Secure NFS on HP-UX 11i v3
9
IV. Prepare NFS Clients and Servers to use Kerberos
This section describes the steps needed to configure your HP-UX 11i v3 NFS client and server systems
to use Kerberos authentication and other enhanced security features.
A. Update ONCplus Software
ONCplus version B.11.31.05 contains a critical fix needed to use Kerberos authentication with the
Serviceguard NFS Toolkit product (i.e. Highly Available NFS Servers). It is highly recommended to
install ONCplus version B.11.31.05 or higher on all NFS clients and servers using Kerberos
authentication. ONCplus software updates may be downloaded from the following website:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ONCplus
B. Configure the Kerberos Client
HP-UX 11i v3 ships with built-in Kerberos v5 client support. Therefore, the only mandatory
configuration file on an 11i v3 Kerberos client is the /etc/krb5.conf file. Since my test
environment is using the HP-UX-based Kerberos Server shown earlier, I can simply copy the
/etc/krb5.conf file from the Kerberos Server to all of my NFS client and server systems. An
example of this is shown below in Figure 9.
Figure 9 Copy /etc/krb5.conf to NFS Clients and Servers
C. Activate Kerberos Entries in the /etc/nfssec.conf File
The /etc/nfssec.conf file is the configuration file for NFS security services. By default, Kerberos
security flavors are disabled in this file and must be un-commented. This can be done via vi(1) or any
other editor. Figure 10 shows the un-commented krb5 entries from the /etc/nfssec.conf file.
Figure 10 Uncomment /etc/nfssec.conf Kerberos Entries on NFS Clients and Servers