Managing Network File Systems in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014

How to Set Up a Secure NFS Environment With DH Authentication

  1. Assign a domain name.

    Make the domain name known to each system in the domain. For information about setting up a machine's NIS domain name, see How to Set a Machine’s NIS Domain Name in Working With Oracle Solaris 11.2 Directory and Naming Services: DNS and NIS .

    # domainname domain-name
  2. Establish public keys and secret keys for your clients' users by using the newkey command.
    # newkey -u username -s name-service

    Users can establish personal secure RPC passwords by using the chkey command.

    # chkey -p -s name-service -m mechanism

    When public keys and secret keys have been generated, the public keys and encrypted secret keys are stored in the publickey database.

    For information about these commands, see the newkey (1M) and the chkey (1) man pages.

  3. Verify that the name service is responding.
  4. Verify that the keyserv daemon of the key server is running.
    # ps -ef | grep keyserv
    root    100      1  16    Apr 11 ?        0:00 /usr/sbin/keyserv
    root   2215   2211   5  09:57:28 pts/0    0:00 grep keyserv

    If the daemon is not running, type the following to start the key server:

    # svcadm enable network/rpc/keyserv
  5. Decrypt and store the secret key.

    Usually, the login password is identical to the network password. In this situation, keylogin is not required. If the passwords are different, the users have to log in, and then run keylogin. You still need to use the keylogin -r command as root to store the decrypted secret key in /etc/.rootkey.

    Note -  You need to run keylogin -r if the root secret key changes or if the /etc/.rootkey file is lost.
  6. Set the security mode for the file system to be shared.

    For Diffie-Hellman authentication add the –sec=dh option to the command line.

    # share -F nfs -o sec=dh /export/home

    For more information about security modes, see the nfssec (5) man page.

  7. Update the automounter maps for the file system.

    If you are using Diffie-Hellman authentication, edit the auto_master data to include –sec=dh as a mount option in the appropriate entries.

    /home	auto_home	-nosuid,sec=dh

    When you reinstall, move, or upgrade a system, remember to save the /etc/.rootkey file if you do not establish new keys or change the keys for root. If you delete the /etc/.rootkey file, type the following command:

    # keylogin -r