nfssec man page on SmartOS


NFSSEC(5)							     NFSSEC(5)

NAME
       nfssec - overview of NFS security modes

DESCRIPTION
       The mount_nfs(1M) and share_nfs(1M) commands each provide a way to
       specify the security mode to be used on an NFS file system through the
       sec=mode option. mode can be sys, dh, krb5, krb5i, krb5p, or none.
       These security modes can also be added to the automount maps. Note that
       mount_nfs(1M) and automount(1M) do not support sec=none at this time.
       mount_nfs(1M) allows you to specify a single security mode;
       share_nfs(1M) allows you to specify multiple modes (or none). With
       multiple modes, an NFS client can choose any of the modes in the list.

       The sec=mode option on the share_nfs(1M) command line establishes the
       security mode of NFS servers. If the NFS connection uses the NFS
       Version 3 protocol, the NFS clients must query the server for the
       appropriate mode to use. If the NFS connection uses the NFS Version 2
       protocol, then the NFS client uses the default security mode, which is
       currently sys. NFS clients may force the use of a specific security
       mode by specifying the sec=mode option on the command line. However, if
       the file system on the server is not shared with that security mode,
       the client may be denied access.

       If the NFS client wants to authenticate the NFS server using a
       particular (stronger) security mode, the client should specify the
       security mode to be used, even if the connection uses the NFS Version 3
       protocol. This guarantees that an attacker masquerading as the server
       does not compromise the client.

       The NFS security modes are described below. Of these, the krb5, krb5i,
       and krb5p modes use the Kerberos V5 protocol for authenticating and
       protecting the shared filesystems. Before these can be used, the system
       must be configured to be part of a Kerberos realm. See kerberos(5).

       sys      Use AUTH_SYS authentication. The user's UNIX user-id and
                group-ids are passed in the clear on the network,
                unauthenticated by the NFS server. This is the simplest
                security method and requires no additional administration. It
                is the default used by Solaris NFS Version 2 clients and
                Solaris NFS servers.

       dh       Use a Diffie-Hellman public key system (AUTH_DES, which is
                referred to as AUTH_DH in the forthcoming Internet RFC).

       krb5     Use Kerberos V5 protocol to authenticate users before granting
                access to the shared filesystem.

       krb5i    Use Kerberos V5 authentication with integrity checking
                (checksums) to verify that the data has not been tampered
                with.

       krb5p    Use Kerberos V5 authentication, integrity checksums, and
                privacy protection (encryption) on the shared filesystem. This
                provides the most secure filesystem sharing, as all traffic is
                encrypted. It should be noted that performance might suffer on
                some systems when using krb5p, depending on the computational
                intensity of the encryption algorithm and the amount of data
                being transferred.

       none     Use null authentication (AUTH_NONE). NFS clients using
                AUTH_NONE have no identity and are mapped to the anonymous
                user nobody by NFS servers. A client using a security mode
                other than the one with which a Solaris NFS server shares the
                file system has its security mode mapped to AUTH_NONE. In this
                case, if the file system is shared with sec=none, users from
                the client are mapped to the anonymous user. The NFS security
                mode none is supported by share_nfs(1M), but not by
                mount_nfs(1M) or automount(1M).
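
       Because a client can choose any mode in a share's list, a share is
       only as strong as the weakest mode it offers. The following audit
       sketch is an added example, not part of the original man page; it
       assumes the share_nfs(1M) option syntax (comma-separated options,
       colon-separated modes within a sec= clause), and the mode ranking and
       function names are this example's own.

```shell
#!/bin/sh
# Rank of each mode named in nfssec(5); the ordering is this example's assumption.
mode_rank() {
    case "$1" in
        none)  echo 0 ;;
        sys)   echo 1 ;;
        dh)    echo 2 ;;
        krb5)  echo 3 ;;
        krb5i) echo 4 ;;
        krb5p) echo 5 ;;
        *)     echo -1 ;;   # unknown name: ranks below everything (fail closed)
    esac
}

# weakest_mode OPTS: print the weakest mode found in any sec= clause of OPTS.
weakest_mode() {
    weakest=""; weakest_rank=99
    old_ifs=$IFS
    set -f                          # no globbing while splitting unquoted words
    IFS=','
    for opt in $1; do               # options are comma-separated
        case "$opt" in sec=*) ;; *) continue ;; esac
        IFS=':'
        for m in ${opt#sec=}; do    # modes within one clause are colon-separated
            r=$(mode_rank "$m")
            if [ "$r" -lt "$weakest_rank" ]; then weakest_rank=$r; weakest=$m; fi
        done
    done
    IFS=$old_ifs; set +f
    # No sec= clause at all: the server default, sys, applies.
    echo "${weakest:-sys}"
}

# audit_share MIN OPTS: succeed only if every offered mode is at least MIN.
audit_share() {
    [ "$(mode_rank "$(weakest_mode "$2")")" -ge "$(mode_rank "$1")" ]
}

# Constructed sample option strings (not taken from any real server).
for opts in "sec=krb5p,rw" "sec=krb5p:krb5i:sys,rw" "rw=hostA:hostB" \
            "sec=krb5i,rw,sec=none,ro"; do
    if audit_share krb5i "$opts"; then verdict=ok; else verdict=WEAK; fi
    printf '%-28s weakest=%-6s %s\n' "$opts" "$(weakest_mode "$opts")" "$verdict"
done
```

       Only access-list colons inside sec= clauses are treated as mode
       separators, so a host list such as rw=hostA:hostB is not misread as a
       list of modes.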

FILES
       /etc/nfssec.conf    NFS security service configuration file

SEE ALSO
       automount(1M), kclient(1M), mount_nfs(1M), share_nfs(1M),
       rpc_clnt_auth(3NSL), secure_rpc(3NSL), nfssec.conf(4), attributes(5),

NOTES
       /etc/nfssec.conf lists the NFS security services. Do not edit this
       file. It is not intended to be user-configurable. See kclient(1M).

				 Mar 16, 2009			     NFSSEC(5)
