Secure Unix LAN (NIS and Kerberized NFSv4)

NFS Server

by ross at 09:26:23 on November 1, 2016

Add to /etc/rc.conf:

# Enable NFSv4 Server
mountd_flags="-n -S"

Create/update keytab file:

# kadmin
kadmin> add --random-key nfs/coffin.lan
root/admin@LAN's Password:
Max ticket life [3 days]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext nfs/coffin.lan
Kerberized NFSv4

Add to the beginning of /etc/exports this line:

V4: /   -sec=krb5i:krb5p

  • krb5 - Use KerberosV for user authentication, but only protect the RPC header from compromise.
  • krb5i - Use KerberosV for user authentication, but also use encrypted checksums on the RPC data to protect against "man in the middle" attacks involving replacement of the RPC data.
  • krb5p - Use KerberosV for user authentication, but also encrypt the RPC data, so that it isn't on the wire in clear text.

ZFS filesystem export

# zfs set \
  sharenfs="sec=krb5i:krb5p,alldirs,network=,mask=" \

Here I export /usr/home with -alldirs to the LAN. This will automatically update /etc/zfs/exports, a read-only file you can check to see all currently exported ZFS filesystems.

UFS filesystem export

Add a line to /etc/exports:

/share        -ro -sec=krb5i:krb5p -maproot=root -network= -mask=

This will export a UFS filesystem.
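As an added example (not part of the original page), here is a small audit of /etc/exports lines in the format used above: it reads each export's -sec= list and reports exports that still accept the weak flavours (sys, or header-only krb5) alongside krb5i/krb5p, plus -maproot=root on a writable export. The sample exports text and the 192.0.2.0/24 network filled into network=/mask= are constructed for the demonstration.

```python
import re

# Flavours that protect the RPC data itself (integrity or privacy).
STRONG_FLAVOURS = {"krb5i", "krb5p"}
# What the weaker flavours mean when reported (exports(5) semantics).
WEAK_NOTE = {
    "sys": "AUTH_SYS, no Kerberos: client-asserted uid/gid",
    "krb5": "Kerberos auth only, RPC data unprotected on the wire",
}

def parse_sec(line):
    """Return the flavours listed in a line's -sec= option, [] if absent."""
    m = re.search(r"(?:^|\s)-?sec=(\S+)", line)
    return m.group(1).split(":") if m else []

def audit_exports(text):
    """Return (line number, finding) pairs for exports that weaken the setup."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        flavours = parse_sec(line)
        if not flavours:
            # exports(5): an export without -sec= accepts only sys.
            findings.append((lineno, "no -sec= option, defaults to sys (no Kerberos)"))
        else:
            for f in [f for f in flavours if f not in STRONG_FLAVOURS]:
                findings.append((lineno, f"permits {f}: {WEAK_NOTE.get(f, 'unknown flavour')}"))
        if "-maproot=root" in fields and "-ro" not in fields:
            findings.append((lineno, "-maproot=root on a writable (no -ro) export"))
    return findings

# Constructed sample: the V4 root line and exports in the page's format,
# with a documentation-range LAN (192.0.2.0/24) filled in for network=/mask=.
SAMPLE_EXPORTS = """\
V4: /   -sec=krb5i:krb5p
/share     -ro -sec=krb5i:krb5p -maproot=root -network=192.0.2.0 -mask=255.255.255.0
/usr/home  -alldirs -sec=krb5:krb5i -network=192.0.2.0 -mask=255.255.255.0
/scratch   -maproot=root -network=192.0.2.0 -mask=255.255.255.0
"""

if __name__ == "__main__":
    for lineno, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"exports line {lineno}: {finding}")
```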

Do the export

Restart mountd after exporting new fs:

# service mountd restart