nfssec - overview of NFS security modes


     The mount_nfs(1M) and share_nfs(1M) commands each provide  a
     way  to  specify the security mode to be used on an NFS file
     system through the sec=mode option. mode can be either  sys,
     dh,  krb5,  krb5i,  krb5p, or none. These security modes may
     also be added to the automount maps. Note that mount_nfs(1M)
     and automount(1M) do not support sec=none at this time.

     The sec=mode option on the share_nfs(1M) command line estab-
     lishes  the security mode of NFS servers. If the NFS connec-
     tion uses the NFS Version 3 protocol, the NFS  clients  must
     query the server for the appropriate mode to use. If the NFS
     connection uses the NFS Version 2  protocol,  then  the  NFS
     client   will  use  the  default  security  mode,  which  is
     currently sys. NFS clients may force the use of  a  specific
     security  mode by specifying the sec=mode option on the com-
     mand line. However, if the file system on the server is  not
     shared  with  that  security  mode, the client may be denied

     If the NFS client wants to authenticate the NFS server using
     a  particular (stronger) security mode, the client will want
     to specify the security mode to be used, even if the connec-
     tion  uses  the NFS Version 3 protocol. This guarantees that
     an attacker masquerading as the server does  not  compromise
     the client.

     The NFS security modes are described below.  Of  these,  the
     krb5,  krb5i,  krb5p  modes use the Kerberos V5 protocol for
     authenticating and protecting the shared filesystems. Before
     these  can be used, the system must be configured to be part
     of a Kerberos realm (see SEAM(5)).

     sys   Use AUTH_SYS authentication. The user's  UNIX  user-id
           and  group-ids are passed in the clear on the network,
           unauthenticated by the NFS server. This  is  the  sim-
           plest  security  method  and  requires  no  additional
           administration. It is the default used by Solaris  NFS
           Version 2 clients and Solaris NFS servers.

     dh    Use a Diffie-Hellman public key  system  (AUTH_DES,  which
           is referred to  as  AUTH_DH  in  the  forthcoming  Internet
           RFC).

     krb5  Use Kerberos V5 protocol to authenticate users  before
           granting access to the shared filesystem.

     krb5i Use Kerberos V5 authentication with integrity checking
           (checksums)  to  verify  that  the  data  has not been
           tampered with.

     krb5p Use Kerberos V5 authentication,  integrity  checksums,
           and  privacy  protection  (encryption)  on  the shared
           filesystem. This provides the most  secure  filesystem
           sharing,  as  all  traffic  is encrypted. It should be
           noted that performance might suffer  on  some  systems
           when  using  krb5p,  depending  on  the  computational
           intensity of the encryption algorithm and  the  amount
           of data being transferred.

     none  Use null  authentication  (AUTH_NONE).  NFS  clients
           using AUTH_NONE have no identity and are mapped to the
           anonymous user nobody by NFS servers. A client using a
           security  mode other than the one with which a Solaris
           NFS server shares the file system will have its  secu-
           rity  mode  mapped  to AUTH_NONE. In this case, if the
           file system is shared with sec=none,  users  from  the
           client  will  be mapped to the anonymous user. The NFS
           security mode none is supported by share_nfs(1M),  but
           not by mount_nfs(1M) or automount(1M).
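     The following POSIX shell script is an added illustration, not
     part of nfssec(5) or of Solaris itself. It models the rules laid
     out above: how a client settles on a mode (an explicit sec= wins,
     otherwise the sys default for Version 2, otherwise a query of the
     server for Version 3), and what a Solaris server does when the
     client's mode is not one the file system was shared with (the
     request is mapped to AUTH_NONE, which yields the anonymous user
     nobody only if sec=none was also shared, and is otherwise
     denied). The function names, the colon-separated share list, and
     the choice of the first shared mode for a Version 3 client that
     gave no sec= are assumptions of this model; the page only says
     that such a client queries the server.

```shell
#!/bin/sh
# Added example, not from nfssec(5) or Solaris: a small model of the
# sec=mode rules, so a share/mount pairing can be checked before running
# share_nfs(1M) and mount_nfs(1M).
#
# Assumed (constructed) interface:
#   nfs_client_mode    VERSION REQUESTED SHARED  -> mode the client asks for
#   nfs_effective_mode SHARED CLIENT             -> mode | nobody | denied
# SHARED is the colon-separated list given to share_nfs -o sec=..., for
# example "krb5p:krb5i".

# The six values the page lists for sec=mode.
nfs_valid_mode() {
    case "$1" in
        sys|dh|krb5|krb5i|krb5p|none) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_nfs(1M) and automount(1M) do not accept sec=none, so a client-side
# option must be one of the other five modes.
nfs_client_mode_ok() {
    nfs_valid_mode "$1" && [ "$1" != none ]
}

# Which mode the client ends up asking for:
#   - an explicit sec= pins the mode (so a host masquerading as the server
#     cannot negotiate it down);
#   - otherwise a Version 2 client falls back to the default, sys;
#   - otherwise a Version 3 client queries the server (modelled here, as an
#     assumption, as taking the first mode the server shares with).
nfs_client_mode() {
    version=$1 requested=$2 shared=$3
    if [ -n "$requested" ]; then
        echo "$requested"
        return 0
    fi
    case "$version" in
        2) echo sys ;;
        3) echo "${shared%%:*}" ;;
        *) echo invalid; return 2 ;;
    esac
}

# How the server treats the client's mode: served as-is if the file system
# is shared with it; otherwise mapped to AUTH_NONE, which gives the
# anonymous user "nobody" only when sec=none is among the shared modes.
nfs_effective_mode() {
    shared=$1 client=$2
    nfs_valid_mode "$client" || { echo invalid; return 2; }
    has_none=0
    old_ifs=$IFS; IFS=:
    set -- $shared            # split the share list on ':'
    IFS=$old_ifs
    for m in "$@"; do
        if [ "$m" = "$client" ]; then echo "$client"; return 0; fi
        [ "$m" = none ] && has_none=1
    done
    if [ "$has_none" -eq 1 ]; then echo nobody; return 0; fi
    echo denied
    return 1
}

# Demonstration over constructed pairings: "<share list> <client mode>".
for pair in "krb5p:krb5i krb5p" "krb5p:krb5i sys" "krb5p:none sys" "dh:sys dh"; do
    set -- $pair
    printf '%-12s %-6s -> %s\n' "$1" "$2" "$(nfs_effective_mode "$1" "$2")"
done
```

     Run it with sh. The real-world equivalents of the model's inputs
     are `share -F nfs -o sec=krb5p:krb5i,rw /export/home` on the
     server and `mount -F nfs -o sec=krb5p server:/export/home /mnt`
     on the client; the script only predicts which row of the outcome
     table that pairing lands in.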

     /etc/nfssec.conf
           NFS security service configuration file.


     See attributes(5) for descriptions of the following attributes:

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWnfscr                   |


     automount(1M),         mount_nfs(1M),         share_nfs(1M),
     rpc_clnt_auth(3NSL), secure_rpc(3NSL), attributes(5)


     /etc/nfssec.conf lists the NFS  security  services.  Do  not
     edit this file. It is not intended to be user-configurable.
