NFS Services Administrator's Guide (B.11.31.03) August 2008
Table 2-3 Security Modes of the share command (continued)

Security Mode   Description
krb5i           Uses Kerberos V5 authentication with integrity checking to verify that the
                data is not tampered with, while in transit between the NFS clients and servers.
krb5p           Uses Kerberos V5 authentication, integrity checking, and privacy protection
                (encryption) on the shared filesystems.
none            Uses NULL authentication (AUTH_NONE). NFS clients using AUTH_NONE are
                mapped to the anonymous user nobody by NFS.

You can combine the different security modes. However, the security mode specified
on the host must be supported by the client. If the modes on the client and server are
different, the directory cannot be accessed.
For example, an NFS server can combine the dh (Diffie-Hellman) and krb5 (Kerberos)
security modes because it supports both modes. However, if the NFS client does not
support krb5, the shared directory cannot be accessed using the krb5 security mode.
Consider the following points before you specify or combine security modes:
• The share command uses the AUTH_SYS mode by default, if the sec=mode
option is not specified.
• If your network consists of clients with differing security requirements, some using
highly restrictive security modes and some using less secure modes, use multiple
security modes with a single share command.
For example, consider an environment where not all clients require the same level
of security. This environment is usually difficult to secure and requires running
various scripts. However, if you use the share command, you can specify different
security mechanisms for each netgroup within your network.
• If one or more explicit sec= options are specified, you must also set the sys security
mode to continue to allow access to shared directories using the AUTH_SYS
authentication method.
For example, if you are specifying multiple security options, such as Kerberos and
Diffie-Hellman, then specify the sys security option as well to enable users to
access the shared directories using the AUTH_SYS security method.
• If ro and rw options are specified in a sec= clause, the order of the options rule is
not enforced. All hosts are granted read-only access, except those in the read-write
list.
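The following added example (not part of the guide) applies the points above as an audit: it reads share command lines and reports every security mode each shared directory accepts, including the implicit AUTH_SYS default when no sec= option is given. The sample lines, the netgroup names finance_ng and lab_ng, and the paths are constructed; the colon-joined form sec=mode:mode is share_nfs syntax that this page does not show.

```shell
#!/bin/sh
# Added example: list the security modes each share command line allows.
# SAMPLE_SHARES is constructed input; netgroups and paths are hypothetical.
SAMPLE_SHARES='share -F nfs -o sec=krb5p,rw=finance_ng,sec=sys,ro=lab_ng /export/finance
share -F nfs -o rw /export/scratch
share -F nfs -o sec=none,ro /export/pub
share -F nfs -o sec=krb5:krb5i:krb5p,rw /export/home'

# audit_shares: reads share lines on stdin, prints "<path> <mode> <finding>".
audit_shares() {
  awk '
  function finding(mode, implicit) {
    if (mode == "sys")
      return implicit ? "REVIEW AUTH_SYS (default, no sec= given)" : "REVIEW AUTH_SYS (explicit)"
    if (mode == "none")  return "REVIEW AUTH_NONE (clients mapped to nobody)"
    if (mode == "dh")    return "OK Diffie-Hellman authentication"
    if (mode == "krb5")  return "OK Kerberos V5 authentication"
    if (mode == "krb5i") return "OK Kerberos V5 + integrity"
    if (mode == "krb5p") return "OK Kerberos V5 + integrity + privacy"
    return "UNKNOWN mode"
  }
  $1 == "share" {
    opts = ""; path = $NF; nmodes = 0
    # The option string is the argument that follows -o.
    for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
    n = split(opts, o, ",")
    for (i = 1; i <= n; i++)
      if (o[i] ~ /^sec=/) {                 # one sec= clause, modes joined by ":"
        m = split(substr(o[i], 5), s, ":")
        for (j = 1; j <= m; j++) modes[++nmodes] = s[j]
      }
    implicit = (nmodes == 0)
    if (implicit) modes[++nmodes] = "sys"   # share defaults to AUTH_SYS
    for (k = 1; k <= nmodes; k++)
      printf "%s %s %s\n", path, modes[k], finding(modes[k], implicit)
  }'
}

printf '%s\n' "$SAMPLE_SHARES" | audit_shares
```

Lines marked REVIEW are the ones where a client can reach the directory without Kerberos or Diffie-Hellman authentication, either because sys or none was listed or because no sec= option was given at all.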
Secure NFS Setup with Kerberos
This section describes how to configure your secure NFS using Kerberos.
Configuring Secure NFS Server with Kerberos
You need to set up the NFS server as a Kerberos client before securing the NFS server.