Secure Unix LAN (NIS and Kerberized NFSv4)

NFS Server

by ross at 09:26:23 on November 1, 2016

Add to /etc/rc.conf:

# Enable NFSv4 Server
nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfsuserd_enable="YES"
rpcbind_enable="YES"
gssd_enable="YES"
mountd_enable="YES"
mountd_flags="-n -S"

Create/update keytab file:

# kadmin
kadmin> add --random-key nfs/coffin.lan
[email protected]'s Password:
Max ticket life [3 days]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext nfs/coffin.lan

Reboot

Kerberized NFSv4

Add this line at the beginning of /etc/exports:

V4: /   -sec=krb5i:krb5p

  • krb5 - Use KerberosV for user authentication, but only protect the RPC header from compromise.
  • krb5i - Use KerberosV for user authentication, but also use encrypted checksums on the RPC data to protect against "man in the middle" attacks involving replacement of the RPC data.
  • krb5p - Use KerberosV for user authentication, but also encrypt the RPC data, so that it isn't on the wire in clear text.

ZFS filesystem export

# zfs set \
  sharenfs="sec=krb5i:krb5p,alldirs,network=192.168.10.0,mask=255.255.255.0" \
  system/usr/home

Here I export /usr/home with -alldirs to the LAN. This automatically updates /etc/zfs/exports, a read-only file you can inspect to see all currently exported ZFS filesystems.

UFS filesystem export

Add a line to /etc/exports:

/share        -ro -sec=krb5i:krb5p -maproot=root -network=192.168.10.0 -mask=255.255.255.0

This exports a UFS filesystem.

Do the export

Restart mountd after adding a new export:

# service mountd restart
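As an added check that is not part of the original post, the script below audits an exports file (the hand-written /etc/exports or the generated /etc/zfs/exports) and reports any entry whose -sec= list still admits sys (no Kerberos at all) or krb5 (header-only protection, as in the flavor list above), or that has no -sec= option, which mountd treats as sys. The sample file content, its path and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit exports entries so that
# every export is limited to the krb5i/krb5p flavors chosen for this LAN.

# check_exports FILE: print offending lines; return 0 if every entry is
# limited to krb5i/krb5p, 1 otherwise.
check_exports() {
    file="$1"
    bad=0
    while IFS= read -r line; do
        # skip blank lines and comments
        case "$line" in ''|\#*) continue ;; esac
        # pull the flavor list after "sec=" (e.g. krb5i:krb5p); whitespace or
        # a comma ends it, so zfs sharenfs-style strings are handled too
        sec=$(printf '%s\n' "$line" | sed -n 's/.*sec=\([^[:space:],]*\).*/\1/p')
        if [ -z "$sec" ]; then
            printf 'NO -sec (defaults to sys): %s\n' "$line"
            bad=1
            continue
        fi
        case ":$sec:" in
            *:sys:*|*:krb5:*)
                printf 'WEAK flavor list "%s": %s\n' "$sec" "$line"
                bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# write_sample FILE: constructed sample with two acceptable entries, one that
# also allows sys, and one with no -sec option at all.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample exports file
V4: /   -sec=krb5i:krb5p
/usr/home -sec=krb5i:krb5p -alldirs -network 192.168.10.0 -mask 255.255.255.0
/share -ro -sec=sys:krb5i -maproot=root -network=192.168.10.0 -mask=255.255.255.0
/backup -ro -network=192.168.10.0 -mask=255.255.255.0
EOF
}

# Audit the file given as argument, or the constructed sample if none is given.
if [ $# -gt 0 ]; then target="$1"; else target=$(mktemp); write_sample "$target"; fi
if check_exports "$target"; then
    echo "OK: all exports restricted to krb5i/krb5p"
else
    echo "FAIL: fix the entries listed above, then restart mountd"
fi
[ $# -gt 0 ] || rm -f "$target"
```

Run it against the live file with `sh check_exports.sh /etc/exports` (or /etc/zfs/exports) after every change and before restarting mountd.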
