System Administration Guide

Implementation of Kerberos Authentication with NFS

The following process assumes that the Kerberos key distribution center (KDC) is already installed on the network, using the publicly available sources from MIT Project Athena.

  1. The /usr/sbin/kerbd daemon must be running on the NFS client and server.

    This daemon is normally started by inetd when it is needed. The rpcinfo command can be used to make sure that the kerbd service is registered. kerbd is the user-mode daemon: it interfaces with the kernel RPC and the KDC, and it generates and validates authentication tickets.

  2. The system administrator sets up the NFS server to use Kerberos authentication.

    The MIT Kerberos software is used to register the principal names in the Kerberos key distribution center (KDC) on the Kerberos server. The following entries are required:

    • root.hostname (required for each NFS client)

    • nfs.hostname (required for each NFS server)

  3. The user mounts the shared file system.

    The user on the client must get a ticket for root on the client to mount the shared file system.

  4. The user logs in to the Kerberos service, using the kinit command.

    The Kerberos authentication server authenticates the request, and grants a ticket for the ticket-granting service.

  5. The user accesses the mounted directory.

    The kerbd daemon automatically secures a ticket on behalf of the client for the NFS server exporting the file system. At this point there are two valid tickets: the original ticket-granting ticket and one for the server.

  6. The user destroys the tickets at the end of the session to prevent them from being compromised.

    The kdestroy command destroys the user's active Kerberos authorization tickets by writing zeros to the file that contains the tickets. You can put the kdestroy command in your .logout file, so that all Kerberos tickets are automatically destroyed when you log out of the system.

  7. If tickets have been destroyed before the session has finished, the user must request a new ticket with the kinit command.
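The steps above, wrapped in one Bourne shell session as an added example (not from this guide): the kerbd check parses rpcinfo -p output, and kdestroy is registered in a trap so the tickets are wiped however the session ends. It assumes the "kerberos" option of mount_nfs selects Kerberos authentication for the mount and that RPC program 100078 is kerbd; the rpcinfo lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the Solaris guide. Assumptions (not stated on the
# page): the mount_nfs "kerberos" option requests Kerberos authentication,
# and RPC program 100078 is kerbd. Sample rpcinfo lines are constructed.

# Step 1 check: does `rpcinfo -p` output (read from stdin) list the kerbd
# service?  Columns are: program vers proto port service, for example:
#     100078    4   udp   1026  kerbd
kerbd_registered() {
    awk '$5 == "kerbd" { found = 1 } END { exit found ? 0 : 1 }'
}

# Build the mount command for a Kerberos-authenticated NFS mount (step 3).
kerberos_mount_cmd() {
    # $1 = NFS server, $2 = exported path, $3 = local mount point
    printf 'mount -F nfs -o kerberos %s:%s %s\n' "$1" "$2" "$3"
}

# Run the whole procedure. The trap is set before kinit so the ticket file
# is zeroed by kdestroy (step 6) on normal exit, HUP, INT or TERM alike.
nfs_kerberos_session() {
    server=$1; export_path=$2; mnt=$3
    rpcinfo -p | kerbd_registered || {
        echo "kerbd is not registered with rpcbind on this client" >&2
        return 1
    }
    trap 'umount "$mnt" 2>/dev/null; kdestroy' EXIT HUP INT TERM
    kinit || return 1                    # step 4: obtain the ticket-granting ticket
    eval "$(kerberos_mount_cmd "$server" "$export_path" "$mnt")" || return 1
    ls "$mnt"                            # step 5: first access; kerbd fetches the NFS server ticket
}
```

Run it as `nfs_kerberos_session nfsserver /export/home /home` from a root shell that already holds the client's root ticket; if a job needs the mount after the script exits, request a fresh ticket with kinit (step 7).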