'\" te .\" Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. .TH nfssec 5 "28 Nov 2011" "SunOS 5.11" "Standards, Environments, and Macros" .SH NAME nfssec \- overview of NFS security modes .SH DESCRIPTION .sp .LP The \fBmount_nfs\fR(1M) and \fBshare_nfs\fR(1M) commands each provide a way to specify the security mode to be used on an \fBNFS\fR file system through the \fBsec=\fR\fImode\fR option. \fImode\fR can be \fBsys\fR, \fBdh\fR, \fBkrb5\fR, \fBkrb5i\fR, \fBkrb5p\fR, or \fBnone\fR. These security modes can also be added to the automount maps. \fBmount_nfs\fR(1M) allows you to specify a single security mode; \fBshare_nfs\fR(1M) allows you to specify multiple modes (or \fBnone\fR). With multiple modes, an NFS client can choose any of the modes in the list. .sp .LP The \fBsec=\fR\fImode\fR option on the \fBshare_nfs\fR(1M) command line establishes the security mode of \fBNFS\fR servers. If the \fBNFS\fR connection uses the \fBNFS\fR Version 3 protocol, the \fBNFS\fR clients must query the server for the appropriate \fImode\fR to use. If the \fBNFS\fR connection uses the \fBNFS\fR Version 2 protocol, then the \fBNFS\fR client uses the default security mode, which is currently \fBsys\fR. \fBNFS\fR clients may force the use of a specific security mode by specifying the \fBsec=\fR\fImode\fR option on the command line. However, if the file system on the server is not shared with that security mode, the client may be denied access. .sp .LP If the \fBNFS\fR client wants to authenticate the \fBNFS\fR server using a particular (stronger) security mode, the client wants to specify the security mode to be used, even if the connection uses the \fBNFS\fR Version 3 protocol. This guarantees that an attacker masquerading as the server does not compromise the client. .sp .LP The \fBNFS\fR security modes are described below. Of these, the \fBkrb5\fR, \fBkrb5i\fR, \fBkrb5p\fR modes use the Kerberos V5 protocol for authenticating and protecting the shared filesystems. Before these can be used, the system must be configured to be part of a Kerberos realm. See \fBkerberos\fR(5). .sp .ne 2 .mk .na \fB\fBsys\fR\fR .ad .RS 26n .rt Use \fBAUTH_SYS\fR authentication. The user's UNIX user-id and group-ids are passed in the clear on the network, unauthenticated by the \fBNFS\fR server. This is the simplest security method and requires no additional administration. It is the default used by Solaris \fBNFS\fR Version 2 clients and Solaris \fBNFS\fR servers. .RE .sp .ne 2 .mk .na \fB\fBdh\fR\fR .ad .RS 26n .rt Use a Diffie-Hellman public key system (\fBAUTH_DES\fR, which is referred to as \fBAUTH_DH\fR in \fIRFC 2695: Authentication Mechanisms for ONC RPC\fR. .RE .sp .ne 2 .mk .na \fB\fBkrb5\fR\fR .ad .RS 26n .rt Use Kerberos V5 protocol to authenticate users before granting access to the shared filesystem. .RE .sp .ne 2 .mk .na \fB\fBkrb5i\fR\fR .ad .RS 26n .rt Use Kerberos V5 authentication with integrity checking (checksums) to verify that the data has not been tampered with. .RE .sp .ne 2 .mk .na \fB\fBkrb5p\fR\fR .ad .RS 26n .rt User Kerberos V5 authentication, integrity checksums, and privacy protection (encryption) on the shared filesystem. This provides the most secure filesystem sharing, as all traffic is encrypted. It should be noted that performance might suffer on some systems when using \fBkrb5p\fR, depending on the computational intensity of the encryption algorithm and the amount of data being transferred. .RE .sp .ne 2 .mk .na \fB\fBnone\fR\fR .ad .RS 26n .rt Use null authentication (\fBAUTH_NONE\fR). \fBNFS\fR clients using \fBAUTH_NONE\fR have no identity and are mapped to the anonymous user \fBnobody\fR by \fBNFS\fR servers. A client using a security mode other than the one with which a Solaris \fBNFS\fR server shares the file system has its security mode mapped to \fBAUTH_NONE.\fR In this case, if the file system is shared with \fBsec=\fR\fInone,\fR users from the client are mapped to the anonymous user. The \fBNFS\fR security mode \fBnone\fR is supported by \fBshare_nfs\fR(1M). .RE .sp .ne 2 .mk .na \fB\fBsec=\fR\fImode\fR[\fB:\fR\fImode\fR].