The mount_nfs(8) and share_nfs(8) commands each provide a way to
specify the security mode to be used on an NFS file system through the
sec=mode option. mode can be sys, dh, krb5, krb5i, krb5p, or none. These
security modes can also be added to the automount maps. Note that
mount_nfs(8) and automount(8) do not support sec=none at this time.
mount_nfs(8) allows you to specify a single security mode; share_nfs(8)
allows you to specify multiple modes (or none). With multiple modes, an
NFS client can choose any of the modes in the list.

The sec=mode option on the share_nfs(8) command line establishes the
security mode of NFS servers. If the NFS connection uses the NFS Version 3
protocol, the NFS clients must query the server for the appropriate mode to
use. If the NFS connection uses the NFS Version 2 protocol, then the NFS
client uses the default security mode, which is currently sys. NFS clients
may force the use of a specific security mode by specifying the sec=mode
option on the command line. However, if the file system on the server is
not shared with that security mode, the client may be denied access.

If the NFS client wants to authenticate the NFS server using a particular
(stronger) security mode, the client should specify the security mode to be
used, even if the connection uses the NFS Version 3 protocol. This
guarantees that an attacker masquerading as the server does not compromise
the client.
The NFS security modes are described below. Of these, the krb5, krb5i, and
krb5p modes use the Kerberos V5 protocol for authenticating and protecting
the shared filesystems. Before these can be used, the system must be
configured to be part of a Kerberos realm. See

     sys     Use AUTH_SYS authentication. The user's UNIX user-id and
             group-ids are passed in the clear on the network, unauthenticated
             by the NFS server. This is the simplest security method and
             requires no additional administration. It is the default used by
             Solaris NFS Version 2 clients and Solaris NFS servers.

             According to the ONC RPC specification (RFC 5531), AUTH_SYS
             authentication supports at most 16 groups for a user. To work
             around this limitation, in the case where the NFS client supplied
             16 groups in AUTH_SYS and NGROUPS_MAX is more than 16, the NFS
             server will look up the user's groups on the server instead of
             relying on the list of groups provided by the NFS client via
             AUTH_SYS.

     dh      Use a Diffie-Hellman public key system (AUTH_DES, which is
             referred to as AUTH_DH in the forthcoming Internet RFC).

     krb5    Use Kerberos V5 protocol to authenticate users before granting
             access to the shared filesystem.

     krb5i   Use Kerberos V5 authentication with integrity checking
             (checksums) to verify that the data has not been tampered with.

     krb5p   Use Kerberos V5 authentication, integrity checksums, and privacy
             protection (encryption) on the shared filesystem. This provides
             the most secure filesystem sharing, as all traffic is encrypted.
             It should be noted that performance might suffer on some systems
             when using krb5p, depending on the computational intensity of the
             encryption algorithm and the amount of data being transferred.

     none    Use null authentication (AUTH_NONE). NFS clients using AUTH_NONE
             have no identity and are mapped to the anonymous user nobody by
             NFS servers. A client using a security mode other than the one
             with which a Solaris NFS server shares the file system has its
             security mode mapped to AUTH_NONE. In this case, if the file
             system is shared with sec=none, users from the client are mapped
             to the anonymous user. The NFS security mode none is supported by
             share_nfs(8), but not by mount_nfs(8) or automount(8) at this
             time.
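As an added example that is not part of this manual page, the following Python model encodes the sec=mode rules stated above (the export's mode list, the Version 2 and Version 3 client defaults, the AUTH_NONE mapping on a mismatch, and the 16-group AUTH_SYS rule) so an administrator can check how a given export and mount combination resolves before deploying it. The function names are hypothetical, and the model assumes that a Version 3 client which queries the server takes the first mode listed and that a mismatched client is denied unless the export also lists none.

```python
# Added example (not from the man page): a model of the sec=mode rules in
# nfssec(7). Names are hypothetical; see the lead-in for the assumptions.
MODES = ("sys", "dh", "krb5", "krb5i", "krb5p", "none")
AUTH_SYS_MAX_GROUPS = 16  # RFC 5531 limit on the AUTH_SYS group list


def parse_share_sec(opt):
    """Parse a share_nfs(8) option such as 'sec=krb5p:krb5i' into a mode list."""
    if not opt.startswith("sec="):
        raise ValueError("expected sec=mode[:mode...]")
    modes = opt[4:].split(":")
    bad = [m for m in modes if m not in MODES]
    if bad:
        raise ValueError("unknown security mode(s): " + ", ".join(bad))
    return modes


def negotiate(share_modes, nfs_version=3, client_mode=None):
    """Resolve (effective mode, identity) for a client against an export.

    identity is 'user' (real credentials), 'anonymous' (mapped to nobody)
    or 'denied'. A v3 client with no sec= queries the server and (assumed)
    takes the first listed mode; a v2 client defaults to sys; a client
    forcing a mode the export does not list is mapped to AUTH_NONE.
    """
    if client_mode == "none":
        raise ValueError("mount_nfs(8)/automount(8) do not support sec=none")
    if client_mode is None:
        client_mode = share_modes[0] if nfs_version >= 3 else "sys"
    if client_mode not in share_modes:  # mismatch -> AUTH_NONE
        return ("none", "anonymous" if "none" in share_modes else "denied")
    return (client_mode, "anonymous" if client_mode == "none" else "user")


def effective_groups(client_groups, ngroups_max, server_lookup):
    """AUTH_SYS group handling: exactly 16 groups from the client with a
    server NGROUPS_MAX above 16 makes the server use its own lookup."""
    if len(client_groups) > AUTH_SYS_MAX_GROUPS:
        raise ValueError("AUTH_SYS carries at most 16 groups")
    if len(client_groups) == AUTH_SYS_MAX_GROUPS and ngroups_max > AUTH_SYS_MAX_GROUPS:
        return server_lookup()
    return list(client_groups)


if __name__ == "__main__":
    export = parse_share_sec("sec=krb5p:krb5i")    # constructed export
    print(negotiate(export))                       # ('krb5p', 'user')
    print(negotiate(export, nfs_version=2))        # ('none', 'denied')
    print(negotiate(export, client_mode="krb5i"))  # ('krb5i', 'user')
```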