NFS Howto Submissions nfs krb5
From Linux NFS
(→Kerberos and NFS) |
(→Kerberos and NFS) |
||
Line 1: | Line 1: | ||
==== Kerberos and NFS ==== | ==== Kerberos and NFS ==== | ||
- | Kerberos can be used to provide both '''mutual authentication''' (validating both the client and server prior to transmitting data) and encryption for data sent via NFS. This is implemented with the '''RPCSEC_GSS''' security flavor, defined by '''RFC 2203'''. Please note that '''RPCSEC_GSS''' is designed to provide much more than Kerberos authentication for NFS, but discussion of other authentication types is outside the scope of this document. This subsection of [NFS_Howto_Security NFS Howto: Security] attempts to provide a complete and accurate cookbook configuration guide for how to get Kerberos validation / authentication working with NFSv3/NFSv4 mount points. | + | Kerberos can be used to provide both '''mutual authentication''' (validating both the client and server prior to transmitting data) and encryption for data sent via NFS. This is implemented with the '''RPCSEC_GSS''' security flavor, defined by '''RFC 2203'''. Please note that '''RPCSEC_GSS''' is designed to provide much more than Kerberos authentication for NFS, but discussion of other authentication types is outside the scope of this document. This subsection of [[NFS_Howto_Security NFS Howto: Security]] attempts to provide a complete and accurate cookbook configuration guide for how to get Kerberos validation / authentication working with NFSv3/NFSv4 mount points. |
===== Requirements ===== | ===== Requirements ===== | ||
===== Kerberos Configuration ===== | ===== Kerberos Configuration ===== |
Revision as of 14:17, 11 April 2006
Contents |
Kerberos and NFS
Kerberos can be used to provide both mutual authentication (validating both the client and server prior to transmitting data) and encryption for data sent via NFS. This is implemented with the RPCSEC_GSS security flavor, defined by RFC 2203. Please note that RPCSEC_GSS is designed to provide much more than Kerberos authentication for NFS, but discussion of other authentication types is outside the scope of this document. This subsection of NFS_Howto_Security NFS Howto: Security attempts to provide a complete and accurate cookbook configuration guide for how to get Kerberos validation / authentication working with NFSv3/NFSv4 mount points.
Requirements
Kerberos Configuration
NFSv3 Specifics
NFSv4 Specifics
Kerberos can be used to encrypt data
Kerberos 5 setup for NFSv4
The following is only necessary if you wish to use Kerberos 5 (krb5). (Which is a good idea.) We assume you have a Kerberos KDC installed somewhere and have configured Kerberos on your client and server. Create machine credentials for the client. This means creating a Kerberos V5 principal/instance name of the form nfs/dns.name.of.client@REALM, and either adding a key for this principal to an existing /etc/krb5.keytab or creating an /etc/krb5.keytab. Note: only the encryption type of des-cbc-crc is functional so far in the kernel, so add only this type of key.
kadmin: addprinc -randkey nfs/myclient.mydomain kadmin: ktadd -e des-cbc-crc:normal -k /tmp/keytab nfs/myclient.mydomain Now copy the new keytab /tmp/keytab to /etc/krb5.keytab on the client. Repeat steps 2 and 3 for the server, this time adding a key for nfs/dns.name.of.server@REALM to the keytab on the server. Things to be aware of when using Kerberos:
The system clocks on your machines must be set to the correct time; install ntp to make sure this is the case. The /etc/hosts file must list the fully-qualified domain name as the first entry on the line with the machine's IP address, and the machine's name must not be include on the localhost line. The /etc/services file must list the nfs service (port 2049). Something like the following: nfs 2049/tcp nfsd # Network File System nfs 2049/udp nfsd # Network File System