Oracle ZFS Storage Appliance Security Overview
NFS shares are allocated with AUTH_SYS RPC authentication by default. You can also configure them to be shared with Kerberos security. With AUTH_SYS authentication, the client’s UNIX uid and gid are passed unauthenticated over the network and accepted by the NFS server. This authentication mechanism is easily defeated by anyone with root access on a client; therefore, it is best to use one of the other available security modes.
Additional access controls can be specified on a per-share basis to allow or disallow access to the shares for specific hosts, DNS domains, or networks.
Security modes are set on a per-share basis. The following list describes the available Kerberos security settings.
krb5 - End-user authentication through Kerberos V5
krb5i - krb5 plus integrity protection (data packets are tamper proof)
krb5p - krb5i plus privacy protection (data packets are tamper proof and encrypted)
Combinations of Kerberos types may also be specified in the security mode setting. The combination security modes let clients mount with any Kerberos types listed.
sys - System Authentication
krb5 - Kerberos v5 only, clients must mount using this type.
krb5:krb5i - Kerberos v5, with integrity, clients may mount using any type listed.
krb5i - Kerberos v5 integrity only, clients must mount using this type.
krb5:krb5i:krb5p - Kerberos v5, with integrity or privacy, clients may mount using any type listed.
krb5p - Kerberos v5 privacy only, clients must mount using this type.
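
Because a combination mode lets a client mount with any listed type, a share is only as strong as the weakest entry in its setting. The following is an added example, not Oracle's code: it reduces a mode string to its weakest flavor and checks which NFS mounts on a client fall below a required flavor. It assumes a Linux client whose /proc/mounts lines carry a `sec=` option; the host names and sample mount lines are constructed.

```shell
#!/bin/sh
# Rank the flavors named on this page, weakest first (-1 = unrecognized).
flavor_rank() {
    case "$1" in
        sys) echo 0 ;; krb5) echo 1 ;; krb5i) echo 2 ;; krb5p) echo 3 ;;
        *) echo -1 ;;
    esac
}

# weakest_flavor MODE: MODE is a share setting such as "krb5:krb5i:krb5p".
# Prints the weakest flavor a client is allowed to mount with.
weakest_flavor() {
    weakest="" ; weakest_rank=99
    old_ifs=$IFS ; IFS=:
    for f in $1; do
        r=$(flavor_rank "$f")
        if [ "$r" -lt "$weakest_rank" ]; then weakest=$f ; weakest_rank=$r ; fi
    done
    IFS=$old_ifs
    echo "$weakest"
}

# audit_mounts MIN: reads /proc/mounts-format lines on stdin and prints
# "<mountpoint> <flavor>" for every NFS mount weaker than MIN.
audit_mounts() {
    min_rank=$(flavor_rank "$1")
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
        [ -n "$sec" ] || sec=unknown   # no sec= option: report rather than assume
        if [ "$(flavor_rank "$sec")" -lt "$min_rank" ]; then
            echo "$mnt $sec"
        fi
    done
}

# Constructed sample input in /proc/mounts format (not from a real system).
SAMPLE_MOUNTS='filer.example.com:/export/home /home nfs4 rw,vers=4.1,sec=sys 0 0
filer.example.com:/export/hr /srv/hr nfs4 rw,vers=4.1,sec=krb5p 0 0
filer.example.com:/export/build /srv/build nfs rw,vers=3,sec=krb5 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Demo: require at least integrity protection (krb5i) on this client.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts krb5i
```

On a live client, run `audit_mounts krb5i < /proc/mounts` instead of the sample input.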