You should install it as Makefile in your map directory and edit it to reflect the maps you want the NIS server to share. Towards the top of the file, you'll find the all target that lists the services ypserv offers. By default, the line looks something like this:

    all: ethers hosts networks protocols rpc services passwd group netid

If you don't want to produce, for example, the ethers.byname and ethers.byaddr maps, simply remove the ethers prerequisite from this rule. To test your setup, you can start with just one or two maps, like the services.* maps.

After editing the Makefile, while in the map directory, type make. This will automatically generate and install the maps. You have to make sure to update the maps whenever you change the master files, otherwise the changes will remain invisible to the network.

The section "Setting Up an NIS Client with GNU libc" will explain how to configure the NIS client code. If your setup doesn't work, you should try to find out whether requests are arriving at your server. If you specify the --debug command-line flag to ypserv, it prints debugging messages to the console about all incoming NIS queries and the results returned. These should give you a hint as to where the problem lies. Tobias's server doesn't have this option.

NIS Server Security

NIS used to have a major security flaw: it left your password file readable by virtually anyone in the entire Internet, which made for quite a number of possible intruders. As long as an intruder knew your NIS domain name and the address of your server, he could simply send it a request for the passwd.byname map and instantly receive all your system's encrypted passwords. With a fast password-cracking program like crack and a good dictionary, guessing at least a few of your users' passwords is rarely a problem.

This is what the securenets option is all about. It simply restricts access to your NIS server to certain hosts, based on their IP addresses or network numbers. The latest version of ypserv implements this feature in two ways. The first relies on a special configuration file called /etc/ypserv.securenets and the second conveniently uses the /etc/hosts.allow and /etc/hosts.deny files we already encountered in Chapter 12, Important Network Features. Thus, to restrict access to hosts from within the Brewery, their network manager would add the following line to hosts.allow:

    ypserv: 172.16.2.

This would let all hosts from IP network 172.16.2.0 access the NIS server. To shut out all other hosts, a corresponding entry in hosts.deny would have to read:

    ypserv: ALL

IP numbers are not the only way you can specify hosts or networks in hosts.allow and hosts.deny. Please refer to the hosts_access(5) manual page on your system for details. However, be warned that you cannot use host or domain names for the ypserv entry. If you specify a hostname, the server tries to resolve this hostname -- but the resolver in turn calls ypserv, and you fall into an endless loop.

To configure securenets security using the /etc/ypserv.securenets method, you need to create its configuration file, /etc/ypserv.securenets. This configuration file is simple in structure. Each line describes a host or network of hosts that will be allowed access to the server. Any address not described by an entry in this file will be refused access. A line beginning with a # will be treated as a comment. Example 13-1 shows what a simple /etc/ypserv.securenets would look like:

Example 13.1: Sample ypserv.securenets File

    # allow connections from local host -- necessary
    host 127.1
    # same as 255.255.255.255 127.1
    #
    # allow connections from any host on the Virtual Brewery network
    255.255.255.0 172.16.1.0
    #

The first entry on each line is the netmask to use for the entry, with host being treated as a special keyword meaning "netmask 255.255.255.255." The second entry on each line is the IP address to which to apply the netmask.

A third option is to use the secure portmapper instead of the securenets option in ypserv. The secure portmapper (portmap-5.0) uses the hosts.allow scheme as well, but offers this for all RPC servers, not just ypserv. However, you should not use both the securenets option and the secure portmapper at the same time, because of the overhead this authorization incurs.
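To check a draft /etc/ypserv.securenets before installing it, the default-deny rule described for that file can be evaluated offline. The Python below is an added example, not code from ypserv or from the original text: the function names are hypothetical, the sample input is Example 13.1 embedded inline, and the match rule (client address ANDed with the netmask equals the entry's address) is an assumption based on the description of the two fields.

```python
import socket

# Constructed sample input: the entries shown in Example 13.1.
SAMPLE_SECURENETS = """\
# allow connections from local host -- necessary
host 127.1
# same as 255.255.255.255 127.1
#
# allow connections from any host on the Virtual Brewery network
255.255.255.0 172.16.1.0
#
"""

def _to_int(dotted):
    # inet_aton accepts shorthand such as "127.1" (127.0.0.1).
    return int.from_bytes(socket.inet_aton(dotted), "big")

def parse_securenets(text):
    """Return a list of (netmask, network) integer pairs, one per entry."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no rule
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'netmask address'")
        mask_field, addr_field = fields
        try:
            # "host" is the keyword for netmask 255.255.255.255
            mask = 0xFFFFFFFF if mask_field == "host" else _to_int(mask_field)
            addr = _to_int(addr_field)
        except OSError as exc:
            raise ValueError(f"line {lineno}: bad address in {line!r}") from exc
        rules.append((mask, addr & mask))
    return rules

def is_allowed(client_ip, rules):
    """Default deny: a client is allowed only if some entry matches it."""
    ip = _to_int(client_ip)
    return any((ip & mask) == net for mask, net in rules)

if __name__ == "__main__":
    rules = parse_securenets(SAMPLE_SECURENETS)
    for ip in ("127.0.0.1", "172.16.1.42", "172.16.2.5", "10.0.0.1"):
        print(ip, "allowed" if is_allowed(ip, rules) else "refused")
```

With the sample file, a host on 172.16.2.0 is refused, which shows that the hosts.allow line above and Example 13.1 name different networks and are not interchangeable.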