NFS Services Administrator Guide for 11i v3 (5900-2572, September 2012)

Table 4 Security Modes of the share command

Security Mode   Description
sys             Uses the default authentication method, AUTH_SYS. The sys mode is a simple
                authentication method that uses UID/GID UNIX permissions, and is used by NFS
                servers and NFS clients using the version 2, 3, and 4 protocols.
dh              Uses the Diffie-Hellman public-key system and AUTH_DES authentication.
krb5            Uses the Kerberos V5 protocol to authenticate users before granting access to
                the shared filesystems.
krb5i           Uses Kerberos V5 authentication with integrity checking to verify that the data
                is not tampered with while in transit between the NFS clients and servers.
krb5p           Uses Kerberos V5 authentication, integrity checking, and privacy protection
                (encryption) on the shared filesystems.
none            Uses NULL authentication (AUTH_NONE). NFS clients using AUTH_NONE are mapped
                to the anonymous user nobody by NFS.
You can combine different security modes. However, a security mode specified on the server must
also be supported by the client. If the modes on the client and server differ, the directory
cannot be accessed.
For example, an NFS server can combine the dh (Diffie-Hellman) and krb5 (Kerberos) security
modes because it supports both. However, if the NFS client does not support krb5, the shared
directory cannot be accessed using the krb5 security mode.
Consider the following points before you specify or combine security modes:
• The share command uses the AUTH_SYS mode by default if the sec=mode option is not
  specified.
• If your network consists of clients with differing security requirements, some using highly
  restrictive security modes and some using less secure modes, use multiple security modes in
  a single share command.
  For example, consider an environment where not all clients require the same level of security.
  Such an environment is usually difficult to secure and requires running various scripts. However,
  with the share command you can specify a different security mechanism for each netgroup
  within your network.
• If one or more explicit sec= options are specified, you must also specify the sys security mode
  to continue allowing access to the shared directories using the AUTH_SYS authentication method.
  For example, if you specify multiple security options, such as Kerberos and Diffie-Hellman,
  specify the sys security option as well so that users can still access the shared directories
  using the AUTH_SYS method.
• If both the ro and rw options are specified in a sec= clause, the order-of-options rule is not
  enforced: all hosts are granted read-only access, except those in the read-write list.
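As an added example (not code from the guide or from HP-UX), the following Python model works through the sec= rules listed above: the AUTH_SYS default, the need to list sys explicitly once any sec= is given, a client flavor the server does not offer, the nobody mapping for AUTH_NONE, and the ro/rw rule. It assumes the ONC-style option syntax in which the access options following a sec= clause apply to the modes in that clause (for example sec=krb5:krb5i,rw=eng,sec=sys,ro), and that a clause with no ro/rw option is read-write for every client.

```python
# Added illustrative model of the share(1M) sec= semantics; not HP-UX code.
# Assumption: ONC-style option syntax where options following a sec= clause
# apply to the modes in that clause, e.g.  sec=krb5:krb5i,rw=eng,sec=sys,ro
# Assumption: a clause with no ro/rw option is read-write for every client.
SEC_MODES = {"sys", "dh", "krb5", "krb5i", "krb5p", "none"}

def parse_share_opts(opts):
    """Map each offered security mode to its {"ro": ..., "rw": ...} access
    options: None (absent), True (bare option) or a list of host/netgroup
    names. With no sec= option at all the share defaults to AUTH_SYS."""
    clauses, current = {}, None
    for tok in opts.split(","):
        key, _, val = tok.partition("=")
        if key == "sec":
            modes = val.split(":")
            unknown = set(modes) - SEC_MODES
            if unknown:
                raise ValueError("unknown security mode(s): %s" % sorted(unknown))
            current = [clauses.setdefault(m, {"ro": None, "rw": None})
                       for m in modes]
        elif key in ("ro", "rw"):
            if current is None:  # access options before any sec= go to sys
                current = [clauses.setdefault("sys", {"ro": None, "rw": None})]
            for clause in current:
                clause[key] = val.split(":") if val else True
        # other options (anon=, root=, ...) are outside this model
    if not clauses:
        clauses["sys"] = {"ro": None, "rw": None}
    return clauses

def check_access(opts, flavor, host, netgroups=()):
    """Return (access, identity) for a client mounting with `flavor`.
    access is "rw", "ro" or "denied"; identity is "nobody" for AUTH_NONE."""
    clause = parse_share_opts(opts).get(flavor)
    if clause is None:              # server does not offer this mode at all
        return ("denied", None)
    identity = "nobody" if flavor == "none" else "client-uid"
    names = {host, *netgroups}      # host name plus the netgroups it belongs to
    ro, rw = clause["ro"], clause["rw"]
    if isinstance(rw, list) and names & set(rw):
        return ("rw", identity)     # the read-write list always wins
    if ro is True or (isinstance(ro, list) and names & set(ro)):
        return ("ro", identity)     # ro with rw=list: everyone else read-only
    if rw is True or (ro is None and rw is None):
        return ("rw", identity)
    return ("denied", identity)     # named in neither access list
```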
Secure NFS Setup with Kerberos
Configuring Secure NFS Server with Kerberos
Set up the NFS server as a Kerberos client before securing the NFS server.
To configure a secure NFS server, follow these steps:
1. Set up the host as a Kerberos client. For more information on setting up the NFS server as a Kerberos client, see Configuration Guide for Kerberos Client Products on HP-UX (5991-7685).
Configuring and Administering an NFS Server 25