Linux: mounting NFS securely with krb5


    Configuring a secure NFS network file-sharing service

    Since I did this exercise in an RHCE mock-exam environment, the lab scripts, grading scripts and krb5.keytab files mentioned in this article exist only in my environment. If you practise on your own setup, skip the lab and grading scripts and simply configure the service and mount the share.

    If you are interested in this environment, leave me a comment; I will reply when I see it.

    1. First steps

    Run the lab setup script on the server (server0) and the client (desktop0)

    [root@server0 ~]# lab nfskrb5 setup
    [root@desktop0 ~]# lab nfskrb5 setup

    2. Configure the server (server0)

    2.1 Download the Kerberos keytab

    [root@server0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab
    --2019-04-16 22:51:45--  http://classroom.example.com/pub/keytabs/server0.keytab
    Resolving classroom.example.com (classroom.example.com)... 172.25.254.254
    Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1242 (1.2K)
    Saving to: ‘/etc/krb5.keytab’
    
    100%[==============================================================================>] 1,242       --.-K/s   in 0s      
    
    2019-04-16 22:51:45 (130 MB/s) - ‘/etc/krb5.keytab’ saved [1242/1242]

    2.2 Edit the NFS configuration file

    [root@server0 ~]# vim /etc/sysconfig/nfs 
    ...
    RPCNFSDARGS="-V 4.2"
    ...

    With NFS version 4.2, the SELinux security context of the files is exported along with them when the share is mounted.

    2.3 Start the nfs-secure-server service and enable it at boot

    [root@server0 ~]# systemctl start nfs-secure-server
    [root@server0 ~]# systemctl enable nfs-secure-server
    ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
    [root@server0 ~]#

    2.4 Create the shared directory and add it to /etc/exports

    [root@server0 ~]# mkdir /securenfs
    [root@server0 ~]# chown nfsnobody /securenfs/
    [root@server0 ~]# ll -d !$
    ll -d /securenfs/
    drwxr-xr-x. 2 nfsnobody root 6 Apr 16 22:57 /securenfs/
    
    [root@server0 ~]# vim /etc/exports
    ...
    /securenfs desktop0(sec=krb5p,rw)
    ...
    
    [root@server0 ~]# exportfs -r
    [root@server0 ~]# exportfs 
    /securenfs        desktop0.example.com

    2.5 Configure the firewall

    [root@server0 ~]# firewall-cmd --permanent --add-service=nfs
    success
    [root@server0 ~]# firewall-cmd --reload
    success
    [root@server0 ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eth0
      sources: 
      services: dhcpv6-client nfs ssh
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules:

    3. Configure the client (desktop0)

    3.1 Download the keytab file

    [root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab

    3.2 Start the nfs-secure service and enable it at boot

    [root@desktop0 ~]# systemctl enable nfs-secure
    ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
    [root@desktop0 ~]# systemctl start nfs-secure

    3.3 Create the mount point and configure mounting at boot

    [root@desktop0 ~]# mkdir /mnt/secureshare
    [root@desktop0 ~]# vim /etc/fstab 
    
    server0:/securenfs /mnt/secureshare     nfs     defaults,rw,v4.2,sec=krb5p      0       0
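    The steps in sections 2 and 3 leave four things to verify before trusting the share: the keytab is present and not world-readable, RPCNFSDARGS requests NFSv4.2, the export line demands sec=krb5p (with no weaker fallback), and the client's fstab entry uses v4.2 with sec=krb5p. The script below is an added example written for this article, not part of the original post or of the lab scripts; it runs entirely on constructed sample files in a temporary directory, so it can be tried offline. It goes slightly beyond the page by also rejecting an export such as sec=krb5p:sys, where a client could silently fall back to plain AUTH_SYS.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the four
# settings configured above. All paths and file contents below are constructed
# in a temporary directory; nothing here reads or changes the real system.

# 1. The keytab must exist and be readable only by its owner (root on a real host).
check_keytab() {
    kt=$1
    [ -f "$kt" ] || return 1
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt" 2>/dev/null)
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# 2. RPCNFSDARGS must request NFSv4.2 so SELinux labels travel with the files.
check_nfsd_args() {
    grep -E '^RPCNFSDARGS="?[^"]*-V *4\.2' "$1" >/dev/null 2>&1
}

# 3. Every client entry for directory $2 in exports file $1 must carry exactly
#    sec=krb5p; an entry with no sec= option (defaults to sec=sys) or with a
#    fallback list such as sec=krb5p:sys is rejected.
check_exports() {
    awk -v d="$2" '
        $1 == d {
            found = 1
            for (i = 2; i <= NF; i++) {
                opts = $i
                if (opts !~ /\(/) { bad = 1; continue }
                sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
                if (match(opts, /(^|,)sec=[^,]*/)) {
                    sec = substr(opts, RSTART, RLENGTH)
                    sub(/^,?sec=/, "", sec)
                    if (sec != "krb5p") bad = 1
                } else bad = 1
            }
        }
        END { if (found && !bad) exit 0; exit 1 }
    ' "$1"
}

# 4. The fstab entry in file $1 for mount point $2 must be NFS, v4.2, sec=krb5p.
check_fstab() {
    awk -v m="$2" '
        $2 == m && $3 == "nfs" {
            found = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) {
                if (o[i] == "sec=krb5p") sec = 1
                if (o[i] == "v4.2" || o[i] == "vers=4.2" || o[i] == "nfsvers=4.2") ver = 1
            }
        }
        END { if (found && sec && ver) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample inputs: a correct variant and a weak variant of each file.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'fake keytab bytes\n' > "$SAMPLE_DIR/krb5.keytab";      chmod 600 "$SAMPLE_DIR/krb5.keytab"
printf 'fake keytab bytes\n' > "$SAMPLE_DIR/krb5.keytab.weak"; chmod 644 "$SAMPLE_DIR/krb5.keytab.weak"
printf '# comment\nRPCNFSDARGS="-V 4.2"\n' > "$SAMPLE_DIR/nfs.good"
printf 'RPCNFSDARGS=""\n'                  > "$SAMPLE_DIR/nfs.weak"
printf '/securenfs desktop0(sec=krb5p,rw)\n'     > "$SAMPLE_DIR/exports.good"
printf '/securenfs desktop0(sec=krb5p:sys,rw)\n' > "$SAMPLE_DIR/exports.weak"
printf '/securenfs desktop0(rw)\n'               > "$SAMPLE_DIR/exports.nosec"
printf 'server0:/securenfs /mnt/secureshare nfs defaults,rw,v4.2,sec=krb5p 0 0\n' > "$SAMPLE_DIR/fstab.good"
printf 'server0:/securenfs /mnt/secureshare nfs defaults,rw 0 0\n'                > "$SAMPLE_DIR/fstab.weak"

# One line per check when the script is run directly.
report() { if "$1" "$2" "$3"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fi; }
report check_keytab    "$SAMPLE_DIR/krb5.keytab"      ""
report check_keytab    "$SAMPLE_DIR/krb5.keytab.weak" ""
report check_nfsd_args "$SAMPLE_DIR/nfs.good"         ""
report check_nfsd_args "$SAMPLE_DIR/nfs.weak"         ""
report check_exports   "$SAMPLE_DIR/exports.good"  /securenfs
report check_exports   "$SAMPLE_DIR/exports.weak"  /securenfs
report check_exports   "$SAMPLE_DIR/exports.nosec" /securenfs
report check_fstab     "$SAMPLE_DIR/fstab.good"    /mnt/secureshare
report check_fstab     "$SAMPLE_DIR/fstab.weak"    /mnt/secureshare
```

    To use the checks on a real host, point them at /etc/krb5.keytab, /etc/sysconfig/nfs, /etc/exports and /etc/fstab instead of the sample files; the awk parsers only look at the fields the page's own lines use, so unusual exports syntax (for example netgroups with spaces) would need extending.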

    4. Testing

    4.1 Create a test file on server0

    [root@server0 ~]# echo "Hello World" >> /securenfs/testfile.txt
    Temporarily change the file's SELinux security context, then change its owner and permissions
    [root@server0 ~]# chcon -t public_content_t /securenfs/testfile.txt 
    [root@server0 ~]# chown ldapuser0:ldapuser0 /securenfs/testfile.txt 
    [root@server0 ~]# chmod 644 /securenfs/testfile.txt 
    [root@server0 ~]# ll -Z !$
    ll -Z /securenfs/testfile.txt
    -rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /securenfs/testfile.txt
    [root@server0 ~]# 

    4.2 View the file on desktop0

    Because the -V 4.2 argument was added earlier, the public_content_t label is carried across the mount as well

    [root@desktop0 ~]# ll -Z /mnt/secureshare/testfile.txt 
    -rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /mnt/secureshare/testfile.txt
    [root@desktop0 ~]#

    4.3 Test writing to the file as user ldapuser0

    [root@desktop0 ~]# ssh ldapuser0@localhost
    ldapuser0@localhost's password: 
    Creating home directory for ldapuser0.
    [ldapuser0@desktop0 ~]$ echo "I'm write" >> /mnt/secureshare/testfile.txt 
    [ldapuser0@desktop0 ~]$ cat !$
    cat /mnt/secureshare/testfile.txt
    Hello World
    I'm write
    [ldapuser0@desktop0 ~]$

    Writing to the file as the administrator (root) fails

    [root@desktop0 ~]# echo "test" >> /mnt/secureshare/testfile.txt 
    -bash: /mnt/secureshare/testfile.txt: Permission denied
    [root@desktop0 ~]#

    This is because access is now authenticated by Kerberos: the client's local root user does not carry ldapuser0's identity and is treated as an unprivileged user on the share, so the write is refused.

    5. Run the grading scripts

    [root@server0 ~]# lab nfskrb5 grade
    Grading Kerberos NFS...
    Checking correct krb5.keytab exists... PASS
    Checking for correct RPCNFSDARGS... PASS
    Checking nfs-secure-server service is started... PASS
    Checking nfs-server service is enabled... PASS
    Checking /securenfs directory exists... PASS
    Checking for correct /etc/exports file... PASS
    Checking if the server knows about the exported directory... PASS
    
    Overall result: PASS
    Congratulations! You've passed all requirements.
    [root@desktop0 ~]# lab nfskrb5 grade
    Grading exercise Kerberos NFS...
    Checking correct krb5.keytab exists... PASS
    Checking nfs-secure service is started... PASS
    Checking nfs-secure service is enabled... PASS
    Checking /mnt/secureshare directory exists...PASS
    Checking for correct /etc/fstab entry for the secure export...PASS
    Checking for mounted nfs share ...PASS
    
    Overall result: PASS
    Congratulations! You've passed all requirements
    
    Original URL: https://www.cnblogs.com/despotic/p/10720950.html