Managing Network File Systems in Oracle® Solaris 11.2

Updated: July 2014

How to Set Up a Secure NFS Environment With DH Authentication

  1. Assign a domain name.

    Make the domain name known to each system in the domain. For information about setting up a machine's NIS domain name, see How to Set a Machine’s NIS Domain Name in Working With Oracle Solaris 11.2 Directory and Naming Services: DNS and NIS.

    # domainname domain-name
  2. Establish public keys and secret keys for your clients' users by using the newkey command. Run newkey as root; the -s option names the name service (for example nis, files, or ldap) whose publickey database receives the new key pair.
    # newkey -u username -s name-service
      

    Users can establish personal secure RPC passwords by using the chkey command.

    # chkey -p -s name-service -m mechanism
      

    When public keys and secret keys have been generated, the public keys and encrypted secret keys are stored in the publickey database.

    For information about these commands, see the newkey (1M) and the chkey (1) man pages.

  3. Verify that the name service is responding.
  4. Verify that the keyserv daemon of the key server is running.
    # ps -ef | grep keyserv
    root    100      1  16    Apr 11 ?        0:00 /usr/sbin/keyserv
    root   2215   2211   5  09:57:28 pts/0    0:00 grep keyserv

    If the daemon is not running, type the following to start the key server:

    # svcadm enable network/rpc/keyserv
  5. Decrypt and store the secret key.

    Usually, the login password is identical to the network (secure RPC) password. In that case keyserv decrypts a user's secret key at login time and no separate keylogin is required. If the two passwords differ, users must log in and then run keylogin themselves. In either case, run keylogin -r as root to store root's decrypted secret key in /etc/.rootkey; keyserv reads this file at startup, so the system can authenticate itself as an NFS server and client after a reboot without anyone typing root's network password.


    Note -  You need to run keylogin -r if the root secret key changes or if the /etc/.rootkey file is lost.
  6. Set the security mode for the file system to be shared.

    For Diffie-Hellman authentication, add sec=dh to the share options with the -o option:

    # share -F nfs -o sec=dh /export/home

    For more information about security modes, see the nfssec (5) man page.

    Note -  sec=dh relies on AUTH_DH, the original Secure RPC scheme, whose default 192-bit Diffie-Hellman key exchange is weak by current standards. Where a Kerberos realm is available, the krb5, krb5i, and krb5p modes listed in nfssec (5) provide stronger authentication and, with krb5i and krb5p, message integrity and privacy as well.

  7. Update the automounter maps for the file system.

    If you are using Diffie-Hellman authentication, edit the auto_master map to include sec=dh as a mount option in the appropriate entries, for example in the entry for the auto_home map:

    /home	auto_home	-nosuid,sec=dh

    When you reinstall, move, or upgrade a system, save the /etc/.rootkey file unless you intend to establish new keys or change the keys for root. If the /etc/.rootkey file is deleted, recreate it as root with the following command:

    # keylogin -r
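Once steps 1 through 7 are done, the state they leave behind can be audited from the shell. The script below is an added example and is not part of the Oracle Solaris documentation. It assumes the documented sharetab(4) layout (path, resource, fstype, options), the auto_master(4) layout (mount point, map, options with a leading "-"), and that /etc/.rootkey should be mode 0600 and owned by root; the check_* functions take their input as arguments or files so they can be exercised with constructed data on any system, while audit_secure_nfs runs them against the live host and only calls the Solaris tools that are present.

```shell
#!/bin/sh
# Post-setup audit for a secure NFS (AUTH_DH) server.
# Added example; not part of the Oracle Solaris documentation.

# Step 1: the domain name must be set, otherwise secure RPC cannot look up
# this host's and its users' keys in the publickey database.
check_domainname() {
    # $1: the output of `domainname`
    [ -n "$1" ] && [ "$1" != "(none)" ]
}

# Step 6: every NFS entry in the sharetab must carry sec=dh.
# Assumed sharetab layout (sharetab(4)): path resource fstype options [desc].
# Prints the paths of shares exported without sec=dh; returns 1 if any exist.
check_sharetab_dh() {
    # $1: path to a file in sharetab format
    awk 'BEGIN { bad = 0 }
         /^#/ || NF < 3 { next }
         $3 == "nfs" && ("," $4 ",") !~ /,sec=dh,/ { print $1; bad = 1 }
         END { exit bad }' "$1"
}

# Step 7: the first auto_master entry for a mount point must pass sec=dh as a
# mount option (field 3, written with a leading "-", e.g. -nosuid,sec=dh).
# Returns 0 only if the entry exists and includes sec=dh.
check_auto_master_dh() {
    # $1: path to an auto_master-format file, $2: mount point, e.g. /home
    awk -v mp="$2" 'BEGIN { found = 0; ok = 0 }
         /^#/ || NF < 2 { next }
         $1 == mp && !found { found = 1; opts = $3; sub(/^-/, "", opts)
                              if (("," opts ",") ~ /,sec=dh,/) ok = 1 }
         END { if (found && ok) exit 0; exit 1 }' "$1"
}

# Step 5: /etc/.rootkey holds root's decrypted secret key. It must exist,
# be owned by root, and be readable by root only (mode 0600).
check_rootkey() {
    f=$1
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")      # field 1: mode string, field 3: owner
    case "$1" in -rw-------*) ;; *) return 1 ;; esac
    [ "$3" = "root" ]
}

# Run the checks against the live system (steps 1, 4, 5, 6 and 7).
audit_secure_nfs() {
    rc=0
    if command -v domainname >/dev/null 2>&1; then
        check_domainname "$(domainname)" || { echo "FAIL: domain name not set"; rc=1; }
    fi
    if command -v svcs >/dev/null 2>&1; then
        [ "$(svcs -H -o state network/rpc/keyserv)" = "online" ] \
            || { echo "FAIL: keyserv not online (svcadm enable network/rpc/keyserv)"; rc=1; }
    fi
    check_rootkey /etc/.rootkey \
        || { echo "FAIL: /etc/.rootkey missing or not 0600 root (run keylogin -r)"; rc=1; }
    if [ -r /etc/dfs/sharetab ]; then
        check_sharetab_dh /etc/dfs/sharetab \
            || { echo "FAIL: the shares listed above are exported without sec=dh"; rc=1; }
    fi
    if [ -r /etc/auto_master ]; then
        check_auto_master_dh /etc/auto_master /home \
            || { echo "FAIL: /home entry in /etc/auto_master lacks sec=dh"; rc=1; }
    fi
    return $rc
}

# Run the live audit only when asked, e.g.: sh nfs_dh_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_secure_nfs
fi
```

Run it with --live on the NFS server after step 7 and again after any reinstall or upgrade; a non-zero exit with the FAIL lines tells you which step to repeat. The sharetab check is the one to watch most closely, because a share added later without sec=dh silently reopens the file system to AUTH_SYS clients.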