

Standards, Environments, and Macros                     nfssec(5)



NAME
     nfssec - overview of NFS security modes

DESCRIPTION
     The mount_nfs(1M) and share_nfs(1M) commands each provide a
     way to specify the security mode to be used on an NFS file
     system through the sec=mode option. mode can be sys, dh,
     krb5, krb5i, krb5p, or none. These security modes can also
     be added to the automount maps. Note that mount_nfs(1M) and
     automount(1M) do not support sec=none at this time.
     mount_nfs(1M) allows you to specify a single security mode;
     share_nfs(1M) allows you to specify multiple modes (or
     none). With multiple modes, an NFS client can choose any of
     the modes in the list.


     The sec=mode option on the share_nfs(1M) command line
     establishes the security mode of NFS servers. If the NFS
     connection uses the NFS Version 3 protocol, the NFS clients
     must query the server for the appropriate mode to use. If the
     NFS connection uses the NFS Version 2 protocol, then the NFS
     client uses the default security mode, which is currently
     sys. NFS clients may force the use of a specific security
     mode by specifying the sec=mode option on the command line.
     However, if the file system on the server is not shared with
     that security mode, the client may be denied access.


     If the NFS client wants to authenticate the NFS server using
     a particular (stronger) security mode, the client should
     specify the security mode to be used, even if the connection
     uses the NFS Version 3 protocol. This guarantees that an
     attacker masquerading as the server does not compromise the
     client.


     The NFS security modes are described below.  Of  these,  the
     krb5,  krb5i,  krb5p  modes use the Kerberos V5 protocol for
     authenticating and protecting the shared filesystems. Before
     these  can be used, the system must be configured to be part
     of a Kerberos realm. See kerberos(5).

     sys      Use AUTH_SYS authentication. The user's UNIX user-id
              and group-ids are passed in the clear on the
              network, unauthenticated by the NFS server. This is
              the simplest security method and requires no
              additional administration. It is the default used by
              Solaris NFS Version 2 clients and Solaris NFS
              servers.






SunOS 5.11          Last change: 16 Mar 2009                    1









     dh       Use a Diffie-Hellman public key system (AUTH_DES,
              which is referred to as AUTH_DH in the forthcoming
              Internet RFC).


     krb5     Use Kerberos  V5  protocol  to  authenticate  users
              before granting access to the shared filesystem.


     krb5i    Use  Kerberos  V5  authentication  with   integrity
              checking  (checksums)  to  verify that the data has
              not been tampered with.


     krb5p    Use Kerberos V5 authentication, integrity checksums,
              and privacy protection (encryption) on the
              shared filesystem. This provides the most secure
              filesystem sharing, as all traffic is encrypted.
              Performance might suffer on some systems when using
              krb5p, depending on the computational intensity of
              the encryption algorithm and the amount of data
              being transferred.


     none     Use null authentication (AUTH_NONE). NFS clients
              using AUTH_NONE have no identity and are mapped to
              the anonymous user nobody by NFS servers. A client
              using a security mode other than the one with which
              a Solaris NFS server shares the file system has its
              security mode mapped to AUTH_NONE. In this case, if
              the file system is shared with sec=none, users from
              the client are mapped to the anonymous user. The
              NFS security mode none is supported by
              share_nfs(1M), but not by mount_nfs(1M) or
              automount(1M).
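
     The mode rules above, worked through as an added example that
     is not part of the original man page. The function names and
     the sample shares are hypothetical; the input is a path plus a
     share_nfs(1M) option string with colon-separated sec= lists.

```sh
#!/bin/sh
# Added example: apply the nfssec(5) mode rules to share option strings.

# List every mode a share offers, one per line. Handles colon-separated
# lists and repeated sec= clauses; with no sec= clause the server
# default, sys, applies.
sec_modes() {
    modes=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | tr ':' '\n')
    printf '%s\n' "${modes:-sys}"
}

offers() {   # $1 = option string, $2 = mode; true if the share lists it
    sec_modes "$1" | grep -qxF "$2"
}

# Outcome for a client that forces sec=$2 against a share with options $1.
client_outcome() {
    if offers "$1" "$2"; then
        echo "access:$2"
    elif offers "$1" none; then
        echo "anonymous"   # mode mapped to AUTH_NONE, user becomes nobody
    else
        echo "denied"
    fi
}

# Flag shares whose list lets a client choose an unauthenticated mode,
# which makes any stronger mode in the same list optional.
audit_share() {   # $1 = path, $2 = option string
    weak=""
    offers "$2" sys  && weak="$weak sys"
    offers "$2" none && weak="$weak none"
    if [ -n "$weak" ]; then
        echo "WEAK $1:$weak"
    else
        echo "OK $1"
    fi
}

# Constructed sample shares: path, then option string.
audit_all() {
    while read -r path opts; do
        audit_share "$path" "$opts"
    done <<'EOF'
/export/home sec=krb5p,rw
/export/proj sec=krb5i:sys,rw
/export/pub sec=krb5,rw=eng,sec=none,ro
/export/tmp rw
EOF
}
audit_all
```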


FILES
     /etc/nfssec.conf    NFS security service configuration file


ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

     ATTRIBUTE TYPE                ATTRIBUTE VALUE
     Availability                  SUNWnfscr
    


SEE ALSO
     automount(1M), kclient(1M), mount_nfs(1M), share_nfs(1M),
     rpc_clnt_auth(3NSL), secure_rpc(3NSL), nfssec.conf(4),
     attributes(5), kerberos(5)

NOTES
     /etc/nfssec.conf lists the NFS security services. Do not
     edit this file. It is not intended to be user-configurable.
     See kclient(1M).







































