Secure Unix LAN (NIS and Kerberized NFSv4)

Add a host to the LAN

by ross at 09:55:38 on November 1, 2016

Setup workstation

On the client machine add to /etc/rc.conf:

# Enable NIS client
nis_client_flags="-S lan,coffin.lan -m"

# Enable NFS client

The -S parameter in nis_client_flags has the form "-S <domain-name>,<server-name>", so the line above binds the client to the NIS domain lan on the server coffin.lan.

Run vipw as root and add to the end of master.passwd:


Edit /etc/group, add to the end:


Copy /etc/krb5.conf from server to this machine:

# scp ross@coffin.lan:/etc/krb5.conf /etc/krb5.conf

Create the host keytab on the client (assuming its hostname is slim.lan):

# kadmin
kadmin> add --random-key host/slim.lan
root/admin@LAN's Password: 
Max ticket life [3 days]:unlimited
Max renewable life [1 week]:unlimited
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext host/slim.lan

Now we want to mount Kerberized NFS at boot time, but root does not hold a Kerberos ticket during boot, and a ticket is required to mount Kerberized NFSv4. So we give root a ticket (any valid ticket will do) by adding this to /etc/rc.local:

rm -f /tmp/krb5cc_*
kinit -l "1 year" -t /etc/krb5.keytab host/slim.lan


Edit /etc/pam.d/system and /etc/pam.d/sshd, uncomment these two lines:

auth            sufficient             no_warn try_first_pass
password        sufficient             no_warn try_first_pass

Leave the line #account required commented out.

There are other services in /etc/pam.d and /usr/local/etc/pam.d (for example gdm or kdm4) that you might want to edit as well.

Regular NFS mounts

Add imported filesystems to /etc/fstab:

coffin.lan:/share       /share          nfs     ro,late,nfsv4,sec=krb5i 0 0

Use the server's FQDN, not an IP address, in sec=krb5* fstab mounts.

Create mount points:

# mkdir /share
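A small check for the fstab entries above, added here as an example and not part of the original page: it rejects a line that lacks nfsv4, has a misspelled sec= flavor, or names the server by IP address or short hostname instead of FQDN. The sample lines at the bottom are constructed.

```shell
# Added example, not from the original page: sanity-check a Kerberized NFSv4
# entry from /etc/fstab before rebooting. Returns 0 when the line follows the
# conventions above (type nfs, nfsv4, sec=krb5*, server named by FQDN),
# otherwise prints the problem and returns 1.
check_nfs_fstab_line() {
    set -- $1                       # split the six fstab fields on whitespace
    dev=$1; fstype=$3; opts=$4
    [ "$fstype" = nfs ] || { echo "reject: not an nfs entry ($fstype)"; return 1; }

    host=${dev%%:*}
    # sec=krb5* authenticates the server by its nfs/<fqdn>@REALM principal,
    # so an IP literal or a short hostname cannot be used here.
    case $host in
        *[!0-9.]*) ;;               # has letters: a hostname
        *) echo "reject: '$host' is an IP address, use the FQDN"; return 1 ;;
    esac
    case $host in
        *.*) ;;
        *) echo "reject: '$host' is not fully qualified"; return 1 ;;
    esac

    # Walk the comma-separated option list.
    have_v4=0; sec=""
    oldifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            nfsv4) have_v4=1 ;;
            sec=*) sec=${o#sec=} ;;
        esac
    done
    IFS=$oldifs
    [ "$have_v4" = 1 ] || { echo "reject: missing nfsv4 option"; return 1; }
    case $sec in
        krb5|krb5i|krb5p) ;;
        "") echo "reject: no sec= option (would default to sec=sys)"; return 1 ;;
        *)  echo "reject: unknown sec flavor '$sec', typo?"; return 1 ;;
    esac
    echo "ok: $dev (sec=$sec)"
}

# Constructed sample entries: the line from this page, the same line with a
# typo in the sec flavor, and a mount by IP address.
for line in \
    "coffin.lan:/share /share nfs ro,late,nfsv4,sec=krb5i 0 0" \
    "coffin.lan:/share /share nfs ro,late,nfsv4,sec=rkb5i 0 0" \
    "192.0.2.10:/share /share nfs ro,late,nfsv4,sec=krb5i 0 0"; do
    check_nfs_fstab_line "$line"
done
```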

Automounted NFS

We will use autofs for /usr/home. Add to /etc/rc.conf:


Add to the end of /etc/auto_master:

/usr/home       auto_home

Create /etc/auto_home:

*       -nfsv4,sec=krb5i        coffin.lan:/usr/home/&

The automounter will then mount each home directory from coffin.lan on first access.