Re: How to secure LAN visiting with NIS
On 12.06.2006, Chris Davies <chris-usenet@roaima.co.uk> wrote:
> tech11 <tech11@sohu.com> wrote:
>> I've set up one LAN with NIS account verification, and limit visit to
>> switcher ports with MAC address binding, but I think it is not so safe.
>
> Doesn't sound too bad to me. Presumably NIS+ rather than NIS?
Do you know _any_ NIS+ _server_ implementation working under Linux?
>> If one person uses his laptop and makes the same MAC address as a working
>> machine and then connects into the LAN and sets domain and NIS server,
>> he'll get all the visiting to the server and have the way to get data
>> to his laptop, which is awful.
>
> Don't trust MAC addresses implicitly. Instead, use them as part of your
> security blanket.
Didn't tech11 say that he doesn't want to trust MAC addresses?
>> Is there any way to avoid it?
>
> Ssh with public/private certificates for encrypting simple traffic from
> client to server. Kerberos V5 for authenticating users, hosts, and
> services.
How would you forward UDP traffic over SSH? Except by setting up a VPN
(recent versions of OpenSSH).
--
Feel free to correct my English
Stanislaw Klekot