NFS Howto Submissions nfs krb5
From Linux NFS
(→Kerberos and NFS) |
(→Requirements) |
||
(16 intermediate revisions not shown) | |||
Line 1: | Line 1: | ||
==== Kerberos and NFS ==== | ==== Kerberos and NFS ==== | ||
- | Kerberos can be used to provide both '''mutual authentication''' (validating both the client and server prior to transmitting data) and encryption for data sent via NFS. This is implemented with the '''RPCSEC_GSS''' security flavor of ONC RPC protocol, defined by RFC 1831 | + | Kerberos can be used to provide both '''mutual authentication''' (validating both the client and server prior to transmitting data) and encryption for data sent via NFS. This is implemented with the '''RPCSEC_GSS''' security flavor of ONC RPC protocol, defined by RFC 1831 and RFC 2203. This sub-section of [[NFS_Howto_Security|NFS Howto: Security]] attempts to provide a complete and accurate cookbook configuration guide for how to get Kerberos validation / authentication working with NFSv3/NFSv4 mount points. |
===== Requirements ===== | ===== Requirements ===== | ||
+ | *''/etc/services'' should have entries in it for port '''2049''' for both TCP and UDP NFS. This should be present in virtually every modern version of Linux, but it warrants mentioning. | ||
*A working '''[http://kerberos.mit.edu Kerberos]''' realm for all of your NFS clients and server to authenticate against. | *A working '''[http://kerberos.mit.edu Kerberos]''' realm for all of your NFS clients and server to authenticate against. | ||
- | *A working '''[http://www.ntp.org NTP]''' configuration on all hosts participating in your '''Kerberos''' realm. | + | *A working '''[http://www.ntp.org NTP]''' configuration on all hosts participating in your '''Kerberos''' realm. This will insure that the system clocks on your machines are set to matching times. |
+ | *Proper forward/reverse name FQDN/IP resolution must be working in DNS, or, at a minimum, the '''/etc/hosts''' file must contain this information. The machine's hostname must also not be included on the ''localhost'' line, aka: | ||
+ | <pre> | ||
+ | [cmsmith@client ~]$ cat /etc/hosts | ||
+ | # Do not remove the following line, or various programs | ||
+ | # that require network functionality will fail. | ||
+ | 127.0.0.1 localhost.localdomain localhost | ||
+ | 10.161.131.10 client.sourceforge.net client | ||
+ | </pre> | ||
+ | Is ok. Whereas this: | ||
+ | <pre> | ||
+ | [cmsmith@client ~]$ cat /etc/hosts | ||
+ | # Do not remove the following line, or various programs | ||
+ | # that require network functionality will fail. | ||
+ | 127.0.0.1 localhost.localdomain client localhost | ||
+ | </pre> | ||
+ | is not. | ||
===== Kerberos Configuration ===== | ===== Kerberos Configuration ===== | ||
+ | To use Kerberized NFS, we need to add the following into ''/etc/sysconfig/nfs'' to start the necessary additional daemons on the client: | ||
+ | <pre> | ||
+ | # echo "SECURE_NFS=YES" >> /etc/sysconfig/nfs | ||
+ | </pre> | ||
+ | Next, create an NFS principal for the host(s) that will be involved in NFS transactions. This means that ''both'' the NFS server and the NFS client need to have a special principal in place. Create them as follows: | ||
+ | <pre> | ||
+ | # kadmin | ||
+ | Authenticating as principal root/admin@SOURCEFORGE.NET with password. | ||
+ | Password for root/admin@SOURCEFORGE.NET: | ||
+ | kadmin: addprinc -randkey nfs/client.sourceforge.net | ||
+ | WARNING: no policy specified for nfs/client.sourceforge.net@SOURCEFORGE.NET; defaulting to no policy | ||
+ | Principal "nfs/client.sourceforge.net@SOURCEFORGE.COM" created. | ||
+ | </pre> | ||
+ | On each of the clients, download the necessary principals to the local keytab file using '''ktadd'''. As an example, for the NFS client secondus.rdu.kronos.net would require you to run: | ||
+ | <pre> | ||
+ | # kadmin | ||
+ | kadmin: ktadd nfs/client.sourceforge.net | ||
+ | Entry for principal nfs/client.sourceforge.net with kvno 4, encryption type DES cbc mode with CRC-32 | ||
+ | added to keytab WRFILE:/etc/krb5.keytab. | ||
+ | </pre> | ||
+ | |||
===== NFSv3 Specifics ===== | ===== NFSv3 Specifics ===== | ||
===== NFSv4 Specifics ===== | ===== NFSv4 Specifics ===== | ||
- | + | ==== SPKM and NFS ==== | |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + | ||
- | + |
Latest revision as of 16:36, 11 April 2006
Contents |
Kerberos and NFS
Kerberos can be used to provide both mutual authentication (validating both the client and server prior to transmitting data) and encryption for data sent via NFS. This is implemented with the RPCSEC_GSS security flavor of ONC RPC protocol, defined by RFC 1831 and RFC 2203. This sub-section of NFS Howto: Security attempts to provide a complete and accurate cookbook configuration guide for how to get Kerberos validation / authentication working with NFSv3/NFSv4 mount points.
Requirements
- /etc/services should have entries in it for port 2049 for both TCP and UDP NFS. This should be present in virtually every modern version of Linux, but it warrants mentioning.
- A working Kerberos realm for all of your NFS clients and server to authenticate against.
- A working NTP configuration on all hosts participating in your Kerberos realm. This will insure that the system clocks on your machines are set to matching times.
- Proper forward/reverse name FQDN/IP resolution must be working in DNS, or, at a minimum, the /etc/hosts file must contain this information. The machine's hostname must also not be included on the localhost line, aka:
[cmsmith@client ~]$ cat /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 localhost.localdomain localhost 10.161.131.10 client.sourceforge.net client
Is ok. Whereas this:
[cmsmith@client ~]$ cat /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 localhost.localdomain client localhost
is not.
Kerberos Configuration
To use Kerberized NFS, we need to add the following into /etc/sysconfig/nfs to start the necessary additional daemons on the client:
# echo "SECURE_NFS=YES" >> /etc/sysconfig/nfs
Next, create an NFS principal for the host(s) that will be involved in NFS transactions. This means that both the NFS server and the NFS client need to have a special principal in place. Create them as follows:
# kadmin Authenticating as principal root/admin@SOURCEFORGE.NET with password. Password for root/admin@SOURCEFORGE.NET: kadmin: addprinc -randkey nfs/client.sourceforge.net WARNING: no policy specified for nfs/client.sourceforge.net@SOURCEFORGE.NET; defaulting to no policy Principal "nfs/client.sourceforge.net@SOURCEFORGE.COM" created.
On each of the clients, download the necessary principals to the local keytab file using ktadd. As an example, for the NFS client secondus.rdu.kronos.net would require you to run:
# kadmin kadmin: ktadd nfs/client.sourceforge.net Entry for principal nfs/client.sourceforge.net with kvno 4, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.