NAME
nfssec — overview of NFS security modes
DESCRIPTION
The mount_nfs(1M) and share_nfs(1M) commands each provide a way to specify the security mode to be used on an NFS filesystem through the sec=mode option. mode can be either sys, dh, krb5, krb5i, krb5p, or none. These security modes may also be added to the automount maps.

Note that mount_nfs(1M) and automount(1M) do not support sec=none at this time.
The sec=mode option on the share_nfs(1M) command line establishes the security mode of NFS servers. If the NFS connection uses the NFS Version 3 protocol, the NFS clients must query the server for the appropriate mode to use. If the NFS connection uses the NFS Version 2 protocol, then the NFS client uses the default security mode, which is currently sys.

NFS clients may force the use of a specific security mode by specifying the sec=mode option on the command line. However, if the filesystem on the server is not shared with that security mode, the client may be denied access.

If the NFS client wants to authenticate the NFS server using a particular (stronger) security mode, the client should specify the security mode to be used, even if the connection uses the NFS Version 3 protocol. This guarantees that an attacker masquerading as the server does not compromise the client.
The NFS security modes are described below. Of these, the krb5, krb5i, and krb5p modes use the Kerberos V5 protocol for authenticating and protecting the shared filesystems. Before these can be used, the system must be configured to be part of a Kerberos realm.
- sys
Use AUTH_SYS authentication. The user's UNIX user-id and group-ids are passed in the clear on the network, unauthenticated by the NFS server. This is the simplest security method and requires no additional administration. It is the default used by HP-UX NFS Version 2 clients and HP-UX NFS servers.
- dh
Use a Diffie-Hellman public key system (AUTH_DES, which is referred to as AUTH_DH in the forthcoming Internet RFC).
- krb5
Use Kerberos V5 protocol to authenticate users before granting access to the shared filesystem.
- krb5i
Use Kerberos V5 authentication with integrity checking (checksums) to verify that the data has not been tampered with.
- krb5p
Use Kerberos V5 authentication, integrity checksums, and privacy protection (encryption) on the shared filesystem. This provides the most secure filesystem sharing, as all traffic is encrypted. It should be noted that performance might suffer on some systems when using krb5p, depending on the computational intensity of the encryption algorithm and the amount of data being transferred.
- none
Use null authentication (AUTH_NONE). NFS clients using AUTH_NONE have no identity and are mapped to the anonymous user nobody by NFS servers.

A client using a security mode other than the one with which an HP-UX NFS server shares the filesystem has its security mode mapped to AUTH_NONE. In this case, if the filesystem is shared with sec=none, users from the client are mapped to the anonymous user.
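The following Python model is an added illustration of the negotiation and mapping rules described above; it is not part of this manual page or of HP-UX. The function names, the rule that an unpinned Version 3 client takes the first mode the server lists, and the return-value conventions are assumptions made for the example.

```python
# Added example: a small model of NFS security-mode negotiation and the
# server-side mapping to AUTH_NONE, following the rules in nfssec(4).
# All names and the "first listed mode wins" rule are assumptions.

MODES = ("sys", "dh", "krb5", "krb5i", "krb5p", "none")
DEFAULT_MODE = "sys"             # what an NFS Version 2 client uses (no query)
CLIENT_UNSUPPORTED = ("none",)   # mount_nfs/automount do not accept sec=none


def negotiate(server_modes, nfs_version, client_sec=None):
    """Return the security mode the client will try.

    server_modes: modes the server shares the filesystem with (sec= on share_nfs)
    nfs_version:  2 or 3
    client_sec:   mode forced with sec=mode on mount_nfs, or None for no preference
    """
    for m in server_modes:
        if m not in MODES:
            raise ValueError("unknown security mode: %s" % m)
    if client_sec is not None:
        if client_sec in CLIENT_UNSUPPORTED:
            raise ValueError("mount_nfs does not support sec=%s" % client_sec)
        return client_sec              # client forces a mode; server decides on access
    if nfs_version == 3:
        return server_modes[0]         # client queries the server (assumption: first listed)
    return DEFAULT_MODE                # Version 2: no query, use the default


def access(server_modes, client_mode):
    """Map a request the way the page says an HP-UX server does.

    Returns ("ok", mode), ("anonymous", "nobody") or ("denied", None).
    """
    if client_mode in server_modes and client_mode != "none":
        return ("ok", client_mode)
    # Any other mode (and AUTH_NONE itself) leaves the user without identity;
    # the server only accepts that if the share includes sec=none.
    if "none" in server_modes:
        return ("anonymous", "nobody")
    return ("denied", None)


def talks_unauthenticated(rogue_modes, nfs_version, client_sec=None):
    """True if the client ends up using AUTH_SYS with a server that offers
    nothing stronger: the masquerading-server case the page warns about."""
    mode = negotiate(rogue_modes, nfs_version, client_sec)
    status, used = access(rogue_modes, mode)
    return status == "ok" and used == "sys"
```

Pinning sec=krb5p on the client turns the rogue-server case into a denial instead of an unauthenticated AUTH_SYS session, which is the point of the advice above.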
WARNINGS
/etc/nfssec.conf lists the NFS security services. Do not edit this file. It is not intended to be user-configurable.
FILES
- /etc/nfs/nfsec.conf
NFS security service configuration file