NFS V4 host authentication

NFS servers always identify client hosts by IP addresses and host names, regardless of the authentication method that you use. When Kerberos authentication is the only allowed security method for an exported directory, the NFS client session must be properly authenticated before gaining access to any of the data in that directory.

NFS V4 normally authenticates clients at the user level rather than at the host level. The two user authentication methods are auth_sys (UNIX authentication) and RPCSEC_GSS (Kerberos). Under the auth_sys security method, the user is authenticated at the client, usually through a logon name and password. The NFS server trusts the user and group identities presented by its clients. When an NFS client and server are using Kerberos 5 authentication, the client and server must establish a security context for NFS requests. The security context is a data structure that indicates that the client and server have completed a mutual authentication procedure. If requested, the context also contains the encryption keys that are used for protecting exchanged data. The security context has a lifetime and might need to be refreshed by the client.
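Because an export that still accepts auth_sys lets the server trust whatever user and group identities the client presents, an administrator wants to know which exported directories are not Kerberos-only. The following shell audit is an added example, not part of this documentation; it assumes the Linux /etc/exports format with a sec= option listing allowed flavors, and runs over a constructed sample file.

```shell
#!/bin/sh
# Added audit example, not from the original documentation.
# Lists NFS exports that still accept auth_sys, i.e. where the server would
# trust client-presented UIDs/GIDs instead of requiring an RPCSEC_GSS
# (Kerberos) security context. Assumes Linux /etc/exports syntax:
#   /path  client(opt,opt,...) [client2(...)]
# with a "sec=" option naming the allowed flavors (absent: defaults to sys).

# audit_exports FILE -> one line per entry allowing auth_sys: "<path> <client> <reason>"
audit_exports() {
    sed -e 's/#.*//' "$1" | awk '
    NF >= 2 {
        path = $1
        for (i = 2; i <= NF; i++) {                # each "client(options)" token
            entry = $i; client = entry; opts = ""
            if (match(entry, /\(.*\)$/)) {
                client = substr(entry, 1, RSTART - 1)
                opts   = substr(entry, RSTART + 1, RLENGTH - 2)
            }
            reason = "no sec= option (defaults to sys)"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) {
                    flavors = substr(o[j], 5)      # e.g. krb5:sys
                    reason = ((":" flavors ":") ~ /:sys:/) ? ("sec=" flavors " permits sys") : ""
                }
            if (reason != "") print path, client, reason
        }
    }'
}

# Constructed sample exports file (not taken from any real host) for the demo.
sample_exports() {
    cat <<'EOF'
/export/home   *.example.com(rw,sec=krb5p)       # Kerberos only: OK
/export/data   10.0.0.0/24(rw,sec=krb5:sys)      # falls back to auth_sys
/export/public 10.0.0.0/24(ro)                   # no sec=, defaults to sys
EOF
}

tmp=$(mktemp)
sample_exports > "$tmp"
audit_exports "$tmp"      # flags /export/data and /export/public, not /export/home
rm -f "$tmp"
```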

For more information about the RPCSEC_GSS authentication process, see the readme files and Network File System security.