managing user accounts without NIS

dwight dwight at supercomputer.org
Sun May 21 09:09:04 PDT 2000


Donald Becker wrote:

> On Sun, 21 May 2000, dwight wrote:
>
> > Victor Ortega wrote:
> >
> > > NIS and NFS are insecure and incur performance penalties.  I'm looking
> > > for better alternatives.  My idea of setuid-root wrappers (using rsync
> > > for distribution of relevant files) already provides a more secure,
> > > high-performance, high-availability alternative; I just want to make
> > > sure that there isn't something better out there already, and that I'm
> > > not overlooking some potential security hole.
> >
> > Just using rsync per se might well subject you to a man-in-the-middle
> > attack, or a spoofing attack. ssh/scp would be a better tool.
>
> An important element of Beowulf clusters is that they have a private,
> protected internal network.

Agreed; but security seems to be an issue with his setup.

> There is no possible spoofing attack.

There would be if physical security wasn't guaranteed. The question was
about not overlooking potential security holes, and this is one of them.

This is especially important at .edu sites, as I've found that college students
can be most enterprising.

> 'Ssh' imposes a large performance burden for its security.

I agree if you're talking about using ssh for all your connections; but it's
not that big of a deal if one is simply using scp to copy over /etc/[passwd, shadow].

The burden here would be in the administration of all the keys.

In his particular case, it might be worth it rather than broadcasting
/etc/shadow in the clear.

Best Regards,

    -dwight-

---------------------------------------------------------------------------
The Beowulf Mailing list archives can now be searched by visiting:
        http://www.supercomputer.org/Search/
The Calendar of Events in supercomputing can be found at:
        http://www.supercomputer.org/calendar/
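
The scp approach discussed in the message above, as an added example that is not part of the original post or of any poster's setup. It assumes root key-based ssh from the head node, node host keys already recorded in known_hosts, and a staging directory holding the files; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example: names, paths and sample data are assumptions, not from the thread.

# Check a staged passwd/shadow pair before it goes anywhere: field counts,
# a uid-0 root entry, and the same set of users in both files.
validate_pair() {
    awk -F: '
        FNR == NR {                        # first file: passwd (7 fields)
            if (NF != 7) bad = 1
            if ($1 == "root" && $3 == "0") root_ok = 1
            users[$1] = 1
            next
        }
        {                                  # second file: shadow (9 fields)
            if (NF != 9 || !($1 in users)) bad = 1
            seen[$1] = 1
        }
        END {
            for (u in users) if (!(u in seen)) bad = 1
            exit ((bad || !root_ok) ? 1 : 0)
        }' "$1" "$2"
}

# Copy the pair to one node over scp. StrictHostKeyChecking=yes makes ssh
# refuse a node whose host key is not already in known_hosts, which is the
# spoofing / man-in-the-middle case; BatchMode=yes fails instead of prompting.
push_accounts() {
    node=$1 stage=$2
    opts="-o BatchMode=yes -o StrictHostKeyChecking=yes"
    validate_pair "$stage/passwd" "$stage/shadow" || return 1
    chmod 644 "$stage/passwd" && chmod 600 "$stage/shadow" || return 1
    # -p keeps those modes; files land under temporary names, then rename.
    scp -p $opts "$stage/passwd" "root@$node:/etc/passwd.new" &&
    scp -p $opts "$stage/shadow" "root@$node:/etc/shadow.new" &&
    ssh $opts "root@$node" \
        'mv /etc/passwd.new /etc/passwd && mv /etc/shadow.new /etc/shadow'
}

# Constructed sample data (locked "!" password fields, no real hashes).
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:!:11098:0:99999:7:::' \
        'alice:!:11098:0:99999:7:::' > "$1/shadow"
}
```

Calling push_accounts once per node from the head node does the distribution; the key administration mentioned in the message is the one-time work of populating known_hosts and the root authorized_keys on each node.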
