nfssec(5)             Standards, Environments, and Macros            nfssec(5)

NAME
       nfssec - overview of NFS security modes

DESCRIPTION
       The mount_nfs(1M) and share_nfs(1M) commands each provide a way to
       specify the security mode to be used on an NFS file system through the
       sec=mode option. mode can be sys, dh, krb5, krb5i, krb5p, or none.
       share_nfs(1M) also accepts a colon-separated list of modes (for
       example, sec=krb5p:krb5i), so a server can export one file system
       under several modes at once. These security modes may also be added to
       the automount maps. Note that mount_nfs(1M) and automount(1M) do not
       support sec=none at this time.

       The sec=mode option on the share_nfs(1M) command line establishes the
       security mode (or list of modes) under which the NFS server exports the
       file system. If the NFS connection uses the NFS Version 3 protocol, the
       NFS client queries the server for the modes the file system is shared
       with and picks one of them. If the NFS connection uses the NFS Version
       2 protocol, the NFS client uses the default security mode, which is
       currently sys. NFS clients may force the use of a specific security
       mode by specifying the sec=mode option on the command line. However,
       if the file system on the server is not shared with that security
       mode, the client may be denied access.

       If the NFS client wants to authenticate the NFS server using a
       particular (stronger) security mode, the client should specify that
       security mode explicitly, even if the connection uses the NFS Version
       3 protocol. The Version 3 mode query is not itself authenticated: a
       client that lets the server choose the mode can be steered to sys by
       whoever answers the query, and sys does not authenticate the server at
       all. Forcing a Kerberos mode ensures that an attacker masquerading as
       the server cannot downgrade the connection and so cannot compromise
       the client.

       The NFS security modes are described below. Of these, the krb5,  krb5i,
       krb5p  modes  use  the Kerberos V5 protocol for authenticating and pro-
       tecting the shared filesystems. Before these can be  used,  the  system
       must be configured to be part of a Kerberos realm. See SEAM(5).

       sys      Use AUTH_SYS authentication. The user's UNIX user-id and
                group-ids are passed in the clear on the network, unauthenti-
                cated by the NFS server: the server trusts whatever identity
                the client presents. This is the simplest security method and
                requires no additional administration. It is the default used
                by Solaris NFS Version 2 clients and Solaris NFS servers.

       dh       Use a Diffie-Hellman public key system (AUTH_DES, which is
                referred to as AUTH_DH in RFC 2695). AUTH_DH relies on
                192-bit Diffie-Hellman keys and DES, both of which are
                considered weak today; prefer one of the Kerberos modes where
                the environment allows it.

       krb5     Use Kerberos V5 protocol to authenticate users before granting
                access to the shared filesystem.

       krb5i    Use Kerberos V5 authentication with integrity checking (check-
                sums) to verify that the data has not been tampered with.

       krb5p    Use Kerberos V5 authentication, integrity checksums, and pri-
                vacy protection (encryption) on the shared filesystem. This
                provides the most secure filesystem sharing, as all traffic is
                encrypted. It should be noted that performance might suffer on
                some systems when using krb5p, depending on the computational
                intensity of the encryption algorithm and the amount of data
                being transferred.

       none     Use null authentication (AUTH_NONE). NFS clients using
                AUTH_NONE have no identity and are mapped to the anonymous
                user nobody by NFS servers. A client using a security mode
                other than one with which a Solaris NFS server shares the
                file system has its security mode mapped to AUTH_NONE. In
                this case, if the file system is also shared with sec=none,
                users from the client are mapped to the anonymous user;
                otherwise the client may be denied access. The NFS security
                mode none is supported by share_nfs(1M), but not by
                mount_nfs(1M) or automount(1M).
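       The following is an added example, not text or code from the
       nfssec(5) manual page or from Solaris. It models, in POSIX shell, how
       the rules above combine: the list of modes a share is exported with,
       the mode an unforced Version 2 or Version 3 client ends up requesting,
       and what the server does with a request whose mode the share does not
       list (mapping to AUTH_NONE when none is shared, otherwise denial). The
       sharetab-style lines are constructed sample data; that an unforced
       Version 3 client takes the first mode in the server's advertised list
       is an assumption of the example, not a statement of this page.

```sh
#!/bin/sh
# Added example (not from nfssec(5) or Solaris): models how sec= on the
# server and client sides combine, per the rules described in the text.
#
# Constructed sharetab-style sample lines: path, resource, fstype, options.
# The first line models   share -F nfs -o sec=krb5p:krb5i,rw /export/home
# and a client forcing    mount -F nfs -o sec=krb5p srv:/export/home /mnt
SHARETAB='/export/home   -  nfs  sec=krb5p:krb5i,rw
/export/pub    -  nfs  sec=sys:none,ro
/export/legacy -  nfs  rw'

# share_modes PATH: print the colon-separated sec= list PATH is shared with
# (sys when the share line has no sec= option); fail if PATH is not shared.
share_modes() {
    opts=$(printf '%s\n' "$SHARETAB" | awk -v p="$1" '$1 == p { print $4 }')
    [ -n "$opts" ] || return 1
    modes=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
    echo "${modes:-sys}"
}

# client_mode NFSVERS EXPLICIT PATH: the mode the client asks the server for.
#   sec=MODE on the mount line wins regardless of protocol version;
#   a Version 3 client with no sec= queries the server and (assumption of
#   this example) takes the first mode in the advertised list;
#   a Version 2 client with no sec= uses the default, sys.
client_mode() {
    if [ -n "$2" ]; then
        echo "$2"
    elif [ "$1" = 3 ]; then
        share_modes "$3" | cut -d: -f1
    else
        echo sys
    fi
}

# server_result PATH MODE: how the server treats a request arriving in MODE.
#   MODE is in the share's list          -> served with MODE
#   otherwise, and the share lists none  -> mapped to AUTH_NONE (user nobody)
#   otherwise                            -> denied
server_result() {
    modes=$(share_modes "$1") || { echo denied; return; }
    case ":$modes:" in
        *":$2:"*)   echo "$2" ;;
        *":none:"*) echo none ;;
        *)          echo denied ;;
    esac
}

# Walk the combinations for the sample shares.
for path in /export/home /export/pub /export/legacy; do
    for vers in 2 3; do
        req=$(client_mode "$vers" "" "$path")
        printf '%-15s v%s default -> %-6s served as %s\n' \
            "$path" "$vers" "$req" "$(server_result "$path" "$req")"
    done
done
# A client that insists on krb5p against a sys:none share is mapped to
# AUTH_NONE (served as nobody) rather than silently downgraded to sys.
printf '%-15s forced krb5p -> %s\n' /export/pub "$(server_result /export/pub krb5p)"
```

       Run it as-is; the walk at the end prints one line per share and
       protocol version. The script never touches a real share table: to
       apply the modelled settings on a system you would use share_nfs(1M)
       and mount_nfs(1M) as shown in the comments, and the sec= option in an
       automount map as described in automount(1M).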

FILES
       /etc/nfssec.conf                NFS security service configuration file

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

SEE ALSO
       automount(1M), mount_nfs(1M), share_nfs(1M), rpc_clnt_auth(3NSL),
       secure_rpc(3NSL), nfssec.conf(4), attributes(5)

NOTES
       /etc/nfssec.conf lists the NFS security services. Do not edit this
       file. It is not intended to be user-configurable.

SunOS 5.10                        10 Jul 2001                        nfssec(5)