Manualshelf

Secure NFS on HP-UX 11i v3

ManualsBrandsHP ManualsSoftwareHP-UX 11i v3 ONC and NFS Software
10111213141516171819
14
The most common share security modes for Secure NFS are:
krb5 Kerberos v5 Authentication
krb5i Kerberos v5 Authentication + Data Checksums
krb5p Kerberos v5 Authentication + Data Checksums + Data Encryption
Each of these security modes offers a tradeoff between security and performance. As you might
expect, forcing the NFS client and server systems to checksum NFS payload data on each side of the
connection (krb5i) will require some CPU resources. Likewise, forcing the NFS client and server to not
only checksum the data but also encrypt the payload data (krb5p) requires even more system
resources. Overall NFS throughput will likely decrease when krb5i or krb5p security modes are used.
The actual amount of overhead caused by these enhanced security mechanisms is difficult to quantify
because it depends greatly on client and server hardware as well as the application workload.
To enable Secure NFS for a specific NFS filesystem, modify the share syntax for the filesystem in the
/etc/dfs/dfstab file with the desired security mode and then re-share the filesystem. Optionally,
you can manually issue the share command with the appropriate syntax. Below are several examples
of share syntax with different Secure NFS modes.
Share /export with read/write access to all clients that authenticate with Kerberos v5
# share F nfs o sec=krb5 /export
Share /tmp with read/write access to all clients that authenticate with Kerberos v5 and read-
only access to clients that authenticate with AUTH_SYS
# share F nfs o sec=krb5,rw,sec=sys,ro /tmp
Share /tmp with read/write access to only clients host1 and host2, require that those hosts
authenticate with Kerberos v5, and checksum the data on both the sending and receiving
ends of the connection
# share F nfs o sec=krb5i,rw=host1:host2 /tmp
Share /export with read/write access to the netgroup “accounting”, require that those hosts
authenticate with Kerberos v5, checksum the data on both the sending and receiving ends of
the connection, and encrypt the data before it traverses the network
# share F nfs o sec=krb5p,rw=accounting /export
For my test environment, I am sharing the “/memfs” filesystem with Kerberos v5 Authentication and I
only want NFS client “atcux10.rose.hp.com” to be able to access this filesystem. Additionally, I want
the root user on system atcux10.rose.hp.com to have root privileges when accessing the “/memfs”
filesystem via Secure NFS. Therefore, my desired share syntax would be:
shareo sec=krb5,rw=atcux10.rose.hp.com,root=atcux10.rose.hp.com /memfs
Again, the share_nfs(1M) man page contains many other examples of share syntax.