Linux nfs使用krb5的方式安全挂载
发布时间:2020-12-14 01:35:03 所属栏目:Linux 来源:网络整理
导读:配置安全的网络nfs文件共享服务 由于本人是使用的rhce模拟考试环境来做的本题目,所以文中说到的实验脚本和评分脚本,以及krb5.keytab文件只有我本套环境独有,如果自己做练习可以不去使用实验脚本和评分脚本,直接进行配置服务并挂载就可以。 对此套环境有
配置安全的网络nfs文件共享服务由于本人是使用的rhce模拟考试环境来做的本题目,所以文中说到的实验脚本和评分脚本,以及krb5.keytab文件只有我本套环境独有,如果自己做练习可以不去使用实验脚本和评分脚本,直接进行配置服务并挂载就可以。 对此套环境有兴趣的朋友可以给我留言,看到必回复。 1、首先服务端(server0)和客户端(desktop0)执行实验脚本 [[email?protected] ~]# lab nfskrb5 setup
[[email?protected] ~]# lab nfskrb5 setup
2、配置服务端(server0)2.1 下载kerberos秘钥[[email?protected] ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab --2019-04-16 22:51:45-- http://classroom.example.com/pub/keytabs/server0.keytab Resolving classroom.example.com (classroom.example.com)... 172.25.254.254 Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected. HTTP request sent,awaiting response... 200 OK Length: 1242 (1.2K) Saving to: ‘/etc/krb5.keytab’ 100%[==============================================================================>] 1,242 --.-K/s in 0s 2019-04-16 22:51:45 (130 MB/s) - ‘/etc/krb5.keytab’ saved [1242/1242] ? 2.2 修改nfs配置文件[[email?protected] ~]# vim /etc/sysconfig/nfs ... RPCNFSDARGS="-V 4.2" ... ? 使用4.2版本,nfs挂载的时候可以将selinux安全上下文同时导出 2.3 启动nfs-secure-server服务并设置开机自动启动[[email?protected] ~]# systemctl start nfs-secure-server [[email?protected] ~]# systemctl enable nfs-secure-server ln -s ‘/usr/lib/systemd/system/nfs-secure-server.service‘ ‘/etc/systemd/system/nfs.target.wants/nfs-secure-server.service‘ [[email?protected] ~]# ? 2.4 创建共享文件夹并且将文件夹写入/etc/exportfs文件中[[email?protected] ~]# mkdir /securenfs [[email?protected] ~]# chown nfsnobody /securenfs/ [[email?protected] ~]# ll -d !$ ll -d /securenfs/ drwxr-xr-x. 2 nfsnobody root 6 Apr 16 22:57 /securenfs/ [[email?protected] ~]# vim /etc/exports ... /securenfs desktop0(sec=krb5p,rw) ... [[email?protected] ~]# exportfs -r [[email?protected] ~]# exportfs /securenfs desktop0.example.com ? 2.5 配置防火墙[[email?protected] ~]# firewall-cmd --permanent --add-service=nfs success [[email?protected] ~]# firewall-cmd --reload success [[email?protected] ~]# firewall-cmd --list-all public (default,active) interfaces: eth0 sources: services: dhcpv6-client nfs ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: ? 3、配置客户端(dekstop0)3.1 下载秘钥文件[[email?protected] ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab ? 3.2 启动nfs-secure 服务并开机自启动[[email?protected] ~]# systemctl enable nfs-secure ln -s ‘/usr/lib/systemd/system/nfs-secure.service‘ ‘/etc/systemd/system/nfs.target.wants/nfs-secure.service‘ [[email?protected] ~]# systemctl start nfs-secure ? 3.3 创建挂载点并设定开机自动挂载[[email?protected] ~]# mkdir /mnt/secureshare [[email?protected] ~]# vim /etc/fstab server0:/securenfs /mnt/secureshare nfs defaults,rw,v4.2,sec=krb5p 0 0 ? 4、测试4.1 在server0上建立测试文件[[email?protected] ~]# echo "Hello World" >> /securenfs/testfile.txt 临时更改该文件的selinux安全上下文,更改文件的拥有者和权限 [[email?protected] ~]# chcon -t public_content_t /securenfs/testfile.txt [[email?protected] ~]# chown ldapuser0:ldapuser0 /securenfs/testfile.txt [[email?protected] ~]# chmod 644 /securenfs/testfile.txt [[email?protected] ~]# ll -Z !$ ll -Z /securenfs/testfile.txt -rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /securenfs/testfile.txt [[email?protected] ~]# ? 4.2 desktop0查看该文件因为前边加了-V 4.2的参数,所以public_content_t这个规则也被挂载过来来了 [[email?protected] ~]# ll -Z /mnt/secureshare/testfile.txt -rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /mnt/secureshare/testfile.txt [[email?protected] ~]# ? 4.3用ldapuser0用户测试向该文件写入内容[[email?protected] ~]# ssh [email?protected] [email?protected]‘s password: Creating home directory for ldapuser0. [ldapuse[email?protected] ~]$ echo "I‘m write" >> /mnt/secureshare/testfile.txt [[email?protected] ~]$ cat !$ cat /mnt/secureshare/testfile.txt Hello World I‘m write [[email?protected] ~]$ ? 用管理员用户写入无法写入该文件 [[email?protected] ~]# echo "test" >> /mnt/secureshare/testfile.txt -bash: /mnt/secureshare/testfile.txt: Permission denied [[email?protected] ~]# ? 因为当前是用kerberos安全认证 5、提交评分脚本[[email?protected] ~]# lab nfskrb5 grade Grading Kerberos NFS... Checking correct krb5.keytab exists... PASS Checking for correct RPCNFSDARGS... PASS Checking nfs-secure-server service is started... PASS Checking nfs-server service is enabled... PASS Checking /securenfs directory exists... PASS Checking for correct /etc/exports file... PASS Checking if the server knows about the exported directory... PASS Overall result: PASS Congratulations! You‘ve passed all requirements. [[email?protected] ~]# lab nfskrb5 grade Grading exercise Kerberos NFS... Checking correct krb5.keytab exists... PASS Checking nfs-secure service is started... PASS Checking nfs-secure service is enabled... PASS Checking /mnt/secureshare directory exists...PASS Checking for correct /etc/fstab entry for the secure export...PASS Checking for mounted nfs share ...PASS Overall result: PASS Congratulations! You‘ve passed all requirements (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |