nfssec.5 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

nfssec(5) nfssec(5)

NAME

nfssec - overview of NFS security modes

DESCRIPTION

The mount_nfs (1M) and share_nfs (1M) commands each provide a way to specify the security mode to be

used on an NFS ﬁlesystem through the

sec=mode option. mode can be either sys, dh, krb5, krb5i,

krb5p,ornone. These security modes may also be added to the automount maps. Note that

mount_nfs (1M) and automount (1M) do not support

sec=none at this time.

The

sec=mode option on the share_nfs (1M) command line establishes the security mode of NFS servers.

If the NFS connection uses the NFS Version 3 protocol, the NFS clients must query the server for the

appropriate mode to use. If the NFS connection uses the NFS Version 2 protocol, then the NFS client

uses the default security mode, which is currently

sys. NFS clients may force the use of a speciﬁc secu-

rity mode by specifying the

sec=mode option on the command line. However, if the ﬁlesystem on the

server is not shared with that security mode, the client may be denied access.

If the NFS client wants to authenticate the NFS server using a particular (stronger) security mode, the

client wants to specify the security mode to be used, even if the connection uses the NFS Version 3 proto-

col. This guarantees that an attacker masquerading as the server does not compromise the client.

The NFS security modes are described below. Of these, the

krb5, krb5i, krb5p modes use the Ker-

beros V5 protocol for authenticating and protecting the shared ﬁlesystems. Before these can be used, the

system must be conﬁgured to be part of a Kerberos realm.

sys Use AUTH_SYS authentication. The user’s UNIX user-id and group-ids are passed in the clear

on the network, unauthenticated by the NFS server . This is the simplest security method and

requires no additional administration. It is the default used by HP-UX NFS Version 2 clients

and HP-UX NFS servers.

dh Use a Difﬁe-Hellman public key system (AUTH_DES, which is referred to as

AUTH_DH in the

forthcoming Internet RFC).

krb5 Use Kerberos V5 protocol to authenticate users before granting access to the shared ﬁlesystem.

krb5i Use Kerberos V5 authentication with integrity checking (checksums) to verify that the data

has not been tampered with.

krb5p User Kerberos V5 authentication, integrity checksums, and privacy protection (encryption) on

the shared ﬁlesystem. This provides the most secure ﬁlesystem sharing, as all trafﬁc is

encrypted. It should be noted that performance might suffer on some systems when using

krb5p, depending on the computational intensity of the encryption algorithm and the amount

of data being transferred.

none Use null authentication (

AUTH_NONE). NFS clients using AUTH_NONE have no identity and

are mapped to the anonymous user

nobody by NFS servers. A client using a security mode

other than the one with which an HP-UX NFS server shares the ﬁlesystem has its security

mode mapped to AUTH_NONE. In this case, if the ﬁlesystem is shared with sec=none

, users

from the client are mapped to the anonymous user.

WARNINGS

/etc/nfssec.conf lists the NFS security services. Do not edit this ﬁle. It is not intended to be user-

conﬁgurable.

FILES

/etc/nfssec.conf NFS security service conﬁguration ﬁle

Summary of content (2 pages)

PAGE 1
nfssec(5) nfssec(5) NAME nfssec - overview of NFS security modes DESCRIPTION The mount_nfs (1M) and share_nfs (1M) commands each provide a way to specify the security mode to be used on an NFS filesystem through the sec=mode option. mode can be either sys, dh, krb5, krb5i, krb5p, or none. These security modes may also be added to the automount maps. Note that mount_nfs (1M) and automount (1M) do not support sec=none at this time.
PAGE 2
(Notes) A (Notes) nA 2 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010