System information

Use wildcards sparingly when exporting directories through NFS: a wildcard such as *.example.com
can match more systems than intended, and every matching host gains access to the export.
It is also possible to restrict access to the rpcbind[3] service with TCP wrappers. Creating rules with
iptables can also limit access to ports used by rpcbind, rpc.mountd, and rpc.nfsd.
For more information on securing NFS and rpcbind, refer to man iptables.
9.8.2. NFS security with AUTH_GSS
The release of NFSv4 brought a revolution to NFS security by mandating the implementation of
RPCSEC_GSS and the Kerberos version 5 GSS-API mechanism. However, RPCSEC_GSS and the
Kerberos mechanism are also available for all versions of NFS.
With the RPCSEC_GSS Kerberos mechanism, the server no longer depends on the client to correctly
represent which user is accessing the file, as it does with AUTH_SYS, where the client simply sends a
UID and group list that the server trusts. Instead, users are authenticated to the server
cryptographically, so a malicious client cannot impersonate a user without that user's Kerberos
credentials.
Note
A Kerberos Key Distribution Center (KDC) is assumed to be installed and configured correctly
before the NFSv4 server is configured. Kerberos is a network authentication system in which
clients and servers authenticate to each other using symmetric encryption and a trusted third
party, the KDC. For more information on Kerberos, see Red Hat's Identity Management Guide.
To set up RPCSEC_GSS, use the following procedure:
Procedure 9.4. Set up RPCSEC_GSS
1. Create nfs/client.mydomain@MYREALM and nfs/server.mydomain@MYREALM
principals.
2. Add the corresponding keys to keytabs for the client and server.
3. On the server side, add sec=krb5:krb5i:krb5p to the export. To continue allowing
AUTH_SYS, add sec=sys:krb5:krb5i:krb5p instead. The sec= list in /etc/exports is
colon-separated (commas separate export options) and is read in order of preference; keep in
mind that listing sys at all lets a client that presents no Kerberos credentials use the export
with the unauthenticated UID/GID it claims.
4. On the client side, add sec=krb5 (or sec=krb5i, or sec=krb5p depending on the set up)
to the mount options.
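The four steps above as one script, added here as an illustration and not taken from the guide. It assumes the realm MYREALM and the hosts server.mydomain and client.mydomain from step 1, an export directory /export and a client mount point /mnt/export; the kadmin, exportfs and mount commands only run when NFS_KRB_APPLY=1, because they need admin rights on the KDC and root on both hosts, while the helper functions (which build the exports line, validate the colon-separated flavor list and read the negotiated flavor back from /proc/mounts) run anywhere. The export names the client host explicitly rather than using a wildcard, as the earlier warning on wildcards advises.

```shell
#!/bin/sh
# Added example; not from the Red Hat guide. Names below are assumptions:
REALM="MYREALM"                 # Kerberos realm from step 1
SERVER="server.mydomain"        # NFS server FQDN (principal nfs/server.mydomain@MYREALM)
CLIENT="client.mydomain"        # NFS client FQDN (principal nfs/client.mydomain@MYREALM)
EXPORT_DIR="/export"            # directory exported by the server (assumed)
MOUNT_POINT="/mnt/export"       # mount point on the client (assumed)

# Check that a colon-separated sec= list (exports(5) syntax) names only known
# flavors. Returns 0 if valid, 1 if any entry is not sys/krb5/krb5i/krb5p.
valid_sec_list() {
    (
        IFS=':'
        for f in $1; do
            case "$f" in
                sys|krb5|krb5i|krb5p) ;;
                *) exit 1 ;;
            esac
        done
        exit 0
    )
}

# Build one /etc/exports line: DIR HOST FLAVORS -> "DIR HOST(sec=FLAVORS,rw,sync)".
# An explicit host is used rather than a wildcard so the export cannot quietly
# cover more machines than intended.
export_line() {
    valid_sec_list "$3" || { echo "export_line: bad sec list '$3'" >&2; return 1; }
    printf '%s %s(sec=%s,rw,sync)\n' "$1" "$2" "$3"
}

# Read the flavor the client actually negotiated from a line of /proc/mounts
# (mount options are the fourth field). Prints the flavor, or "none" when the
# mount carries no sec= option at all.
mount_sec_flavor() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    (
        IFS=','
        for o in $opts; do
            case "$o" in
                sec=*) printf '%s\n' "${o#sec=}"; exit 0 ;;
            esac
        done
        printf 'none\n'
    )
}

# The privileged steps run only when NFS_KRB_APPLY=1: they need admin rights on
# the KDC and root on the server and client, and are split across those hosts.
if [ "${NFS_KRB_APPLY:-0}" = "1" ]; then
    # Step 1 (on the KDC): create the two service principals with random keys.
    kadmin.local -q "addprinc -randkey nfs/$SERVER@$REALM"
    kadmin.local -q "addprinc -randkey nfs/$CLIENT@$REALM"

    # Step 2 (on the KDC): extract each key to its own keytab, then move it to
    # /etc/krb5.keytab on the matching host over a protected channel (mode 0600).
    kadmin.local -q "ktadd -k /root/$SERVER.keytab nfs/$SERVER@$REALM"
    kadmin.local -q "ktadd -k /root/$CLIENT.keytab nfs/$CLIENT@$REALM"
    # Verify on each host with: klist -k /etc/krb5.keytab

    # Step 3 (on the server): Kerberos flavors only (no sys), in the guide's order,
    # which the server reads as its order of preference; then reload the exports.
    # rpc.svcgssd must be running (SECURE_NFS="yes" in /etc/sysconfig/nfs on RHEL 6).
    export_line "$EXPORT_DIR" "$CLIENT" "krb5:krb5i:krb5p" >> /etc/exports
    exportfs -ra

    # Step 4 (on the client, with rpc.gssd running): request privacy protection.
    mount -t nfs4 -o sec=krb5p "$SERVER:$EXPORT_DIR" "$MOUNT_POINT"

    # Confirm what was negotiated instead of trusting a silent mount.
    grep " $MOUNT_POINT " /proc/mounts | while read -r line; do
        mount_sec_flavor "$line"
    done
fi
```

After the mount, root on the client is authenticated with the machine's nfs/client.mydomain key from the keytab, but an ordinary user still needs a ticket of their own (kinit) before the server will let them touch files; a "permission denied" right after a successful krb5 mount is usually a missing user ticket, not an export problem.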
For more information, such as the difference between krb5, krb5i, and krb5p, refer to the exports
and nfs man pages or to Section 9.5, “Common NFS Mount Options”.
For more information on the RPCSEC_GSS framework, including how rpc.svcgssd and rpc.gssd
inter-operate, refer to http://www.citi.umich.edu/projects/nfsv4/gssd/.
9.8.2.1. NFS security with NFSv4
NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model,
because of the former's features and wide deployment.
Red Hat Enterprise Linux 6 Storage Administration Guide