Standards, Environments, and Macros nfssec(5)
NAME
nfssec - overview of NFS security modes
DESCRIPTION
The mount_nfs(1M) and share_nfs(1M) commands each provide a
way to specify the security mode to be used on an NFS file system through the sec=mode option. mode can be sys, dh, krb5, krb5i, krb5p, or none. These security modes can alsobe added to the automount maps. Note that mount_nfs(1M) and
automount(1M) do not support sec=none at this time.mount_nfs(1M) allows you to specify a single security mode;
share_nfs(1M) allows you to specify multiple modes (or
none). With multiple modes, an NFS client can choose any of the modes in the list.The sec=mode option on the share_nfs(1M) command line estab-
lishes the security mode ofNFS servers. If the NFS connec-
tion uses the NFS Version 3 protocol, the NFS clients must query the server for the appropriate mode to use. If the NFS connection uses the NFS Version 2 protocol, then the NFS client uses the default security mode, which is currently sys. NFS clients may force the use of a specific security mode by specifying the sec=mode option on the command line. However, if the file system on the server is not shared with that security mode, the client may be denied access. If the NFS client wants to authenticate the NFS server using a particular (stronger) security mode, the client wants to specify the security mode to be used, even if the connection uses the NFS Version 3 protocol. This guarantees that an attacker masquerading as the server does not compromise the client. The NFS security modes are described below. Of these, the krb5, krb5i, krb5p modes use the Kerberos V5 protocol for authenticating and protecting the shared filesystems. Before these can be used, the system must be configured to be part of a Kerberos realm. See kerberos(5).sys Use AUTH_SYS authentication. The
user's UNIX user-id and group-ids
are passed in the clear on the network, unauthenticated by the NFS server. This is the simplest security method and requires no additional administration. It is the default used by Solaris NFS Version 2 clients and Solaris NFS servers.SunOS 5.11 Last change: 18 Feb 2010 1
Standards, Environments, and Macros nfssec(5)
dh Use a Diffie-Hellman public key
system (AUTH_DES, which is
referred to as AUTH_DH in RFC
2695: Authentication Mechanisms for ONC RPC. krb5 Use Kerberos V5 protocol to authenticate users before granting access to the shared filesystem. krb5i Use Kerberos V5 authenticationwith integrity checking (check-
sums) to verify that the data has not been tampered with. krb5p User Kerberos V5 authentication, integrity checksums, and privacy protection (encryption) on the shared filesystem. This providesthe most secure filesystem shar-
ing, as all traffic is encrypted.It should be noted that perfor-
mance might suffer on some systems when using krb5p, depending on the computational intensity of the encryption algorithm and the amount of data being transferred. none Use null authentication(AUTH_NONE). NFS clients using
AUTH_NONE have no identity and are
mapped to the anonymous user nobody by NFS servers. A client using a security mode other than the one with which a Solaris NFS server shares the file system has its security mode mapped toAUTH_NONE. In this case, if the
file system is shared with sec=none, users from the client are mapped to the anonymous user.The NFS security mode none is sup-
ported by share_nfs(1M), but not
by mount_nfs(1M) or automount(1M).
sec=mode[:mode]... Sharing uses one or more of the specified security modes. The modeSunOS 5.11 Last change: 18 Feb 2010 2
Standards, Environments, and Macros nfssec(5)
in the sec=mode option must be a node name supported on the client.If the sec= option is not speci-
fied, the default security modeused is AUTH_SYS. Multiple sec=
options can be specified on the command line, although each mode can appear only once. Each sec= option specifies modesthat apply to any subsequent win-
dow=, rw, ro, rw=, ro= and root= options that are provided beforeanother sec=option. Each addi-
tional sec= resets the securitymode context, so that more win-
dow=, rw, ro, rw=, ro= and root=options can be supplied for addi-
tional modes.EXAMPLES
Example 1 Sharing /var with Kerberos Authentication and Integrity ProtectionThe following example shares /var with Kerberos authentica-
tion and integrity protection:share -F nfs -o sec=krb5i /var
Example 2 Sharing /var with Kerberos Authentication and Privacy ProtectionThe following example shares/var with Kerberos authentica-
tion and privacy protection:share -F nfs -o sec=krb5p /var
Example 3 Sharing /var with Kerberos Authentication andOptionally Falling Back to AUTH_SYS Authentication
The following example shares /var with Kerberos authentica-
tion and optionally falls back to AUTH_SYS authentication:
SunOS 5.11 Last change: 18 Feb 2010 3
Standards, Environments, and Macros nfssec(5)
share -F nfs -o sec=krb5:sys /var
Example 4 Sharing /var with Kerberos Authentication Allowing read/write Operations for Kerberos Authenticated Users andOptionally Falling Back to AUTH_SYS Authentication Allowing
only Read OperationsThe following example shares /var with Kerberos authentica-
tion allowing read/write operations for Kerberos authenti-
cated users and optionally falls back to AUTH_SYS authenti-
cation allowing only read operations:share -F nfs -o sec=krb5,rw,sec=sys,ro /var
FILES/etc/nfssec.conf NFS security service configuration file
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE ATTRIBUTE VALUE |
| Availability system/file-system/nfs |
|___________________________________________________________|
SEE ALSO
automount(1M), kclient(1M), mount_nfs(1M), share_nfs(1M),
rpc_clnt_auth(3NSL), secure_rpc(3NSL), nfssec.conf(4),
attributes(5), kerberos(5) RFC 2695: Authentication Mechanisms for ONC RPC NOTES/etc/nfssec.conf lists the NFS security services. Do not
edit this file. It is not intended to be user-configurable.
See kclient(1M).SunOS 5.11 Last change: 18 Feb 2010 4