SECURE NIS VIA SSH TUNNELLING

John Bowman
Christian Mueller
http://www.math.ualberta.ca/imaging/snfs

06 June 2003

INSTALLATION INSTRUCTIONS

0. RESTRICTIONS

Sec_rpc supports secure NIS (SNIS) via ssh tunnelling to a single NIS
server. It is assumed that ypserv and rpc.yppasswdd are already running on
the NIS server and that there is only one NIS server for the whole NIS
domain. To work under SNIS, the NIS client programs yppasswd and ypcat must
be patched, as described in Section 9 for the Linux versions of these tools.

1. SET UP LOOPBACK NIS ON THE REMOTE HOST

On the remote NIS server (which we will call REMOTE), ypserv and
rpc.yppasswdd must be running. You can achieve this with the following
steps. The explanation uses the RedHat/SUSE notation for starting a
service:

    /etc/init.d/... start

- Determine the DOMAINNAME for this NIS domain. All clients must use the
  same DOMAINNAME.

- In /var/yp/securenets, restrict access to ypserv to localhost and to
  REMOTE.

- In /etc/hosts.allow, allow access to portmap, ypserv and rpc.yppasswdd
  from REMOTE.

- We assume you are using shadow passwords. By default only users and
  groups with an id >= 500 are exported to NIS; to change this limit you
  must modify /var/yp/Makefile.

- Create the NIS map files with the command

      cd /var/yp; make

  All of the information that the NIS server distributes is stored in
  these dbm databases.

- The configuration file for ypserv is /etc/ypserv.conf. Now start ypserv
  with the command

      /etc/init.d/ypserv start

- The configuration data of ypbind is stored in /etc/yp.conf. Make sure
  that this file has only one valid line:

      domain DOMAINNAME server REMOTE

  replacing DOMAINNAME and REMOTE by the corresponding values. Now start
  ypbind on REMOTE (which acts as an NIS client of itself) with

      /etc/init.d/ypbind start

  Ypbind checks all servers for the domain listed in /etc/yp.conf and
  decides which NIS server to use. In this case the NIS server is unique,
  so there is only one line in /etc/yp.conf.

- The NIS server and client are now running on REMOTE. Test the commands

      ypwhich
      ypcat passwd
      ypmatch USER passwd

  Here USER must be an exported username with uid >= 500.

- To enable the password-changing service, start rpc.yppasswdd with

      /etc/init.d/yppasswd start

  Now you can change a password as root with

      yppasswd USER

  or as a normal user with

      yppasswd

2. BUILD AND INSTALL THE NECESSARY FILES

By default the executable files will be installed in /usr/local/bin. Make
sure that this directory is in the path. On both the remote and local
computers, in the top directory of sec_rpc, do the following:

    ./configure
    make install-snis

3. CONFIGURE THE CONNECTION TO REMOTE ON EACH CLIENT

On each local NIS client, create a configuration file for REMOTE:

    cp NIS/TEMPLATE /usr/local/etc/snis/REMOTE

where REMOTE is the hostname of the NIS master server. In the file REMOTE,
change each occurrence of REMOTE to the NIS server name and each occurrence
of LOCALHOSTNAME to the NIS client name.

4. CONFIGURE YPBIND ON THE CLIENT

Make sure that no ypbind daemon is running on the client. The configuration
data of ypbind is stored in /etc/yp.conf. Make sure that this file has only
one valid line:

    domain DOMAINNAME server LOCALHOSTNAME

where DOMAINNAME is the domainname declared earlier and LOCALHOSTNAME is
the name of the local host. The client points at itself because the
tunnelled proxy started in Section 5 answers NIS requests on the local host
and forwards them to REMOTE.

5. TEST THE SETUP

Create a secure user snfs (e.g. uid=87, gid=87) on both machines.

On the local computer, start the tunnel in debug mode:

    rpc_psrv -r -d /usr/local/etc/snis/REMOTE

Enter REMOTE's root password when prompted.

In another window on the client, start ypbind. Now ypwhich returns the name
of the NIS server. This will be the name of the NIS client, because ypwhich
takes the tunnelled rpc_psrv proxy for the real server. With

    ypmatch USER passwd

you get all passwd data for the specified user.

6. AUTOMATE THE SETUP

This works the same way as for snfs. Set up passwordless ssh public key
access from the snfs account on the local machine to the snfs account on
REMOTE, using empty passphrases. Since the private key is unencrypted, keep
it readable only by the snfs account on the client. Verify that you can log
into REMOTE as user snfs without a password.

Normally secure NIS is started by root. In the automated setup, however,
rpc_psrv runs as user snfs, so instead of a root -> root connection the ssh
connection is snfs -> snfs.

In the top directory of sec_rpc on REMOTE, use the following command to
change the group of the installed program rpc_pcl to snfs, turn the setuid
bit on, and change the ownership of /usr/local/etc/snis to snfs:

    make setuid

To change ownership without making rpc_pcl setuid (in case you want the
host to be only a client and not a secure NFS server), you may instead do
this:

    make ownership

7. CONGRATULATIONS

You are ready to start and stop SNIS on the local computer:

    /usr/local/etc/init.d/snis REMOTE start
    /usr/local/etc/init.d/snis REMOTE status
    /usr/local/etc/init.d/snis REMOTE stop

8. TROUBLESHOOTING

To diagnose an error message, consult the file NFS/FAQ and the
TROUBLESHOOTING section of the file README.NFS.

9. PATCHES FOR YPCAT AND YPPASSWD

For the Linux operating system, we have prepared a patch for ypcat and
yppasswd so that these utilities can be used with SNIS. The command

    make install-syp

will automatically apply the patch yp-tools.patch once the gzipped source
tar file yp-tools-*.*.tar.gz from

    ftp://ftp.kernel.org/pub/linux/utils/net/NIS/

is placed in the NIS subdirectory. The modified versions of yppasswd and
ypcat, which support tunnelling, are called syppasswd and sypcat,
respectively. By default these replacement programs will be installed in
/usr/local/bin. If desired, they can be used as drop-in replacements for
the original (insecure) versions of yppasswd and ypcat.

Some remarks about the patch: the RPC communication for ypcat has been
changed from TCP to UDP, since sec_rpc only tunnels UDP traffic. The master
NIS server appears on the client as if it were the local host.

You may redistribute it and/or modify this file under the terms of the GNU
General Public License (see the file LICENSE).
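The two hand-edited files in Sections 1 and 4 are where an SNIS setup most
often goes wrong: a second server line in /etc/yp.conf lets ypbind bind to
an untunnelled server, and an open entry in /var/yp/securenets lets any host
read the maps. The script below is an added example, not part of sec_rpc or
yp-tools; it checks copies of both files offline. The file formats are
assumed from the instructions above and from the standard ypbind and ypserv
(Linux ypserv also accepts "host ADDRESS" lines in securenets); the domain
name, hostnames and the address 192.0.2.10 in the samples are constructed.

```shell
#!/bin/sh
# Added example (not sec_rpc code): offline sanity checks for the two
# configuration files that Sections 1 and 4 ask you to edit by hand.
# Assumed formats:
#   yp.conf      one active line  "domain DOMAINNAME server HOST"
#   securenets   active lines     "NETMASK NETWORK"  or  "host ADDRESS"

# Print the non-comment, non-blank lines of a file.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep '[^[:space:]]' || true
}

# yp_conf_ok FILE DOMAIN SERVER
# Succeeds only if FILE has exactly one active line and that line binds
# DOMAIN to SERVER.  SNIS needs a single entry: REMOTE itself on the
# server (Section 1), the client's own hostname on a client (Section 4).
yp_conf_ok() {
    active_lines "$1" |
        awk -v d="$2" -v s="$3" '
            { n++ }
            $1 == "domain" && $2 == d && $3 == "server" && $4 == s { hit++ }
            END { if (n == 1 && hit == 1) exit 0; exit 1 }'
}

# securenets_ok FILE REMOTE_ADDR
# Succeeds only if every active line grants access to loopback or to
# REMOTE_ADDR.  Anything else (including "0.0.0.0 0.0.0.0", which admits
# every host) fails the check.
securenets_ok() {
    active_lines "$1" |
        awk -v r="$2" '
            $1 == "host" && ($2 == "127.0.0.1" || $2 == r) { next }
            $1 == "255.0.0.0" && $2 == "127.0.0.0" { next }
            $1 == "255.255.255.255" && ($2 == "127.0.0.1" || $2 == r) { next }
            { bad++ }
            END { if (bad > 0) exit 1; exit 0 }'
}

# Constructed samples (hostnames and addresses are made up): a correct
# client yp.conf, a two-server yp.conf, a tight securenets and an open one.
tmp=${TMPDIR:-/tmp}/snis-check.$$
mkdir -p "$tmp"
printf '# ypbind configuration\ndomain imaging server client1\n' > "$tmp/yp.good"
printf 'domain imaging server client1\ndomain imaging server nis2\n' > "$tmp/yp.bad"
printf '255.0.0.0 127.0.0.0\nhost 192.0.2.10\n' > "$tmp/sn.good"
printf '255.0.0.0 127.0.0.0\n0.0.0.0 0.0.0.0\n' > "$tmp/sn.bad"

yp_conf_ok "$tmp/yp.good" imaging client1 && echo "yp.good: accepted"
yp_conf_ok "$tmp/yp.bad" imaging client1 || echo "yp.bad: rejected (two server lines)"
securenets_ok "$tmp/sn.good" 192.0.2.10 && echo "sn.good: accepted"
securenets_ok "$tmp/sn.bad" 192.0.2.10 || echo "sn.bad: rejected (0.0.0.0 entry)"
rm -rf "$tmp"
```

Run the checks against the real files on each host before starting ypbind
(for example `yp_conf_ok /etc/yp.conf DOMAINNAME LOCALHOSTNAME` on a client
and `securenets_ok /var/yp/securenets ADDRESS-OF-REMOTE` on the server).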