Secure NFS on HP-UX 11i v3

ManualsBrandsHP ManualsSoftwareHP-UX 11i v3 ONC and NFS Software

Dave Olker

dave.olker@hp.com

Virtualization, Security, Storage & Networking Lab

Table of Figures ................................................................................................................................... 2

Table of Tables .................................................................................................................................... 2

Secure NFS Test Environment used in this Paper ...................................................................................... 2

I. Introduction ................................................................................................................................. 3

II. Install and Configure the Kerberos Server ........................................................................................ 4

A. Download and Install the Kerberos Server Software ..................................................................... 4

B. Configure the Kerberos Server ................................................................................................... 4

III. Add Required Kerberos Credentials to the Realm ............................................................................ 7

A. Create Credentials for NFS Services ........................................................................................... 7

B. Create Credentials for Users ...................................................................................................... 7

C. Create Credentials for the Serviceguard NFS Toolkit (Optional) ..................................................... 8

IV. Prepare NFS Clients and Servers to use Kerberos ........................................................................... 9

A. Update ONCplus Software ....................................................................................................... 9

B. Configure the Kerberos Client .................................................................................................... 9

C. Activate Kerberos Entries in the /etc/nfssec.conf File ........................................................... 9

D. Initialize the gsscred(1M) Database .......................................................................................... 10

E. Configure the gssd(1M) Daemon ............................................................................................. 10

F. Synchronize Clocks with the Kerberos Server (Optional) ............................................................. 11

G. Test the Kerberos Credentials ................................................................................................... 11

V. Configure the Secure NFS Server ................................................................................................. 12

A. Extract “nfs” Principals and Store them in the Server’s Keytab File ................................................ 12

B. Configure Shared Filesystems with Desired Security Modes ......................................................... 13

VI. Configure the Secure NFS Client ................................................................................................. 15

A. Manual mount_nfs(1M) Command Syntax ................................................................................. 15

B. Configuring Secure NFS filesystems via /etc/fstab ................................................................ 16

C. Configuring Secure NFS filesystems via AutoFS ......................................................................... 16

VII. Using Secure NFS with Serviceguard (Optional) ........................................................................... 17

For More Information ......................................................................................................................... 19

Summary of content (19 pages)

