Securely mounting NFS on Linux with krb5


Configuring a secure network NFS file share

Since I did this exercise in an RHCE mock-exam environment, the lab script, the grading script and the krb5.keytab files mentioned below exist only in my environment. If you are practising on your own, you can skip the lab and grading scripts and simply configure the service and mount the share.

If you are interested in this environment, leave me a comment; I will reply to every one I see.

1. First

Run the lab script on the server (server0) and the client (desktop0):

[root@server0 ~]# lab nfskrb5 setup
[root@desktop0 ~]# lab nfskrb5 setup

2. Configure the server (server0)

2.1 Download the Kerberos keytab

[root@server0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab
--2019-04-16 22:51:45--  http://classroom.example.com/pub/keytabs/server0.keytab
Resolving classroom.example.com (classroom.example.com)... 172.25.254.254
Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1242 (1.2K)
Saving to: ‘/etc/krb5.keytab’

100%[==============================================================================>] 1,242       --.-K/s   in 0s      

2019-04-16 22:51:45 (130 MB/s) - ‘/etc/krb5.keytab’ saved [1242/1242]

2.2 Edit the NFS configuration file

[root@server0 ~]# vim /etc/sysconfig/nfs 
...
RPCNFSDARGS="-V 4.2"
...

With version 4.2, the SELinux security context of the files is exported along with the share when it is mounted.

2.3 Start the nfs-secure-server service and enable it at boot

[root@server0 ~]# systemctl start nfs-secure-server
[root@server0 ~]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
[root@server0 ~]#

2.4 Create the shared directory and add it to /etc/exports

[root@server0 ~]# mkdir /securenfs
[root@server0 ~]# chown nfsnobody /securenfs/
[root@server0 ~]# ll -d !$
ll -d /securenfs/
drwxr-xr-x. 2 nfsnobody root 6 Apr 16 22:57 /securenfs/

[root@server0 ~]# vim /etc/exports
...
/securenfs desktop0(sec=krb5p,rw)
...

[root@server0 ~]# exportfs -r
[root@server0 ~]# exportfs 
/securenfs        desktop0.example.com

2.5 Configure the firewall

[root@server0 ~]# firewall-cmd --permanent --add-service=nfs
success
[root@server0 ~]# firewall-cmd --reload
success
[root@server0 ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client nfs ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

3. Configure the client (desktop0)

3.1 Download the keytab file

[root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab

3.2 Start the nfs-secure service and enable it at boot

[root@desktop0 ~]# systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
[root@desktop0 ~]# systemctl start nfs-secure

3.3 Create the mount point and configure automatic mounting at boot

[root@desktop0 ~]# mkdir /mnt/secureshare
[root@desktop0 ~]# vim /etc/fstab 

server0:/securenfs /mnt/secureshare     nfs     defaults,rw,v4.2,sec=krb5p      0       0
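As an added example (not from the original post or the RHCE lab), the POSIX shell helpers below check an /etc/exports entry like the one in section 2.4 and an /etc/fstab entry like the one above for the settings this setup depends on: every client pinned to sec=krb5p (no sec= means the default sec=sys, and a flavour list such as sec=krb5p:sys allows a downgrade) and NFSv4.2 on the mount so SELinux labels are carried over. The function names and the sample lines are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit helpers for the Kerberos
# NFS settings above. Each takes one config line and returns 0 (OK) or 1 (weak).
set -f   # no globbing, so "set -- $line" is a pure word split

# Return 0 only if a comma-separated option list pins sec=krb5p exactly.
# No sec= means the default sec=sys (server trusts the client-supplied UID);
# a flavour list such as sec=krb5p:sys lets the client negotiate downward.
opts_require_krb5p() {
    found=1
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            sec=krb5p) found=0 ;;
            sec=*)     IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# /etc/exports line: "/path client(opt,opt) client(opt)". Every client entry
# must carry sec=krb5p; a client written without "(...)" gets the defaults.
check_export_line() {
    set -- $1
    [ $# -ge 2 ] || return 1
    shift
    for entry in "$@"; do
        case $entry in
            *\(*\)) opts=${entry#*\(}; opts=${opts%\)} ;;
            *)      return 1 ;;
        esac
        opts_require_krb5p "$opts" || return 1
    done
    return 0
}

# /etc/fstab line: "server:/export /mnt nfs options 0 0". Require an NFS type,
# sec=krb5p and NFSv4.2 (v4.2, vers=4.2 or nfsvers=4.2) so SELinux labels travel.
check_fstab_line() {
    set -- $1
    [ $# -ge 4 ] || return 1
    case $3 in nfs|nfs4) ;; *) return 1 ;; esac
    opts_require_krb5p "$4" || return 1
    case ",$4," in
        *,v4.2,*|*,vers=4.2,*|*,nfsvers=4.2,*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run it against lines pulled from the real files with something like `grep '^/securenfs' /etc/exports` and `grep secureshare /etc/fstab`; a non-zero exit marks a line that would accept a weaker security flavour or an older NFS version.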

 

4. Testing

4.1 Create a test file on server0

[root@server0 ~]# echo "Hello World" >> /securenfs/testfile.txt
Temporarily change the file's SELinux context, then change its owner and permissions:
[root@server0 ~]# chcon -t public_content_t /securenfs/testfile.txt 
[root@server0 ~]# chown ldapuser0:ldapuser0 /securenfs/testfile.txt 
[root@server0 ~]# chmod 644 /securenfs/testfile.txt 
[root@server0 ~]# ll -Z !$
ll -Z /securenfs/testfile.txt
-rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /securenfs/testfile.txt
[root@server0 ~]# 

4.2 View the file from desktop0

Because -V 4.2 was set earlier, the public_content_t label is carried over with the mount as well:

[root@desktop0 ~]# ll -Z /mnt/secureshare/testfile.txt 
-rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /mnt/secureshare/testfile.txt
[root@desktop0 ~]#

4.3 Test writing to the file as ldapuser0

[root@desktop0 ~]# ssh ldapuser0@localhost
ldapuser0@localhost's password: 
Creating home directory for ldapuser0.
[ldapuser0@desktop0 ~]$ echo "I'm write" >> /mnt/secureshare/testfile.txt 
[ldapuser0@desktop0 ~]$ cat !$
cat /mnt/secureshare/testfile.txt
Hello World
I'm write
[ldapuser0@desktop0 ~]$

Writing to the file as the administrator (root) fails:

[root@desktop0 ~]# echo "test" >> /mnt/secureshare/testfile.txt 
-bash: /mnt/secureshare/testfile.txt: Permission denied
[root@desktop0 ~]#

This is because the share is protected by Kerberos authentication, and root on desktop0 holds no Kerberos credentials for it.

5. Run the grading script

[root@server0 ~]# lab nfskrb5 grade
Grading Kerberos NFS...
Checking correct krb5.keytab exists... PASS
Checking for correct RPCNFSDARGS... PASS
Checking nfs-secure-server service is started... PASS
Checking nfs-server service is enabled... PASS
Checking /securenfs directory exists... PASS
Checking for correct /etc/exports file... PASS
Checking if the server knows about the exported directory... PASS

Overall result: PASS
Congratulations! You've passed all requirements.
[root@desktop0 ~]# lab nfskrb5 grade
Grading exercise Kerberos NFS...
Checking correct krb5.keytab exists... PASS
Checking nfs-secure service is started... PASS
Checking nfs-secure service is enabled... PASS
Checking /mnt/secureshare directory exists...PASS
Checking for correct /etc/fstab entry for the secure export...PASS
Checking for mounted nfs share ...PASS

Overall result: PASS
Congratulations! You've passed all requirements

  

