Secure Unix LAN (NIS and Kerberized NFSv4)

Introduction

by ross at 17:07:18 on March 20, 2014

In this article I will show how to set up a secure LAN for your FreeBSD machines.

The goals

  • Maintain a central user directory service (no need to copy master.passwd & friends to each client host)
  • Keep /usr/home on the server. All the clients will mount it using NFS
  • Restrict access to NFS shares to authorized users only, so that the NFS exports could even be reachable from a public Wi-Fi network (note that Kerberos authentication alone does not encrypt the file data; for that the mount has to use the krb5p flavour, not plain krb5)

The technologies

  • NIS (Network Information Service)
    NIS is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network.
  • Kerberos
    Kerberos is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
  • Kerberized NFS (Network File System)
    NFS is a distributed file system protocol allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed. Plain NFS (AUTH_SYS) trusts the uid/gid the client asserts; Kerberized NFS uses RPCSEC_GSS so that every request is authenticated with the user's Kerberos credentials instead.

Implementation

NIS can distribute not only user account info (uid, gid, shell, etc.) but also the password hashes, so it can be used to authenticate the users as well.

However, in that case any NIS client can retrieve the entire password database for offline inspection. On FreeBSD the hashes live in the master.passwd maps, and ypserv only hands those out to requests from privileged ports, but that only means the attacker needs root on a machine of their own: ypcat master.passwd.byname then dumps the whole NIS master.passwd file, hashes included, and the passwords can be brute-forced offline at leisure.
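To make the exposure concrete, here is an added example (not code from the original article) that audits what such a dump hands to a client: it classifies the password field of every entry in a master.passwd(5)-format map and lists the accounts whose field is crackable or missing. The SAMPLE_MAP it runs on is a constructed dump with made-up hash strings of the right shape; against a real server you would pipe the output of ypcat master.passwd.byname into audit_map instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit what an NIS client can
# see in a password map dump. On FreeBSD the hashes live in the master.passwd
# maps, so the real-world invocation would be:
#   ypcat master.passwd.byname | audit_map
# SAMPLE_MAP is a constructed dump in master.passwd(5) format:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# The hash strings are made-up placeholders of the right shape, not real hashes.

SAMPLE_MAP='root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$saltsaltsaltsalt$0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde:1001:1001::0:0:Alice:/usr/home/alice:/bin/sh
bob:$1$saltsalt$0123456789abcdefghijkl:1002:1002::0:0:Bob:/usr/home/bob:/bin/sh
carol:$2b$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:1003:1003::0:0:Carol:/usr/home/carol:/bin/sh
dave:abJnggxhB/yWI:1004:1004::0:0:Dave:/usr/home/dave:/bin/sh
eve::1005:1005::0:0:Eve:/usr/home/eve:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# classify_hash PASSWORD_FIELD
# Prints the crypt(3) scheme the field uses: empty, locked, des, md5,
# sha256, sha512, bcrypt or unknown. Everything except "locked" is material
# an attacker can feed to an offline cracker (or, for "empty", needs none).
classify_hash() {
  case "$1" in
    '')                        echo empty ;;   # passwordless login
    '*'|'!'*|'*LOCKED*'*)      echo locked ;;  # no valid hash at all
    '$1$'*)                    echo md5 ;;
    '$2a$'*|'$2b$'*|'$2y$'*)   echo bcrypt ;;
    '$5$'*)                    echo sha256 ;;
    '$6$'*)                    echo sha512 ;;
    *)
      # Traditional DES crypt(3) output is exactly 13 characters, no $ prefix
      if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
  esac
}

# audit_map < dump
# Prints "user scheme" for every account whose password field is usable by
# an attacker; locked accounts are skipped.
audit_map() {
  while IFS=: read -r name pw rest; do
    [ -z "$name" ] && continue
    kind=$(classify_hash "$pw")
    [ "$kind" = locked ] && continue
    printf '%s %s\n' "$name" "$kind"
  done
}

# exposed_count < dump
# Number of accounts reported by audit_map.
exposed_count() {
  audit_map | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_MAP" | audit_map
```

Anything the script reports is what an attacker on the same network gets for free; the "des" and "md5" lines are the ones worth acting on first, and an "empty" line is an account that needs no cracking at all. With Kerberos doing the authentication, the NIS maps can carry "*" in every password field and this audit reports nothing.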

Kerberos was designed to authenticate over an untrusted network: clients receive tickets, never the password database, so there is nothing for a client to dump and crack offline.

Besides, we want Kerberos-protected NFS shares, so Kerberos will have to authenticate the users anyway; NIS will only carry the account metadata.

The LAN

  • A DNS server is up and running; the local zone is "lan"
  • Master server: coffin.lan.
  • The NIS domain name will also be "lan"; the Kerberos realm will be "LAN" (the usual convention, the DNS domain in upper case)

In this setup, the server will provide NIS and Kerberos services to the LAN but will itself authenticate logins against /etc/master.passwd only.

Before we begin, a new kernel is needed on the server and on all the clients, because GENERIC does not include the in-kernel GSS-API support that Kerberized NFS relies on. Add this to the kernel configuration file:

# Kerberized NFS
options         KGSSAPI
device          crypto

Build and install the new kernel on every machine (KGSSAPI provides the kernel side of RPCSEC_GSS; device crypto supplies the ciphers it uses).
