nfssec(5)             Standards, Environments, and Macros            nfssec(5)


NAME

       nfssec - overview of NFS security modes

DESCRIPTION

       The mount_nfs(1M) and share_nfs(1M) commands each provide a way to
       specify the security mode to be used on an NFS file system through the
       sec=mode option. mode can be sys, dh, krb5, krb5i, krb5p, or none.
       These security modes can also be added to the automount maps. Note that
       mount_nfs(1M) and automount(1M) do not support sec=none at this time.
       mount_nfs(1M) allows you to specify a single security mode;
       share_nfs(1M) allows you to specify multiple modes (or none). With
       multiple modes, an NFS client can choose any of the modes in the list.

       The sec=mode option on the share_nfs(1M) command line establishes the
       security mode of NFS servers. If the NFS connection uses the NFS
       Version 3 protocol, the NFS clients must query the server for the
       appropriate mode to use. If the NFS connection uses the NFS Version 2
       protocol, then the NFS client uses the default security mode, which is
       currently sys. NFS clients may force the use of a specific security
       mode by specifying the sec=mode option on the command line. However, if
       the file system on the server is not shared with that security mode,
       the client may be denied access.

       If the NFS client wants to authenticate the NFS server using a
       particular (stronger) security mode, the client should specify the
       security mode to be used, even if the connection uses the NFS Version 3
       protocol. This guarantees that an attacker masquerading as the server
       does not compromise the client.

       The NFS security modes are described below. Of these, the krb5, krb5i,
       and krb5p modes use the Kerberos V5 protocol for authenticating and
       protecting the shared filesystems. Before these can be used, the system
       must be configured to be part of a Kerberos realm. See kerberos(5).

       sys      Use AUTH_SYS authentication. The user's UNIX user-id and
                group-ids are passed in the clear on the network,
                unauthenticated by the NFS server. This is the simplest
                security method and requires no additional administration. It
                is the default used by Solaris NFS Version 2 clients and
                Solaris NFS servers.

       dh       Use a Diffie-Hellman public key system (AUTH_DES, which is
                referred to as AUTH_DH in the forthcoming Internet RFC).

       krb5     Use Kerberos V5 protocol to authenticate users before granting
                access to the shared filesystem.

       krb5i    Use Kerberos V5 authentication with integrity checking
                (checksums) to verify that the data has not been tampered
                with.

       krb5p    Use Kerberos V5 authentication, integrity checksums, and
                privacy protection (encryption) on the shared filesystem. This
                provides the most secure filesystem sharing, as all traffic is
                encrypted. Performance might suffer on some systems when using
                krb5p, depending on the computational intensity of the
                encryption algorithm and the amount of data being transferred.

       none     Use null authentication (AUTH_NONE). NFS clients using
                AUTH_NONE have no identity and are mapped to the anonymous
                user nobody by NFS servers. A client using a security mode
                other than the one with which a Solaris NFS server shares the
                file system has its security mode mapped to AUTH_NONE. In this
                case, if the file system is shared with sec=none, users from
                the client are mapped to the anonymous user. The NFS security
                mode none is supported by share_nfs(1M), but not by
                mount_nfs(1M) or automount(1M).
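
       Because a client can choose any mode in a share_nfs(1M) list, a share
       is only as strong as the weakest mode it offers. The following added
       example (not part of the original manual page) audits dfstab-style
       share lines for that; the strength ordering, the colon-separated sec=
       list syntax of share_nfs(1M), and the sample lines are assumptions of
       the example.

```shell
# Added example: report shares whose weakest allowed sec= mode is too weak.
# The ranking below is this example's assumption, read from the descriptions
# above (krb5p strongest; sys and none unauthenticated).
mode_rank() {
    case "$1" in
        none) echo 0 ;; sys) echo 1 ;; dh) echo 2 ;;
        krb5) echo 3 ;; krb5i) echo 4 ;; krb5p) echo 5 ;;
        *) echo -1 ;;                  # unknown mode: treat as weakest
    esac
}

# weakest_mode OPTS: OPTS is the comma-separated -o string of a share line.
# Every sec= clause is scanned; with no sec= the server default (sys) applies.
weakest_mode() {
    weakest=""; weakest_rank=99; old_ifs=$IFS
    IFS=,
    for opt in $1; do
        case "$opt" in
            sec=*)
                IFS=:                  # modes in one clause are ':'-separated
                for m in ${opt#sec=}; do
                    r=$(mode_rank "$m")
                    if [ "$r" -lt "$weakest_rank" ]; then
                        weakest=$m; weakest_rank=$r
                    fi
                done
                IFS=, ;;
        esac
    done
    IFS=$old_ifs
    echo "${weakest:-sys}"
}

# audit_shares MIN: read share lines on stdin and print "PATH MODE" for each
# share that lets a client pick a mode ranked below MIN.
audit_shares() {
    min_rank=$(mode_rank "$1")
    while read -r cmd rest; do
        [ "$cmd" = share ] || continue
        opts=""; path=""; prev=""
        for tok in $rest; do           # option string follows -o, path is last
            [ "$prev" = "-o" ] && opts=$tok
            prev=$tok; path=$tok
        done
        w=$(weakest_mode "$opts")
        [ "$(mode_rank "$w")" -ge "$min_rank" ] || echo "$path $w"
    done
}

sample_dfstab() {                      # constructed sample share lines
    printf '%s\n' 'share -F nfs -o sec=krb5p,rw /export/secure' \
        'share -F nfs -o sec=krb5i:sys,rw /export/home' \
        'share -F nfs -o ro /export/docs' \
        'share -F nfs -o sec=krb5p,rw=hostA,sec=none,ro /export/pub'
}
sample_dfstab | audit_shares krb5
```

       On the client side, mounting with an explicit sec=mode, as described
       above, keeps the client from using a weaker mode that the server also
       lists.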

FILES

       /etc/nfssec.conf    NFS security service configuration file

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌───────────────────────────────────────────────────────────┐
       │ATTRIBUTE TYPE                ATTRIBUTE VALUE              │
       │Availability                  SUNWnfscr                    │
       └───────────────────────────────────────────────────────────┘

SEE ALSO

       automount(1M), kclient(1M), mount_nfs(1M), share_nfs(1M),
       rpc_clnt_auth(3NSL), secure_rpc(3NSL), nfssec.conf(4), attributes(5),
       kerberos(5)

NOTES

       /etc/nfssec.conf lists the NFS security services. Do not edit this
       file. It is not intended to be user-configurable. See kclient(1M).

SunOS 5.11                        16 Mar 2009                        nfssec(5)