- NIS (Network Information Service)
  NIS is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network.
- Kerberos
  Kerberos is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
- Kerberized NFS (Network File System)
  NFS is a distributed file system protocol allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed.
Implementation
NIS can not only distribute user account information (uid, gid, shell, etc.) but also authenticate the users.
However, in that case any NIS client can retrieve the entire password database for offline inspection: the ypcat passwd command will show the NIS master.passwd map along with the password hashes, so anyone on the network could try to brute-force the passwords.
Kerberos was designed to handle authentication in a more secure manner.
Besides, we want Kerberos-protected NFS shares, so we will use Kerberos to authenticate the users anyway.
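To check from any client whether a NIS passwd map carries real hashes (the exposure described above), here is an added audit script; it is not part of the original article and runs on a constructed sample map rather than on a live ypcat output.

```shell
#!/bin/sh
# Added helper (not from the original article): flags NIS passwd map entries
# whose password field carries a hash instead of a placeholder.
# On a live client feed it `ypcat passwd`; here a constructed sample is used
# so the script runs offline. Works for 7-field passwd and 10-field
# master.passwd lines alike, since the password is field 2 in both.

# Print the login names whose password field looks like a real hash.
# "*", "x", "!", an empty field or "*LOCKED*"-style markers mean the hash
# is withheld; anything else is reported as leaked.
leaked_hash_users() {
    awk -F: '
        NF >= 2 {
            pw = $2
            if (pw != "x" && pw != "!" && pw != "" && pw !~ /^\*/)
                print $1
        }
    '
}

# Constructed sample of what a NIS passwd map could look like.
SAMPLE_MAP='alice:$6$saltsalt$abcdef0123456789:1001:1001:Alice:/usr/home/alice:/bin/sh
bob:*:1002:1002:Bob:/usr/home/bob:/bin/sh
carol:x:1003:1003:Carol:/usr/home/carol:/bin/tcsh
dave:$2b$10$abcdefghijklmnopqrstuv:1004:1004:Dave:/usr/home/dave:/bin/sh
nologin:*LOCKED*:1005:1005:Locked:/nonexistent:/usr/sbin/nologin'

# Number of entries that leak a hash; "0" means the map is clean.
count_leaks() {
    printf '%s\n' "$1" | leaked_hash_users | wc -l | tr -d ' '
}

# Stand-alone usage on the constructed sample.
# On a real client run:  ypcat passwd | leaked_hash_users
if [ "$(count_leaks "$SAMPLE_MAP")" -ne 0 ]; then
    echo "NIS passwd map exposes hashes for:"
    printf '%s\n' "$SAMPLE_MAP" | leaked_hash_users
fi
```

A non-empty report means the map should be rebuilt so that only a placeholder is published, which is exactly what moving authentication to Kerberos achieves.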
The LAN
- We have a DNS server up and running; the local zone is "lan"
- Master server: coffin.lan.
- The NIS domain name will also be "lan", and the Kerberos realm will be "LAN".
In this setup, the server will provide NIS and Kerberos services to the LAN but will itself use /etc/master.passwd authentication only.
Before we begin, a new kernel is needed on the server and on all the clients. Add this to the kernel configuration file:
# Kerberized NFS
options KGSSAPI
device crypto
Build and install the new kernel.