Shared libraries

[Chris Siebenmann]

mohta at necom830.cc.titech.ac.jp (Masataka Ohta) writes:
| If some interface of a gateway is down, it is necessary to reach there
| by explicitely specifying its IP address or its name.
| Even if software is written properly, it is usually annoying to wait
| time-out of the first IP address.

 Locally, cases when one interface is down but the rest of the machine
is up are vanishingly small. As a sysadmin, when I suspect that a
particular interface has flaked out, I always use an interface-specific
hostname or IP address, instead of relying on telnet fallbacks.  I
would claim that sufficiently much else breaks when an interface goes
down that for ordinary users, a down interface is roughly equivalent to
a down machine.

| The user should authentificate all of IP addresses, for simplicity.
| Anyway, X11 with IP-based connection authentification is not a real
| authentification.

 Without a 4.3BSD style struct hostent, this requires the user to know
all of the interfaces on a particular machine, which is not what I
consider reasonable. I'm aware of the flaws in the host-based
authentification for X, and use better mechanisms when possible, but
most groups around here have yet to upgrade to X11R4 for various
reasons.

| A little better autehtification is by .rhosts.

 Use of .rhosts is impractical for X11 connections; for one thing, I
may not have .rhosts entries although I want an X connection for that
particular pair, either for organizational or technical reasons.

 With 4.2BSD style struct hostents, .rhosts-based authentification can
get fouled up by an intelligent, nameserver-aware rlogind that does
checking by forward-mapping from hostnames, instead of reverse mapping
from IP addresses. You can say it's a bad thing to run such a daemon on
non-DNS systems, but we have systems (like Ultrix) where one can
configure which lookup mechanisms to use, and in what order, and the
/etc/hosts based one only returns one IP address for a particular
hostname while the DNS ones return multiple IP addresses.

| > On the other hand, network topology updates are often distributed,
| >not centralized.
| Network topology updates affect routing and often cause network trouble.
| So, it should be informed to all related administrators.

 Perhaps it often causes trouble in your organization; it doesn't in
ours. Anything short of a major backbone reorganization tends to
confine its effects to the groups or departments involved. I think this
is a good thing, and something to strive for. Also, being informed of a
change is somewhat less work than having to run around and fix various
netgroups (or whatever) files, and making sure these propagate.

| >I don't have any idea whether or not the Department
| >of Statistics is splitting their network today, nor if this will
| >affect any of my users or any of their users who're trying to use my
| >machines.
| Consider the case where you have your account in Department of Statistics
| and want to trust all workstations there.

 The authentification and authorization mechanisms in things like
rlogind need work, agreed. Perhaps something like Kerberos Realms is
the right way to go. But it's an sepperate issue.

 In this specific case, I would re-run a script which generates my
.rhosts file; the script includes all the machines it finds in
/etc/hosts that are in specific domains. Inside the Dept. of Stats,
they probably use /etc/hosts.equiv to let everyone cross-rlogin
without needing to know about .rhosts.

| As the addition of non-gateway hosts is much more frequent and often
| distributed, it is convenient for users that authentification is done
| with netgroups of NIS.

 We don't use NIS locally, considering it a vile swill of bugs,
inefficiencies, and security holes; we tend to distribute around
necessary information in other, often more efficient ways.
Unfortunately, we'd like to use netgroups without running NIS, a
feature most vendors have never heard of (NFS permissions is the big
thing here; periodically we hack new mountd's up to do netgroups
without NIS, a fairly minor change if you have source).

--
"If the vendors started doing everything right, we would be out of a
 job.  Let's hear it for OSI and X!  With those babies in the wings,
 we can count on being employed until we drop, or get smart and switch
 to gardening, paper folding, or something."	- C. Philip Wood
cks at hawkwind.utcs.toronto.edu	           ...!{utgpu,utzoo,watmath}!utgpu!cks