|Skip Navigation Links|
|Exit Print View|
|Managing Network File Systems in Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library|
To use the Secure NFS system, all the computers that you are responsible for must have a domain name. Typically, a domain is an administrative entity of several computers that is part of a larger network. If you are running a name service, you should also establish the name service for the domain. See Oracle Solaris Administration: Naming and Directory Services.
Kerberos V5 authentication is supported by the NFS service. Chapter 19, Introduction to the Kerberos Service, in Oracle Solaris 11.1 Administration: Security Services discusses the Kerberos service.
You can also configure the Secure NFS environment to use Diffie-Hellman authentication. Chapter 18, Network Services Authentication (Tasks), in Oracle Solaris 11.1 Administration: Security Services discusses this authentication service.
Make the domain name known to each computer in the domain.
Use the newkey command. Have each user establish his or her own secure RPC password by using the chkey command.
When public keys and secret keys have been generated, the public keys and encrypted secret keys are stored in the publickey database.
If you are running NIS, verify that the ypbind daemon is running.
Type the following command.
# ps -ef | grep keyserv root 100 1 16 Apr 11 ? 0:00 /usr/sbin/keyserv root 2215 2211 5 09:57:28 pts/0 0:00 grep keyserv
If the daemon is not running, start the key server by typing the following:
# svcadm enable network/rpc/keyserv
Usually, the login password is identical to the network password. In this situation, keylogin is not required. If the passwords are different, the users have to log in, and then run keylogin. You still need to use the keylogin -r command as root to store the decrypted secret key in /etc/.rootkey.
Note - You need to run keylogin -r if the root secret key changes or if /etc/.rootkey is lost.
For Diffie-Hellman authentication add the sec=dh option to the command line.
# share -F nfs -o sec=dh /export/home
For more information about security modes, see the nfssec(5) man page.
Edit the auto_master data to include sec=dh as a mount option in the appropriate entries for Diffie-Hellman authentication:
/home auto_home -nosuid,sec=dh
When you reinstall, move, or upgrade a computer, remember to save /etc/.rootkey if you do not establish new keys or change the keys for root. If you do delete /etc/.rootkey, you can always type the following:
# keylogin -r