Merge branch 'master' of git://github.com/illumos/illumos-gate

[unleashed.git] / usr / src / man / man5 / nfssec.5

'\" te
.\" Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
.\" Copyright (c) 2001, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH NFSSEC 5 "Nov 20, 2014"
.SH NAME
nfssec \- overview of NFS security modes
.SH DESCRIPTION
.LP
The \fBmount_nfs\fR(1M) and \fBshare_nfs\fR(1M) commands each provide a way to
specify the security mode to be used on an \fBNFS\fR file system through the
\fBsec=\fR\fImode\fR option. \fImode\fR can be \fBsys\fR, \fBdh\fR, \fBkrb5\fR,
\fBkrb5i\fR, \fBkrb5p\fR, or \fBnone\fR. These security modes can also be added
to the automount maps. Note that \fBmount_nfs\fR(1M) and \fBautomount\fR(1M) do
not support \fBsec=none\fR at this time. \fBmount_nfs\fR(1M) allows you to
specify a single security mode; \fBshare_nfs\fR(1M) allows you to specify
multiple modes (or \fBnone\fR). With multiple modes, an NFS client can choose
any of the modes in the list.
.sp
.LP
The \fBsec=\fR\fImode\fR option on the \fBshare_nfs\fR(1M) command line
establishes the security mode of \fBNFS\fR servers. If the \fBNFS\fR connection
uses the \fBNFS\fR Version 3 protocol, the \fBNFS\fR clients must query the
server for the appropriate \fImode\fR to use. If the \fBNFS\fR connection uses
the \fBNFS\fR Version 2 protocol, then the \fBNFS\fR client uses the default
security mode, which is currently \fBsys\fR. \fBNFS\fR clients may force the
use of a specific security mode by specifying the \fBsec=\fR\fImode\fR option
on the command line. However, if the file system on the server is not shared
with that security mode, the client may be denied access.
.sp
.LP
If the \fBNFS\fR client wants to authenticate the \fBNFS\fR server using a
particular (stronger) security mode, the client wants to specify the security
mode to be used, even if the connection uses the \fBNFS\fR Version 3 protocol.
This guarantees that an attacker masquerading as the server does not compromise
the client.
.sp
.LP
The \fBNFS\fR security modes are described below. Of these, the \fBkrb5\fR,
\fBkrb5i\fR, \fBkrb5p\fR modes use the Kerberos V5 protocol for authenticating
and protecting the shared filesystems. Before these can be used, the system
must be configured to be part of a Kerberos realm. See \fBkerberos\fR(5).
.sp
.ne 2
.na
\fB\fBsys\fR\fR
.ad
.RS 9n
Use \fBAUTH_SYS\fR authentication. The user's UNIX user-id and group-ids are
passed in the clear on the network, unauthenticated by the \fBNFS\fR server.
This is the simplest security method and requires no additional administration.
It is the default used by Solaris \fBNFS\fR Version 2 clients and Solaris
\fBNFS\fR servers.
.sp
According to the ONC RPC specification (RFC 5531), \fBAUTH_SYS\fR
authentication supports up to 16 groups for a user only.  To workaround this
limitation, in the case where the \fBNFS\fR client supplied 16 groups in
\fBAUTH_SYS\fR and \fBNGROUPS_MAX\fR is more than 16, the \fBNFS\fR server
will lookup the user's groups on the server instead of relying on the list of
groups provided by the \fBNFS\fR client via \fBAUTH_SYS\fR.
.RE

.sp
.ne 2
.na
\fB\fBdh\fR\fR
.ad
.RS 9n
Use a Diffie-Hellman public key system (\fBAUTH_DES\fR, which is referred to as
\fBAUTH_DH\fR in the forthcoming Internet \fBRFC).\fR
.RE

.sp
.ne 2
.na
\fB\fBkrb5\fR\fR
.ad
.RS 9n
Use Kerberos V5 protocol to authenticate users before granting access to the
shared filesystem.
.RE

.sp
.ne 2
.na
\fB\fBkrb5i\fR\fR
.ad
.RS 9n
Use Kerberos V5 authentication with integrity checking (checksums) to verify
that the data has not been tampered with.
.RE

.sp
.ne 2
.na
\fB\fBkrb5p\fR\fR
.ad
.RS 9n
User Kerberos V5 authentication, integrity checksums, and privacy protection
(encryption) on the shared filesystem. This provides the most secure filesystem
sharing, as all traffic is encrypted. It should be noted that performance might
suffer on some systems when using \fBkrb5p\fR, depending on the computational
intensity of the encryption algorithm and the amount of data being transferred.
.RE

.sp
.ne 2
.na
\fB\fBnone\fR\fR
.ad
.RS 9n
Use null authentication (\fBAUTH_NONE\fR). \fBNFS\fR clients using
\fBAUTH_NONE\fR have no identity and are mapped to the anonymous user
\fBnobody\fR by \fBNFS\fR servers. A client using a security mode other than
the one with which a Solaris \fBNFS\fR server shares the file system has its
security mode mapped to \fBAUTH_NONE.\fR In this case, if the file system is
shared with \fBsec=none,\fR users from the client are mapped to the
anonymous user. The \fBNFS\fR security mode \fBnone\fR is supported by
\fBshare_nfs\fR(1M), but not by \fBmount_nfs\fR(1M) or \fBautomount\fR(1M).
.RE

.SH FILES
.ne 2
.na
\fB\fB/etc/nfssec.conf\fR\fR
.ad
.RS 20n
\fBNFS\fR security service configuration file
.RE

.SH SEE ALSO
.LP
\fBautomount\fR(1M), \fBkclient\fR(1M), \fBmount_nfs\fR(1M),
\fBshare_nfs\fR(1M), \fBrpc_clnt_auth\fR(3NSL), \fBsecure_rpc\fR(3NSL),
\fBnfssec.conf\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5)
.SH NOTES
.LP
\fB/etc/nfssec.conf\fR lists the \fBNFS\fR security services. Do not edit this
file. It is not intended to be user-configurable. See \fBkclient\fR(1M).