Go to main content
Oracle® ZFS Storage Appliance Security Guide, Release OS8.7.0

Exit Print View

Updated: July 2017

NFS Authentication and Encryption Options

In addition to the appliance's capability to use Kerberos to authenticate users for administrative login and for access to services, Kerberos can also be used to set security for individual shares that use the NFS protocol.

NFS shares are allocated with AUTH_SYS RPC authentication by default. You can also configure them to be shared with Kerberos security. Using AUTH_SYS authentication, the client’s UNIX User ID (UID) and Group ID (GID) are passed unauthenticated on the network by the NFS server. This authentication mechanism is easily defeated by anyone with root access on a client; therefore, it is best to use one of the other available security modes.

Additional access controls can be specified on a per-share basis to allow or disallow access to the shares for specific hosts, DNS domains, or networks.

Security Modes

Security modes are set on a per-share basis. The following list describes the available Kerberos security settings:

  • krb5 - End-user authentication through Kerberos V5

  • krb5i - krb5 plus integrity protection (data packets are tamper proof)

  • krb5p - krb5i plus privacy protection (data packets are tamper proof and encrypted)

Combinations of Kerberos types may also be specified in the security mode setting. The combination security modes let clients mount with any Kerberos types listed.

Kerberos Types

  • sys - System Authentication

  • krb5 - Kerberos v5 only, clients must mount using this type

  • krb5:krb5i - Kerberos v5, with integrity, clients may mount using any type listed

  • krb5i - Kerberos v5 integrity only, clients must mount using this type

  • krb5:krb5i:krb5p - Kerberos v5, with integrity or privacy, clients may mount using any type listed

  • krb5p - Kerberos v5 privacy only, clients must mount using this type