A system administrator can implement policies that help secure the network. The level of security required will differ with each site. This section provides instructions for some tasks associated with network security.
Kerberos Version 4 authentication must be enabled on the network before you perform the following tasks.
Become superuser.
Share the file system with Kerberos authentication.
# share -F nfs -o sec=krb4 /filesystem
Become superuser.
Mount the file system with Kerberos authentication.
# mount -F nfs -o sec=krb4 server:resource mountpoint

The -o sec=krb4 option mounts the file system with AUTH_KERB (Kerberos Version 4) authentication.
If the NFS file system that you need to access has not been mounted, you need to acquire a ticket for superuser on the client before mounting it.
Become superuser.
Acquire a Kerberos ticket on the client.
# kinit root.hostname

hostname is the name of the client system.

# kinit root.earth
Password:
#
If the entry root.hostname for the client has been entered into the /etc/srvtab configuration file, you can use the ksrvtgt command to get a ticket for superuser. In this case, you are not required to give a superuser password. Consult the MIT documentation for information about initializing the /etc/srvtab file.
# ksrvtgt root.earth
#
Log in to the Kerberos service by using the kinit -l username command.
earth% kinit -l username

The kinit command prompts you for the ticket lifetime (-l option) and for your password. With the verbose option (-v), it also prints the ticket status.

earth% kinit -l jjones
SunOS (earth)
Kerberos Initialization for "jjones"
Kerberos ticket lifetime (minutes): 480
Password:
earth%
earth% klist

earth% klist
Ticket file: /tmp/tkt8516
Principal: jjones@North.Abc.COM

  Issued           Expires          Principal
Jan 14 20:40:54  Jan 15:04:40:54  krbtgt.North.Abc.COM@North.Abc.COM
Type cd /mountpoint.
Access the mounted directory, just as you would any other mounted directory. You can list the files in the directory with the ls command, or list the Kerberos tickets with the klist command.
In the following example, user jjones can change to the mounted mntkrb directory and list the files in this directory.
The kerbd daemon has automatically secured a ticket on the user's behalf for the NFS server exporting the file system. At this point there are two valid tickets--the original ticket-granting ticket, and the server ticket. These two tickets are listed by klist.
earth% cd /mntkrb
earth% ls -l /mntkrb
-rw-r--r--   1 marks    staff         29 Jul 14 12:22 sports
drwxr-xr-x   3 jjones   staff        512 Sep 13 13:44 market
earth% klist
Ticket file: /tmp/tkt8516
Principal: jjones@North.Abc.COM

  Issued           Expires          Principal
Jan 14 20:40:54  Jan 15:04:40:54  krbtgt.North.Abc.COM@North.Abc.COM
Jan 14 20:43:21  Jan 15:04:43:21  nfs.pluto@North.Abc.COM
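The listing above is normally checked by eye. The following shell script, added here as an example and not part of the Solaris documentation, parses klist output in the same layout and reports whether the ticket-granting ticket and the NFS server ticket are both present, which is the state the text describes after changing into the mounted directory. The klist text embedded in the script is constructed sample data, and the function names and the second server name (mars) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: parse Kerberos V4 `klist` output (layout as shown on this
# page) and check which tickets the cache holds. The klist output below is
# constructed sample data; the function names are this example's own.

KLIST_SAMPLE='Ticket file: /tmp/tkt8516
Principal: jjones@North.Abc.COM

  Issued           Expires          Principal
Jan 14 20:40:54  Jan 15 04:40:54  krbtgt.North.Abc.COM@North.Abc.COM
Jan 14 20:43:21  Jan 15 04:43:21  nfs.pluto@North.Abc.COM'

# list_principals KLIST_OUTPUT: print the principal of every ticket line,
# skipping the "Ticket file:", "Principal:" and column-header lines.
list_principals() {
    printf '%s\n' "$1" | awk '
        /^Ticket file:/ || /^Principal:/ || /^ *Issued/ || NF == 0 { next }
        { print $NF }'
}

# count_tickets KLIST_OUTPUT: number of tickets in the cache.
count_tickets() {
    list_principals "$1" | awk 'END { print NR }'
}

# cache_realm KLIST_OUTPUT: realm of the cache owner, taken from the
# "Principal:" header line.
cache_realm() {
    printf '%s\n' "$1" | awk -F@ '/^Principal:/ { print $2; exit }'
}

# has_ticket KLIST_OUTPUT PRINCIPAL: succeed if a ticket for PRINCIPAL exists.
has_ticket() {
    list_principals "$1" | grep -qxF -- "$2"
}

# ticket_expiry KLIST_OUTPUT PRINCIPAL: print the Expires column for PRINCIPAL
# (every field between the Issued timestamp and the principal name).
ticket_expiry() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF == p { s = ""; for (i = 4; i < NF; i++) s = s (i > 4 ? " " : "") $i; print s; exit }'
}

# check_nfs_access KLIST_OUTPUT SERVER: report the ticket state for the NFS
# server named SERVER. Exit status:
#   0  ticket-granting ticket and nfs.SERVER ticket both present
#   1  ticket-granting ticket present, but no nfs.SERVER ticket yet
#      (kerbd obtains it on first access to the mounted directory)
#   2  no ticket-granting ticket at all (kinit is needed first)
check_nfs_access() {
    out=$1
    server=$2
    realm=$(cache_realm "$out")
    if ! list_principals "$out" | grep -q '^krbtgt\.'; then
        echo "no ticket-granting ticket in cache; run kinit"
        return 2
    fi
    if has_ticket "$out" "nfs.$server@$realm"; then
        echo "ticket for nfs.$server@$realm expires $(ticket_expiry "$out" "nfs.$server@$realm")"
        return 0
    fi
    echo "ticket-granting ticket present, no server ticket for nfs.$server@$realm yet"
    return 1
}

# Usage against the constructed sample: pluto has a server ticket, mars does not.
check_nfs_access "$KLIST_SAMPLE" pluto
check_nfs_access "$KLIST_SAMPLE" mars || true
```

On a live system the sample variable would be replaced by `$(klist)`; the parsing relies only on the column layout shown on this page (Issued, Expires, Principal), so an exit status of 2 from check_nfs_access after a failed directory access points at a missing or destroyed ticket-granting ticket rather than at the server.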
Enter kdestroy.
Destroy Kerberos tickets when the session is over, so that an unauthorized user cannot gain access to them. If you want to reinitiate Kerberos authentication, use the kinit command.
The following example shows how to destroy the Kerberos ticket. If the user then tries to change to or list a Kerberos-protected directory, the ticket server denies access.
earth% kdestroy
Tickets destroyed
earth% ls /mntkrb
Can't get Kerberos key: No ticket file (tf_util)
NFS getattr failed for server pluto: RPC: Authentication error
can not access directory /mntkrb.