\|.\|.\fR .ad .RS 26n .rt Sharing uses one or more of the specified security modes. The \fImode\fR in the \fBsec=\fR\fImode\fR option must be a node name supported on the client. If the \fBsec=\fR option is not specified, the default security mode used is \fBAUTH_SYS\fR. Multiple \fBsec=\fR options can be specified on the command line, although each mode can appear only once. .sp Each \fBsec=\fR option specifies modes that apply to any subsequent \fBwindow=, rw, ro, rw=, ro=\fR and \fBroot=\fR options that are provided before another \fBsec=\fRoption. Each additional \fBsec=\fR resets the security mode context, so that more \fBwindow=,\fR \fBrw,\fR \fBro,\fR \fBrw=,\fR \fBro=\fR and \fBroot=\fR options can be supplied for additional modes. .RE .sp .LP The NFSv4 server constructs a shared file system name space which is identical to the real file system name space on the server, including directories which are not actually shared, if they lead to shared directories. The constructed parts of the name space are known as the \fBpseudo-fs\fR. The \fBpseudo-fs\fR is always read-only. .sp .LP As with NFSv3, the security mode of the shared directory is controlled using the \fBsec=\fR\fImode\fR option of \fBshare_nfs\fR(1M). However, the security mode of \fBpseudo-fs\fR objects is the union of the various security modes of the shared directories below. .sp .LP When an NFSv4 client performs a mount, the client traverses the server's name space, from the root, down to the directory being mounted. Using the features of the NFSv4 protocol, the client may negotiate the security flavor of the directories as it proceeds down. If no \fBsec=\fR\fImode\fR option is given to \fBmount_nfs\fR or an automounter map entry, then the client will do full negotiation for each directory down to the mount point, changing security flavors as needed. If \fBsec=\fR\fImode\fR option is given, the client is constrained to use the requested security mode for all operations. .SH EXAMPLES .LP \fBExample 1 \fRSharing \fB/var\fR with Kerberos Authentication and Integrity Protection .sp .LP The following example shares \fB/var\fR with Kerberos authentication and integrity protection: .sp .in +2 .nf share -F nfs -o sec=krb5i /var .fi .in -2 .sp .LP \fBExample 2 \fRSharing \fB/var\fR with Kerberos Authentication and Privacy Protection .sp .LP The following example shares\fB/var\fR with Kerberos authentication and privacy protection: .sp .in +2 .nf share -F nfs -o sec=krb5p /var .fi .in -2 .sp .LP \fBExample 3 \fRSharing \fB/var\fR with Kerberos Authentication and Optionally Falling Back to \fBAUTH_SYS\fR Authentication .sp .LP The following example shares \fB/var\fR with Kerberos authentication and optionally falls back to \fBAUTH_SYS\fR authentication: .sp .in +2 .nf share -F nfs -o sec=krb5:sys /var .fi .in -2 .sp .LP \fBExample 4 \fRSharing \fB/var\fR with Kerberos Authentication Allowing read/write Operations for Kerberos Authenticated Users and Optionally Falling Back to \fBAUTH_SYS\fR Authentication Allowing only Read Operations .sp .LP The following example shares \fB/var\fR with Kerberos authentication allowing read/write operations for Kerberos authenticated users and optionally falls back to \fBAUTH_SYS\fR authentication allowing only read operations: .sp .in +2 .nf share -F nfs -o sec=krb5,rw,sec=sys,ro /var .fi .in -2 .sp .SH FILES .sp .ne 2 .mk .na \fB\fB/etc/nfssec.conf\fR\fR .ad .RS 20n .rt \fBNFS\fR security service configuration file .RE .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS tab() box; lw(2.75i) lw(2.75i) lw(2.75i) lw(2.75i) . ATTRIBUTE TYPEATTRIBUTE VALUE Availabilitysystem/file-system/nfs .TE .SH SEE ALSO .sp .LP \fBautomount\fR(1M), \fBkclient\fR(1M), \fBmount_nfs\fR(1M), \fBshare_nfs\fR(1M), \fBrpc_clnt_auth\fR(3NSL), \fBsecure_rpc\fR(3NSL), \fBnfssec.conf\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5) .sp .LP \fIRFC 2695: Authentication Mechanisms for ONC RPC\fR .SH NOTES .sp .LP \fB/etc/nfssec.conf\fR lists the \fBNFS\fR security services. Do not edit this file. It is not intended to be user-configurable. See \fBkclient\fR(1M).