Jamesbch Apprentice
Joined: 30 Sep 2007 Posts: 185
Posted: Sun Jul 20, 2008 1:27 pm Post subject: Assignment of hosts names [solved]
Hello,
I was wondering about the assignment of hosts names. I know that we can give names with DHCP:
/etc/dhcp.conf
Code:
    [...]
    # Host name
    host livingroom {
        hardware ethernet 00:00:4C:71:46:68;
        fixed-address 192.168.1.5;
    }
So I can use "livingroom" in the NFS server, right? This way, an NFS shared folder is more secure than with only the IP (because the MAC address is controlled, it's more secure but not the most secure). What are the other programs that use these names? (Finally, what do you call these names?)
An example with the NFS server:
/etc/exports
Code:
    /home/livingroom/ livingroom(root_squash, ...)
So only the computer "livingroom" with IP 192.168.1.5 which has been authenticated through DHCP can mount this directory, is that right?
How can I set a host name manually, is there only /etc/hosts to do it? Is there software to do it clearly, kind of:
    hostsnames -a 192.168.1.10 name-test (to add a host name)
    hostsnames -d name-test (to remove one)
It will be useful for me for some Python scripts.
Any help would be appreciated.
Last edited by Jamesbch on Mon Jul 28, 2008 9:34 am; edited 1 time in total
aceFruchtsaft Guru
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
Posted: Sun Jul 20, 2008 6:24 pm Post subject:
I think you are mixing things up. The configuration you posted was taken from the ISC DHCP server, right? (The default config file is /etc/dhcp/dhcpcd.conf on Gentoo).
In the host declaration
the hostname parameter is nothing more than the identifier which is matched against the dhcp-client-identifier if the client provides one (see dhcpd.conf(5) for details). This has nothing to do with name resolution (DNS) or NFS. (And by the way, the client can choose any dhcp-client-identifier it wants.)
If you specify (fully qualified) hostnames in /etc/exports, this only works if you either have a working DNS server on your network (including reverse lookups) or you have entered the information into /etc/hosts. Again, this is completely independent of DHCP because the NFS server does not care where the client got its IP address from.
Finally, if you want to dynamically map (fully qualified) hostnames to IP addresses depending on the IP address provided for the DHCP server, you can do this by running a DNS server on your network and instructing the ISC DHCP daemon to dynamically update DNS records for each client. This works quite well with ISC's DNS server (bind), but the configuration is anything but trivial if you have never run a DNS server before. Maybe there is some other way such as updating /etc/hosts, don't know about that.
Anyway... why don't you just use IP addresses in /etc/exports to bypass this problem? I don't think that security considerations warrant the extra effort for a private LAN.
Jamesbch Apprentice
Joined: 30 Sep 2007 Posts: 185
Posted: Mon Jul 21, 2008 5:38 pm Post subject:
Hello aceFruchtsaft,
thank you very much for your answer. I won't mix things up any more.
Two other questions:
- How can I secure the NFS easily? (With a login and/or password?)
- Can I configure DHCP to execute something when a new client is requesting a DHCP lease? (So I can do it the way I thought, to secure manually)
Thank you again.
gentoo_ram Guru
Joined: 25 Oct 2007 Posts: 513 Location: San Diego, California USA
Posted: Tue Jul 22, 2008 10:03 pm Post subject:
Jamesbch wrote:
> - How can I secure the NFS easily ? (With a login and/or password ?)

There is no security in NFS v2 or v3 other than via IP address. NFS v4 has security, but it isn't easy. It involves Kerberos, certificates, time synchronization, etc, etc. And again, it depends on hosts, not users.
Jamesbch wrote:
> - Can I configure DHCP to execute something when a new client is requesting a DHCP lease ? (So I can do the way I though to secure manually)

I don't know offhand. You can read the docs. But I don't understand the point. There is no security anyway in NFS. Period. Any computer can be plugged into your LAN and statically configured with the IP address 192.168.1.5 and get all the access they want. The DHCP server can't 'enforce' anything. The only other way I can think of to get security for NFS is via IPsec or something like that. Again, not easy.
Samba provides user/password authentication. And it can support 'unix extensions', case sensitivity, etc. to make it more Unix-like. If you want user/password authentication, maybe that's the way to go.
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Wed Jul 23, 2008 12:55 am Post subject:
Jamesbch wrote:
> - How can I secure the NFS easily ? (With a login and/or password ?)

Well, as long as you take "security" as is, considering you're not working for the FBI, it should be enough like that:
- configure DHCP to allow a range of IPs outside your personal computers' IPs (i.e. 192.168.1.100 -> 192.168.1.255, and you keep 192.168.1.1 -> 192.168.1.99 for your computers as static IPs)
- add your computers to /etc/hosts like that:
    127.0.0.1 localhost
    192.168.1.5 livingroom.fqdn livingroom
  just as: echo 192.168.1.5 livingroom.fqdn livingroom >> /etc/hosts (yep, >> not >)
- fix your NFS for local network only, add that in /etc/hosts.allow:
    portmap: LOCAL 192.168.1.*
    lockd: LOCAL 192.168.1.*
    mountd: LOCAL 192.168.1.*
    statd: LOCAL 192.168.1.*
  and in /etc/hosts.deny:
    ALL: ALL
- now you can export as livingroom(rw,...)
It should be enough for a personal network.
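
An added example, not part of the original thread and not any poster's code: a Python check of the layout described above, which flags /etc/exports clients named by hostname that are missing from /etc/hosts or that resolve into the DHCP pool, plus wildcard exports. The file contents, the `laptop` and `kitchen` hosts, the `/srv/...` paths and the function names are constructed for illustration; IPv4 is assumed.

```python
import ipaddress
import re

# Constructed sample files following the layout proposed in the thread.
HOSTS = """\
127.0.0.1 localhost
192.168.1.5 livingroom.fqdn livingroom
192.168.1.120 laptop
"""
EXPORTS = """\
/home/livingroom/ livingroom(rw,root_squash)
/srv/media laptop(ro) kitchen(ro)
/srv/pub *(ro)
"""
# Assumption: the dynamic DHCP range from the thread (192.168.1.100 and up).
POOL = (ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.255"))

def parse_hosts(text):
    """Map every name and alias in hosts-file text to its IP address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                # First entry wins, as with a top-down hosts file lookup.
                table.setdefault(name.lower(), ipaddress.ip_address(fields[0]))
    return table

def audit_exports(exports_text, hosts_text, pool=POOL):
    """Return (path, client, problem) for each export client that is not pinned."""
    hosts, findings = parse_hosts(hosts_text), []
    for line in exports_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for spec in fields[1:]:
            client = re.sub(r"\(.*\)$", "", spec)  # drop the "(options)" part
            addr = hosts.get(client.lower())
            if not client or any(c in client for c in "*?["):
                findings.append((fields[0], client or "(any)", "wildcard or world export"))
            elif re.fullmatch(r"[\d./]+", client) or client.startswith("@"):
                continue  # literal IPv4 address/network or netgroup: no name lookup
            elif addr is None:
                findings.append((fields[0], client, "name not in hosts file"))
            elif addr.version == 4 and pool[0] <= addr <= pool[1]:
                findings.append((fields[0], client, "resolves into DHCP pool"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(EXPORTS, HOSTS):
        print("%s: client %s: %s" % finding)
```

The check only confirms that the exports, hosts file and address plan agree with each other; as noted earlier in the thread, it does not authenticate the machine that holds an address.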
aceFruchtsaft Guru
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
Posted: Wed Jul 23, 2008 7:34 am Post subject:
I agree with krinn's proposal, however, you should also consider other security issues:
Unless you want to prevent your girlfriend/wife/kids, etc., i.e. legitimate LAN users, from accessing specific NFS shares, you should be much more concerned with protecting your LAN against unwanted intruders. No one will be able to access your NFS server anyway unless they gain access to your LAN, which is much more worrying. On the other hand, if no one is able to hack into your LAN, your NFS shares are safe even without NFS-specific precautions.
So make sure that you have a firewall enabled on your router, don't have any port forwarding configured into your LAN, use WPA and MAC filtering if you have wireless, etc.
Jamesbch Apprentice
Joined: 30 Sep 2007 Posts: 185
Posted: Mon Jul 28, 2008 9:33 am Post subject:
Thank you all. Solved.