nfssec(5) Standards, Environments, and Macros nfssec(5)
NAME
nfssec - overview of NFS security modes
DESCRIPTION
The mount_nfs(1M) and share_nfs(1M) commands each provide a way to
specify the security mode to be used on an NFS file system through the
sec=mode option. mode can be sys, dh, krb5, krb5i, krb5p, or none.
These security modes can also be added to the automount maps. Note that
mount_nfs(1M) and automount(1M) do not support sec=none at this time.
mount_nfs(1M) allows you to specify a single security mode;
share_nfs(1M) allows you to specify multiple modes (or none). With
multiple modes, an NFS client can choose any of the modes in the list.
The sec=mode option on the share_nfs(1M) command line establishes the
security mode of NFS servers. If the NFS connection uses the NFS Version
3 protocol, the NFS clients must query the server for the appropriate
mode to use. If the NFS connection uses the NFS Version 2 protocol,
then the NFS client uses the default security mode, which is currently
sys. NFS clients may force the use of a specific security mode by
specifying the sec=mode option on the command line. However, if the file
system on the server is not shared with that security mode, the client
may be denied access.
If the NFS client wants to authenticate the NFS server using a
particular (stronger) security mode, the client should specify the
security mode to be used explicitly, even if the connection uses the NFS
Version 3 protocol. Otherwise the client accepts whatever mode the
server reports, so specifying the mode guarantees that an attacker
masquerading as the server does not compromise the client.
The NFS security modes are described below. Of these, the krb5, krb5i,
and krb5p modes use the Kerberos V5 protocol for authenticating and
protecting the shared filesystems. Before these can be used, the system
must be configured to be part of a Kerberos realm. See kerberos(5).
sys Use AUTH_SYS authentication. The user's UNIX
user-id and group-ids are passed in the clear
on the network, unauthenticated by the NFS
server. This is the simplest security method
and requires no additional administration. It
is the default used by Solaris NFS Version 2
clients and Solaris NFS servers.
dh Use a Diffie-Hellman public key system
(AUTH_DES, which is referred to as AUTH_DH in
RFC 2695: Authentication Mechanisms for ONC
RPC).
krb5 Use Kerberos V5 protocol to authenticate
users before granting access to the shared
filesystem.
krb5i Use Kerberos V5 authentication with integrity
checking (checksums) to verify that the data
has not been tampered with.
krb5p Use Kerberos V5 authentication, integrity
checksums, and privacy protection (encryption)
on the shared filesystem. This provides
the most secure filesystem sharing, as all
traffic is encrypted. It should be noted that
performance might suffer on some systems when
using krb5p, depending on the computational
intensity of the encryption algorithm and the
amount of data being transferred.
none Use null authentication (AUTH_NONE). NFS
clients using AUTH_NONE have no identity and
are mapped to the anonymous user nobody by
NFS servers. A client using a security mode
other than the one with which a Solaris NFS
server shares the file system has its
security mode mapped to AUTH_NONE. In this case,
if the file system is shared with sec=none,
users from the client are mapped to the
anonymous user. The NFS security mode none is
supported by share_nfs(1M), but not by
mount_nfs(1M) or automount(1M).
sec=mode[:mode]... Sharing uses one or more of the specified
security modes. The mode in the sec=mode
option must be a mode name supported on the
client. If the sec= option is not specified,
the default security mode used is AUTH_SYS.
Multiple sec= options can be specified on the
command line, although each mode can appear
only once.
Each sec= option specifies modes that apply
to any subsequent window=, rw, ro, rw=, ro=
and root= options that are provided before
another sec=option. Each additional sec=
resets the security mode context, so that
more window=, rw, ro, rw=, ro= and root=
options can be supplied for additional modes.
EXAMPLES
Example 1 Sharing /var with Kerberos Authentication and Integrity
Protection
The following example shares /var with Kerberos authentication and
integrity protection:
share -F nfs -o sec=krb5i /var
Example 2 Sharing /var with Kerberos Authentication and Privacy
Protection
The following example shares /var with Kerberos authentication and
privacy protection:
share -F nfs -o sec=krb5p /var
Example 3 Sharing /var with Kerberos Authentication and Optionally
Falling Back to AUTH_SYS Authentication
The following example shares /var with Kerberos authentication and
optionally falls back to AUTH_SYS authentication:
share -F nfs -o sec=krb5:sys /var
Example 4 Sharing /var with Kerberos Authentication Allowing read/write
Operations for Kerberos Authenticated Users and Optionally Falling Back
to AUTH_SYS Authentication Allowing only Read Operations
The following example shares /var with Kerberos authentication allowing
read/write operations for Kerberos authenticated users and optionally
falls back to AUTH_SYS authentication allowing only read operations:
share -F nfs -o sec=krb5,rw,sec=sys,ro /var
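The sec= context rules above (each sec= resets the set of modes that later rw, ro, rw=, ro=, root= and window= options apply to) are easy to get wrong when a share line grows long. The following is an added example, not code from the Solaris man page or its NFS sources: a small Python model of that grouping that can be run over an intended share -o string before it is applied, and that flags modes given rw without Kerberos. How options placed before the first sec= are treated is an assumption of the model, as the page does not say.

```python
# Added example, not code from the Solaris man page or its NFS sources:
# a model of how share_nfs(1M) attaches access options to sec= contexts.

VALID_MODES = ("sys", "dh", "krb5", "krb5i", "krb5p", "none")
KERBEROS_MODES = ("krb5", "krb5i", "krb5p")


def parse_share_options(optstring):
    """Split a share -o string into sec= contexts.

    Returns a list of {"modes": [...], "options": [...]} dicts. Each sec=
    opens a new context; the rw, ro, rw=, ro=, root= and window= options
    that follow belong to it until the next sec=. A string with no sec=
    gets the default AUTH_SYS context; options seen before the first sec=
    are also assigned to an AUTH_SYS context (an assumption of this model).
    Raises ValueError for an unknown mode or a mode listed twice.
    """
    contexts, seen = [], set()
    for opt in filter(None, (o.strip() for o in optstring.split(","))):
        if opt.startswith("sec="):
            modes = opt[len("sec="):].split(":")
            for mode in modes:
                if mode not in VALID_MODES:
                    raise ValueError("unknown security mode: %s" % mode)
                if mode in seen:
                    raise ValueError("mode listed more than once: %s" % mode)
                seen.add(mode)
            contexts.append({"modes": modes, "options": []})
        else:
            if not contexts:
                contexts.append({"modes": ["sys"], "options": []})
            contexts[-1]["options"].append(opt)
    return contexts or [{"modes": ["sys"], "options": []}]


def access_for_mode(contexts, mode):
    """Options a client negotiating `mode` receives, or None when the share
    does not offer that mode (the server then maps the client to AUTH_NONE)."""
    for ctx in contexts:
        if mode in ctx["modes"]:
            return ctx["options"]
    return None


def non_kerberos_rw_modes(contexts):
    """Modes granted an explicit rw or rw= without Kerberos authentication,
    e.g. sys, whose user and group ids the server never authenticates."""
    flagged = []
    for ctx in contexts:
        if any(o == "rw" or o.startswith("rw=") for o in ctx["options"]):
            flagged += [m for m in ctx["modes"] if m not in KERBEROS_MODES]
    return flagged
```

Run against Example 4, parse_share_options("sec=krb5,rw,sec=sys,ro") yields rw for krb5 and ro for sys, so non_kerberos_rw_modes reports nothing; "sec=krb5:sys,rw" would report sys, since both modes share one context.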
FILES
/etc/nfssec.conf NFS security service configuration file
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE
Availability system/file-system/nfs
SEE ALSO
automount(1M), kclient(1M), mount_nfs(1M), share_nfs(1M),
rpc_clnt_auth(3NSL), secure_rpc(3NSL), nfssec.conf(4), attributes(5),
kerberos(5)
RFC 2695: Authentication Mechanisms for ONC RPC
NOTES
/etc/nfssec.conf lists the NFS security services. Do not edit this
file. It is not intended to be user-configurable. See kclient(1M).
SunOS 5.10 18 Feb 2010 nfssec(5)