
[suse-security] Problem with Authentification



Dear Madams and Sirs,

we have here a small, trusted network (with trusted users) that consists
of a heterogeneous (i.e., Suse, Redhat, Solaris) set of machines and
operates a common, unified file system (w/ autofs and nis).

We also would like to provide a convenient mechanism to remotely login
to the various machines. This is especially important for shell scripts
which have to run various parts of our process on different machines
which have different sets of softwa

After an internal evaluation, we came to the conclusion that rsh/rlogin
is a better solution than ssh. Ssh comes with an overhead about
authentication that is not justified in our small, trusted network.
Also its encryption limits its performance, e.g., when transferring
large amounts of data through remote copy or pipes. We also don't like
to switch off these mechanisms in ssh because we still would like to use
a strengthened ssh for connections outside our network. If we were
selectively switching off ssh's security mechanisms, we would see a risk
that we would introduce holes in our security system (mainly because of
human-caused configuration errors). We would like to keep rsh and ssh
separated.

My favorite solution would be to use /etc/hosts.equiv, e.g.
+@catnet
in order to enable for the whole netgroup.
(fyi.
> ypmatch -k catnet netgroup
yields:
> catnet (veltins,,) (holsten,,) (spaten,,) (andechs,,) (becks,,) (paulaner,,)
Then, I would like to rsh, e.g.:
> rsh andechs pwd

Alternatively, I could put either of those
> @catnet gordon
> +@catnet gordon
> +@catnet
> @catnet
into .rhosts. That does not work either. The only thing that would work is to put the whole list of hosts literally into .rhosts:
holsten gordon

BTW, in my /etc/nsswitch.conf, it says:
> netgroup:       files nis

What is wrong with it? How can I get good-old hosts.equiv back to work again?

It might have something to do with PAM. I don't understand PAM though, and I don't find anything about my topic in its documentation.

Best Regards,
Gordon.


