Secure NFS on HP-UX 11i v3
Each NFS server’s keytab file needs to contain a copy of that server’s NFS credential as well as any
NFS credentials associated with Serviceguard NFS Toolkit packages that could potentially run on the
server. In the example in Figure 14, the /etc/krb5.keytab file on my test server
“atcux12.rose.hp.com” would contain the following keys:
nfs/atcux12.rose.hp.com@ATC.VSSN.HP
nfs/nfs-pkg1.rose.hp.com@ATC.VSSN.HP
This would allow the server to authenticate NFS clients that are mounting filesystems using either the
server’s real hostname “atcux12.rose.hp.com” or mounting filesystems shared via the Serviceguard
NFS Toolkit package hostname “nfs-pkg1.rose.hp.com”. Once the keytab file is copied to system
atcux12.rose.hp.com, the klist(1) command can be used to verify the keys are intact. Figure 15
shows an example of this.
Figure 15 klist(1) Displaying /etc/krb5.keytab File
The same procedure would be used to extract the keys
nfs/atcux13.rose.hp.com@ATC.VSSN.HP and
nfs/nfs-pkg1.rose.hp.com@ATC.VSSN.HP and store them in the /etc/krb5.keytab file on server
“atcux13.rose.hp.com.” Again, both NFS servers need to have a copy of the Kerberos key
nfs/nfs-pkg1.rose.hp.com@ATC.VSSN.HP in their respective keytab files, since either server could
potentially run the Serviceguard NFS package associated with hostname “nfs-pkg1.rose.hp.com.”
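The keytab requirement above can be checked on each cluster node before a package failover exposes a missing key. The script below is an added example, not part of the original paper; the function and sample names are hypothetical, and it assumes the keytab listing follows the MIT-style `klist -k` layout (the paper names klist(1) but does not show its options).

```shell
#!/bin/sh
# Added example: check a keytab listing for every nfs/ principal a cluster
# node must hold (its own hostname plus each Serviceguard package hostname).

# missing_nfs_principals HOST REALM [PKG_HOST...]
# Reads a keytab listing on stdin, prints each required principal that is
# absent, and returns 1 if any is missing (0 otherwise).
missing_nfs_principals() {
    mnp_host=$1 mnp_realm=$2
    shift 2
    mnp_listing=$(cat)
    mnp_missing=0
    for mnp_name in "$mnp_host" "$@"; do
        mnp_want="nfs/${mnp_name}@${mnp_realm}"
        # Exact whole-field match, so atcux1 never satisfies atcux13.
        if ! printf '%s\n' "$mnp_listing" | awk -v p="$mnp_want" \
            '{ for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
             END { exit !found }'; then
            printf '%s\n' "$mnp_want"
            mnp_missing=1
        fi
    done
    return "$mnp_missing"
}

# Constructed sample: listing for atcux13 where the package key was never
# added (layout assumed to follow MIT-style `klist -k` output).
sample_listing_atcux13() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 nfs/atcux13.rose.hp.com@ATC.VSSN.HP
EOF
}

# Demo on the constructed listing; on a real node, pipe in the klist output.
sample_listing_atcux13 |
    missing_nfs_principals atcux13.rose.hp.com ATC.VSSN.HP nfs-pkg1.rose.hp.com ||
    echo "keytab incomplete: add the principal(s) listed above" >&2
```

A node that fails this check would accept Kerberos mounts against its own hostname but be unable to authenticate clients of “nfs-pkg1.rose.hp.com” once the package moves to it.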
B. Configure Shared Filesystems with Desired Security Modes
The final step in configuring the Secure NFS server is sharing filesystems using the desired security
mode. On 11i v3, the mount(1M) and share(1M) commands have been enhanced to support the
new “sec=mode” option. This allows administrators to configure different security flavors for each
individual NFS filesystem. The share_nfs(1M) man page includes many examples of share syntax.
Table 1 shows the various security flavors supported by NFS on 11i v3.
Table 1 Supported Secure NFS Security Flavors

Security Flavor   Description
none              NULL Authentication, i.e. no security
sys               The user's UNIX user-id and group-ids are passed in the clear on the
                  network. This is the default security flavor.
dh                Diffie-Hellman public key security
krb5              Use Kerberos V5 protocol to authenticate users before granting access to the
                  shared filesystem.
krb5i             Use Kerberos V5 authentication with integrity checking (checksums) to verify
                  that the data has not been tampered with.
krb5p             Use Kerberos V5 authentication, integrity checksums, and privacy protection
                  (encryption) on the shared filesystem.