Copyright notice: when reposting, please include the link https://blog.csdn.net/qq_37684859/article/details/87870594
Case study: implementing a secure NFS share
This exercise requires configuring a secure NFS service on the virtual machine server0 to complete the following tasks:
1. Access to /protected must be Kerberos-encrypted; keytab location: http://classroom/pub/keytabs/server0.keytab
2. The directory /protected contains a subdirectory named project
Then access the NFS share from the virtual machine desktop0:
1. The mount at /mnt/nfssecure must use Kerberos encryption; keytab location: http://classroom/pub/keytabs/desktop0.keytab
2. The user ldapuser0 must be able to create files under /mnt/nfssecure/project; the password is kerberos
Operations on host server0
In the teaching lab environment, the virtual machines are handled as follows.
- 1) Initialize server0
[root@server0 ~]# lab nfskrb5 setup   # script prepared in advance on the lab machine
Installing packages ...
Updating authconfig for ldap & krb5 ...
SUCCESS
- 2) Download and deploy the keytab for server0
[root@server0 ~]# wget http://classroom/pub/keytabs/server0.keytab -O /etc/krb5.keytab
.. ..
2016-11-27 04:26:38 (83.7 MB/s) - ‘/etc/krb5.keytab’ saved [1242/1242]
[root@server0 ~]# file /etc/krb5.keytab   # check the deployment result
/etc/krb5.keytab: data
- 3) Create the specified subdirectory
[root@server0 ~]# mkdir /protected/project
[root@server0 ~]# chown ldapuser0 /protected/project
- 4) Adjust the security flavor of the shared directory in the configuration file
[root@server0 ~]# vim /etc/exports
/public 172.25.0.0/24(ro)
/protected 172.25.0.0/24(rw,sec=krb5p)   # specify the security flavor
- 5) Restart the nfs-server and nfs-secure-server services and enable them at boot
[root@server0 ~]# systemctl restart nfs-server nfs-secure-server
[root@server0 ~]# systemctl enable nfs-server nfs-secure-server
Client operations (desktop0, ldapuser0)
- 1) Initialize desktop0
[root@desktop0 ~]# lab nfskrb5 setup
Installing packages ...
Updating authconfig for ldap & krb5 ...
SUCCESS
- 2) Download and deploy the keytab for desktop0
[root@desktop0 ~]# wget http://classroom/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab
.. ..
2016-11-27 04:27:25 (68.4 MB/s) - ‘/etc/krb5.keytab’ saved [1242/1242]
[root@desktop0 ~]# file /etc/krb5.keytab   # check the deployment result
/etc/krb5.keytab: data
- 3) Create the mount point
[root@desktop0 ~]# mkdir /mnt/nfssecure
- 4) Start the nfs-secure service and enable it at boot
[root@desktop0 ~]# systemctl restart nfs-secure
[root@desktop0 ~]# systemctl enable nfs-secure
- 5) Configure the secure NFS share to be mounted at boot
[root@desktop0 ~]# vim /etc/fstab
server0.example.com:/public /mnt/nfsmount nfs _netdev 0 0
server0.example.com:/protected /mnt/nfssecure nfs sec=krb5p,_netdev 0 0
- 6) Verify the mount configuration
[root@desktop0 ~]# mount -a
[root@desktop0 ~]# df -hT /mnt/nfs*
Filesystem Type Size Used Avail Use% Mounted on
server0.example.com:/public nfs4 10G 3.3G 6.8G 33% /mnt/nfsmount
server0.example.com:/protected nfs4 10G 3.3G 6.8G 33% /mnt/nfssecure
- 7) Test write permission on the mount point
Log in to desktop0 as ldapuser0 over SSH and authenticate with the password (kerberos) to obtain a Kerberos ticket:
[root@desktop0 ~]# ssh ldapuser0@desktop0.example.com
ldapuser0@desktop0.example.com's password:   # enter the password: kerberos
[ldapuser0@desktop0 ~]$ touch /mnt/nfssecure/project/a.txt
[ldapuser0@desktop0 ~]$ ls -lh /mnt/nfssecure/project/a.txt
-rw-rw-r--. 1 ldapuser0 ldapuser0 0 Nov 27 04:43 /mnt/nfssecure/project/a.txt
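As an added check that is not part of the original post, the following POSIX shell script parses /etc/exports and /etc/fstab entries of the form shown above and reports the sec= flavor of each export and mount, plus any writable export that is not pinned to krb5p (which would leave data in clear text on the wire). The sample file contents are constructed from the configuration on this page.

```shell
#!/bin/sh
# Constructed sample /etc/exports content, matching the server0 configuration above.
SAMPLE_EXPORTS='/public 172.25.0.0/24(ro)
/protected 172.25.0.0/24(rw,sec=krb5p)'

# Constructed sample /etc/fstab lines, matching the desktop0 configuration above.
SAMPLE_FSTAB='server0.example.com:/public /mnt/nfsmount nfs _netdev 0 0
server0.example.com:/protected /mnt/nfssecure nfs sec=krb5p,_netdev 0 0'

# export_sec <exports-content> <path>
# Prints the sec= flavor of the export for <path>; "sys" when none is set (the NFS default).
export_sec() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p {
            # the option list is everything between the first "(" and the ")" on the line
            s = $0; sub(/^[^(]*\(/, "", s); sub(/\).*$/, "", s)
            n = split(s, o, ","); sec = "sys"
            for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
            print sec; exit
        }'
}

# mount_sec <fstab-content> <mountpoint>
# Prints the sec= option of the NFS mount at <mountpoint>; "sys" when none is set.
mount_sec() {
    printf '%s\n' "$1" | awk -v m="$2" '
        $2 == m && $3 ~ /^nfs/ {
            n = split($4, o, ","); sec = "sys"
            for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
            print sec; exit
        }'
}

# rw_exports_without_krb5p <exports-content>
# Prints each export path that is writable (rw) but not restricted to the krb5p flavor.
rw_exports_without_krb5p() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        {
            s = $0; sub(/^[^(]*\(/, "", s); sub(/\).*$/, "", s)
            n = split(s, o, ","); rw = 0; sec = "sys"
            for (i = 1; i <= n; i++) { if (o[i] == "rw") rw = 1; if (o[i] ~ /^sec=/) sec = substr(o[i], 5) }
            if (rw && sec != "krb5p") print $1
        }'
}

printf '/protected export flavor: %s\n' "$(export_sec "$SAMPLE_EXPORTS" /protected)"
printf '/mnt/nfssecure mount flavor: %s\n' "$(mount_sec "$SAMPLE_FSTAB" /mnt/nfssecure)"
printf 'rw exports without krb5p: [%s]\n' "$(rw_exports_without_krb5p "$SAMPLE_EXPORTS")"
```

Point the functions at the real files with `export_sec "$(cat /etc/exports)" /protected` on server0 and `mount_sec "$(cat /etc/fstab)" /mnt/nfssecure` on desktop0; an empty result from rw_exports_without_krb5p means every writable export requires Kerberos privacy.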