PAGE 1
Secure NFS on HP-UX 11i v3 Dave Olker dave.olker@hp.com Virtualization, Security, Storage & Networking Lab Table of Figures ................................................................................................................................... 2 Table of Tables .................................................................................................................................... 2 Secure NFS Test Environment used in this Paper .......................................................
PAGE 2
Table of Figures Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure Figure 1 Initial krbsetup(1m) Screen......................................................................................... 4 2 Select type of backend data store ............................................................................... 5 3 Complete the Kerberos Server Configuration ................................................................ 5 4 /etc/krb5.
PAGE 3
I. Introduction Network File System (NFS) has long been an industry standard method of sharing filesystem data on a network. The proliferation of NFS to all major operating systems and computer architectures as well as its recent standardization by the IETF make NFS a very popular solution for distributing filesystem information. However, one of the biggest concerns about using NFS in today’s security conscious environments is the perceived lack of robust security features.
PAGE 4
II. Install and Configure the Kerberos Server Before NFS client and server systems can use Kerberos authentication or other enhanced security features like data check summing or data encryption, a Kerberos realm must be established and the NFS systems must be configured as Kerberos clients. While this paper is not intended as an exhaustive guide to setting up and configuring Kerberos, the basic configuration steps involved with creating a Kerberos realm using HP-UX systems will be provided.
PAGE 5
Figure 2 Select type of backend data store Figure 3 shows the remaining steps involved in creating the initial server configuration.
PAGE 6
Figure 3 shows this system will be a Primary Kerberos server, it will use DES-MD5 encryption, the principal database key will be stored on the local disk, we are not configuring a secondary server at this time, the Kerberos realm name will be ATC.VSSN.HP, log messages will be written to the /var/adm/syslog/syslog.log file, and the database Master password was entered twice.
PAGE 7
III. Add Required Kerberos Credentials to the Realm This step involves populating the Kerberos server with the credentials required by NFS as well as any users who will use the Secure NFS services. From a Kerberos perspective, NFS is considered a service. It is therefore necessary to create Kerberos service principals for each NFS server. A copy of these service principals will need to be stored in each server’s local keytab file.
PAGE 8
Figure 6 Adding User Credentials via kadminl(1M) C. Create Credentials for the Serviceguard NFS Toolkit (Optional) If your environment uses the Serviceguard NFS Toolkit to create Highly Available NFS packages, you need to create NFS service credentials for any hostnames that map to the virtual IP addresses used by these packages. In my test environment the hostname “nfs-pkg1.rose.hp.com” maps to the virtual IP address used by my NFS package. Figure 7 shows this NFS credential being added to the database.
PAGE 9
IV. Prepare NFS Clients and Servers to use Kerberos This section describes the steps needed to configure your HP-UX 11i v3 NFS client and server systems to use Kerberos authentication and other enhanced security features. A. Update ONCplus Software ONCplus version B.11.31.05 contains a critical fix needed to use Kerberos authentication with the Serviceguard NFS Toolkit product (i.e. Highly Available NFS Servers). It is highly recommended to install ONCplus version B.11.31.
PAGE 10
D. Initialize the gsscred(1M) Database The gsscred(1M) utility is used to create and maintain a mapping between a Generic Security Service Application Program Interface (GSS-API) security principal name – in this case the Kerberos credential – and their matching local UNIX user id or group id. RPC-based services such as NFS need to be able to map between Kerberos credentials and local UNIX user names and group names in order to enforce permissions-based security, such as filesystem access rights.
PAGE 11
F. Synchronize Clocks with the Kerberos Server (Optional) While not a required step, HP strongly recommends all NFS client and server systems’ clocks be synchronized not only with each other, but also with the system clock of any Kerberos servers. Kerberos authentication relies heavily on accurate timestamps and will often reject credentials if the system times are not kept to within 5 minutes of each other.
PAGE 12
V. Configure the Secure NFS Server Once the NFS clients and servers are able to successfully retrieve credentials from the Kerberos server, there are a few remaining steps to configuring a Secure NFS server. Those steps include extracting a copy of the “nfs” service principals from the Kerberos server and storing them in the NFS server’s local keytab file and configuring the shared filesystems to use the desired type of Kerberos security. A.
PAGE 13
Each NFS server’s keytab file needs to contain a copy of that server’s NFS credential as well as any NFS credentials associated with Serviceguard NFS Toolkit packages that could potentially run on the server. The example in Figure 14 shows the /etc/krb5.keytab file on my test server “atcux12.rose.hp.com” would contains the following keys: nfs/atcux12.rose.hp.com@ATC.VSSN.HP nfs/nfs-pkg1.rose.hp.com@ATC.VSSN.
PAGE 14
The most common share security modes for Secure NFS are: • • • krb5 krb5i krb5p Kerberos v5 Authentication Kerberos v5 Authentication + Data Checksums Kerberos v5 Authentication + Data Checksums + Data Encryption Each of these security modes offers a tradeoff between security and performance. As you might expect, forcing the NFS client and server systems to checksum NFS payload data on each side of the connection (krb5i) will require some CPU resources.
PAGE 15
VI. Configure the Secure NFS Client Once the Secure NFS server is configured and filesystems are shared with the desired security modes, the final step is to configure the NFS clients to mount these filesystems using Secure NFS. This involves adding the “sec=mode” option to the mount syntax, whether that is the actual manual mount command, the /etc/fstab entry for filesystems mounted automatically at system boot time or AutoFS map entries for filesystems managed by AutoFS. A.
PAGE 16
B. Configuring Secure NFS filesystems via /etc/fstab Similar to the manual mount(1M) case, Secure NFS entries in the /etc/fstab file need to specify the desired security mode for each filesystem. Otherwise the client and server will negotiate the highest security level supported by both systems. In the example shown in Figure 17 the /etc/fstab entry specifies the desired security mode “krb5.” Figure 17 Configuring Secure NFS via /etc/fstab C.
PAGE 17
VII. Using Secure NFS with Serviceguard (Optional) There are very few differences between a standalone NFS server and a Serviceguard NFS Toolkit from a Secure NFS perspective. In both cases an NFS service principal must be added to the Kerberos realm using the hostname of the NFS server. In the Serviceguard NFS Toolkit case, this hostname would be one that maps to the virtual IP address used by the Serviceguard package running on the NFS cluster nodes.
PAGE 18
Figure 18 Mounting Secure NFS Filesystem from Serviceguard NFS Toolkit After the mount succeeds a klist on the client shows it now has the cached NFS service credentials of the NFS package “nfs/nfs-pkg1.rose.hp.com.
PAGE 19
For More Information http://hp.com/go/unix http://docs.hp.com/en/netcom.html#NFS%20Services http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ONCplus © 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.