Kerberos NFSD for Linux?

Wyllys Ingersoll wyllys.ingersoll at sun.com
Thu Feb 5 18:29:53 EST 2004


David Magda wrote:

>hartmans at MIT.EDU (Sam Hartman) writes:
>
>>I think you may be out of luck.  Really the first version of NFS
>>that seems to be particularly secure is NFS version 4.  There are
>>some attempts to add Kerberos to previous versions of NFS, but I'm
>>unconvinced of the security of most of them.
>
>Solaris 8 (and above?) has nfssec(5). From the man page:
>
>     The  NFS security modes are described as follows:
>
>     sys   Use AUTH_SYS authentication. The user's  UNIX  user-id
>           and  group-ids are passed in the clear on the network,
>           unauthenticated by the  NFS server.  This is the  sim-
>           plest  security  method  and  requires  no  additional
>           administration. It is the default used by Solaris  NFS
>           Version 2 clients and Solaris NFS servers.
>
>     dh    Use a Diffie-Hellman public  key  system  (  AUTH_DES,
>           which  is  referred  to as  AUTH_DH in the forthcoming
>           Internet  RFC).
>
>     krb4  Use the Kerberos Version  4  authentication  system  (
>           AUTH_KERB,  which  is  referred to as  AUTH_KERB4 in a
>           forthcoming Internet  RFC).
>

I believe this is a mistake in the docs.  Solaris 8 (or later) does NOT support
Kerberos V4, only V5.

They do support Kerberos V5.  Download the SEAM package
for Solaris 8 (free from www.sun.com).   Also get the "encryption pack"
to enable privacy (i.e. encryption) protection - this is only for Solaris 8,
encryption pack is not needed for Solaris 9.

SEAM for Solaris 8 includes NFSv3 with Kerberos in 3 modes -
authentication only, auth + integrity protection, and auth + integ + privacy.

There are also documentation books at docs.sun.com that explain how
to configure and use NFS with Kerberos.

-Wyllys

>
>     none  Use  null authentication  (  AUTH_NONE).  NFS  clients
>           using   AUTH_NONE  have  no identity and are mapped to
>           the anonymous user nobody by   NFS servers.  A  client
>           [...]
>
>See also secure_rpc(3NSL). This of course doesn't help the OP.



