Secure Network File System checklist

This checklist helps ensure that secure NFS operates correctly.

  • When mounting a file system with the -secure option on a client, the server name must match the server host name in the /etc/hosts file. If a name server is being used for host-name resolution, make sure the host information returned by the name server matches the entry in the /etc/hosts file. Authentication errors result if these names do not match because the net names for machines are based on the primary entries in the /etc/hosts file and keys in the publickey map are accessed by net name.
  • Do not mix secure and nonsecure exports and mounts. Otherwise, file access might be determined incorrectly. For example, if a client machine mounts a secure file system without the -secure option or mounts a nonsecure system with the -secure option, users have access as nobody, rather than as themselves. This condition also occurs if a user is unknown to NIS and that user attempts to create or modify files on a secure file system.
  • Because NIS must propagate a new map after each use of the chkey and newkey commands, use these commands only when the network is lightly loaded.
  • Do not delete the /etc/keystore file or the /etc/.rootkey file. If you reinstall, move, or upgrade a machine, save the /etc/keystore and /etc/.rootkey files.
  • Instruct users to use the yppasswd command rather than the passwd command to change passwords. Doing so keeps passwords and private keys synchronized.
  • Because the login command does not retrieve keys out of the publickey map for the keyserv daemon, the user must run the keylogin command. You may want to place the keylogin command in each user profile file to run the command automatically during login. The keylogin command requires users to enter their password again.
  • When you generate keys for the root user at each host with either the newkey -h or chkey command, you must run the keylogin command to pass the new keys to the keyserv daemon. The keys are stored in the /etc/.rootkey file, which is read by the keyserv daemon each time the daemon is started.
  • Periodically verify that the yppasswdd and ypupdated daemons are running on the NIS master server. These daemons are necessary for maintaining the publickey map.
  • Periodically verify that the keyserv daemon is running on all machines using secure NFS.
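
The first item's name check can be scripted. The following is an added example, not part of the original checklist: it tests whether the name used for a -secure mount is the primary entry in a hosts file and whether a name-server answer agrees with it. The function names, the sample hosts entries, and passing the name-server answer as an argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify the server name used for a -secure mount against
# the primary entry in a hosts file (function names are hypothetical).

# Print the primary (first) host name on the hosts-file line that lists $2
# as either the primary name or an alias. Comments and blanks are skipped.
hosts_primary_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }        # strip trailing comments
        NF < 2 { next }           # need an address and at least one name
        { for (i = 2; i <= NF; i++)
              if ($i == want) { print $2; exit } }' "$1"
}

# check_secure_mount_name HOSTS_FILE MOUNT_NAME [RESOLVED_NAME]
# RESOLVED_NAME is the name a name server returned, supplied by the caller.
# Returns 0 if the names match, 1 on a mismatch, 2 if MOUNT_NAME is absent.
check_secure_mount_name() {
    primary=$(hosts_primary_name "$1" "$2")
    [ -n "$primary" ] || { echo "$2: not found in $1"; return 2; }
    if [ "$primary" != "$2" ]; then
        echo "$2 is an alias; primary entry is $primary"
        return 1
    fi
    if [ -n "$3" ] && [ "$3" != "$primary" ]; then
        echo "name server returned $3, hosts file has $primary"
        return 1
    fi
    echo "$2: ok"
}

# Constructed sample hosts file (not from a real system).
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1     loopback localhost
192.0.2.10    nfssrv1.example.com nfssrv1   # NFS server
192.0.2.11    nfssrv2.example.com nfssrv2
EOF

# Matching name, alias used for the mount, and a disagreeing name server.
check_secure_mount_name "$SAMPLE_HOSTS" nfssrv1.example.com nfssrv1.example.com
check_secure_mount_name "$SAMPLE_HOSTS" nfssrv1 || true
check_secure_mount_name "$SAMPLE_HOSTS" nfssrv2.example.com nfssrv2 || true
```

On a real client, pass /etc/hosts as the first argument and the name reported by your resolver as the third.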