Where the krb5 keytab goes on Linux, and mounting NFS securely with krb5 on Linux

Configuring a secure network NFS file sharing service

Since I did this exercise in an RHCE practice-exam environment, the lab script, grading script and krb5.keytab files mentioned below exist only in my environment. If you are practising on your own, skip the lab and grading scripts and simply configure the service and mount the share.

If you are interested in this environment, leave me a comment; I reply to every one I see.

1、First

Run the lab script on the server (server0) and the client (desktop0)

[root@server0 ~]# lab nfskrb5 setup

[root@desktop0 ~]# lab nfskrb5 setup

2、Configure the server (server0)

2.1 Download the Kerberos keytab

[root@server0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab

--2019-04-16 22:51:45-- http://classroom.example.com/pub/keytabs/server0.keytab

Resolving classroom.example.com (classroom.example.com)... 172.25.254.254

Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1242 (1.2K)

Saving to: ‘/etc/krb5.keytab’

100%[==============================================================================>] 1,242 --.-K/s in 0s

2019-04-16 22:51:45 (130 MB/s) - ‘/etc/krb5.keytab’ saved [1242/1242]

2.2 Edit the NFS configuration file

[root@server0 ~]# vim /etc/sysconfig/nfs

...

RPCNFSDARGS="-V 4.2"

...

With NFS version 4.2 (labeled NFS), the SELinux security context of the exported files is carried across the mount along with the data

2.3 Start the nfs-secure-server service and enable it at boot

[root@server0 ~]# systemctl start nfs-secure-server

[root@server0 ~]# systemctl enable nfs-secure-server

ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'

[root@server0 ~]#

2.4 Create the shared directory and add it to /etc/exports

[root@server0 ~]# mkdir /securenfs

[root@server0 ~]# chown nfsnobody /securenfs/

[root@server0 ~]# ll -d !$

ll -d /securenfs/

drwxr-xr-x. 2 nfsnobody root 6 Apr 16 22:57 /securenfs/

[root@server0 ~]# vim /etc/exports

...

/securenfs desktop0(sec=krb5p,rw)

...

[root@server0 ~]# exportfs -r

[root@server0 ~]# exportfs

/securenfs desktop0.example.com

2.5 Configure the firewall

[root@server0 ~]# firewall-cmd --permanent --add-service=nfs

success

[root@server0 ~]# firewall-cmd --reload

success

[root@server0 ~]# firewall-cmd --list-all

public (default, active)

interfaces: eth0

sources:

services: dhcpv6-client nfs ssh

ports:

masquerade: no

forward-ports:

icmp-blocks:

rich rules:

3、Configure the client (desktop0)

3.1 Download the keytab file

[root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab

3.2 Start the nfs-secure service and enable it at boot

[root@desktop0 ~]# systemctl enable nfs-secure

ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'

[root@desktop0 ~]# systemctl start nfs-secure

3.3 Create the mount point and configure automatic mounting at boot

[root@desktop0 ~]# mkdir /mnt/secureshare

[root@desktop0 ~]# vim /etc/fstab

server0:/securenfs /mnt/secureshare nfs defaults,rw,v4.2,sec=krb5p 0 0
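A small audit script, added here as an example and not part of the original post, that checks copies of /etc/exports and /etc/fstab for NFS entries that do not use sec=krb5p (and, for fstab, NFS 4.2) the way the two entries above do. The file paths are arguments, and the two sample files are constructed inline rather than taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): flag NFS exports and mounts
# that fall short of the sec=krb5p / NFS 4.2 setup used above.

# Print each export that has a client without sec=krb5p; return 1 if any.
# A client with no option list (e.g. "desktop0" alone) defaults to sec=sys.
check_exports() {
    awk '
      BEGIN { rc = 0 }
      /^[ \t]*(#|$)/ { next }
      {
        bad = (NF < 2)
        for (i = 2; i <= NF; i++) {
          opts = $i
          if (opts !~ /\(.*\)$/) { bad = 1; continue }
          sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
          if (("," opts ",") !~ /,sec=krb5p,/) bad = 1
        }
        if (bad) { print $1; rc = 1 }
      }
      END { exit rc }' "$1"
}

# Print each NFS mount point in fstab lacking sec=krb5p or NFS 4.2
# (written as v4.2, vers=4.2 or nfsvers=4.2); return 1 if any.
check_fstab() {
    awk '
      BEGIN { rc = 0 }
      /^[ \t]*(#|$)/ { next }
      $3 == "nfs" || $3 == "nfs4" {
        o = "," $4 ","
        if (o !~ /,sec=krb5p,/ || o !~ /,(v|vers=|nfsvers=)4\.2,/) { print $2; rc = 1 }
      }
      END { exit rc }' "$1"
}

# Constructed sample files: one compliant entry each, plus entries to be flagged.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/exports" <<'EOF'
/securenfs desktop0(sec=krb5p,rw)
/public    desktop0(rw)
/mixed     desktop0(sec=krb5p,ro) *(sec=sys,rw)
EOF
cat > "$SAMPLE_DIR/fstab" <<'EOF'
/dev/vda1 / xfs defaults 0 0
server0:/securenfs /mnt/secureshare nfs defaults,rw,v4.2,sec=krb5p 0 0
server0:/public    /mnt/public      nfs defaults,rw 0 0
EOF

echo "exports without sec=krb5p:"; check_exports "$SAMPLE_DIR/exports"
echo "fstab NFS mounts without sec=krb5p and 4.2:"; check_fstab "$SAMPLE_DIR/fstab"
```

Run it against copies of the real files with `check_exports /etc/exports; check_fstab /etc/fstab` after sourcing the script; a non-zero exit means at least one entry was flagged.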

4、Test

4.1 Create a test file on server0

[root@server0 ~]# echo "Hello World" >> /securenfs/testfile.txt

Temporarily change the file's SELinux security context, then change its owner and permissions

[root@server0 ~]# chcon -t public_content_t /securenfs/testfile.txt

[root@server0 ~]# chown ldapuser0:ldapuser0 /securenfs/testfile.txt

[root@server0 ~]# chmod 644 /securenfs/testfile.txt

[root@server0 ~]# ll -Z !$

ll -Z /securenfs/testfile.txt

-rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /securenfs/testfile.txt

[root@server0 ~]#

4.2 View the file on desktop0

Because -V 4.2 was set earlier, the public_content_t label is carried over by the mount as well

[root@desktop0 ~]# ll -Z /mnt/secureshare/testfile.txt

-rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /mnt/secureshare/testfile.txt

[root@desktop0 ~]#

4.3 Test writing to the file as ldapuser0

[root@desktop0 ~]# ssh ldapuser0@localhost

ldapuser0@localhost's password:

Creating home directory for ldapuser0.

[ldapuser0@desktop0 ~]$ echo "I'm write" >> /mnt/secureshare/testfile.txt

[ldapuser0@desktop0 ~]$ cat !$

cat /mnt/secureshare/testfile.txt

Hello World

I'm write

[ldapuser0@desktop0 ~]$

Writing to the file as the administrator (root) fails

[root@desktop0 ~]# echo "test" >> /mnt/secureshare/testfile.txt

-bash: /mnt/secureshare/testfile.txt: Permission denied

[root@desktop0 ~]#

This is because the mount uses Kerberos authentication: root on desktop0 presents no Kerberos credential for ldapuser0 (or for root), so the server does not grant it root's usual privileges over the file

5、Run the grading script

[root@server0 ~]# lab nfskrb5 grade

Grading Kerberos NFS...

Checking correct krb5.keytab exists... PASS

Checking for correct RPCNFSDARGS... PASS

Checking nfs-secure-server service is started... PASS

Checking nfs-server service is enabled... PASS

Checking /securenfs directory exists... PASS

Checking for correct /etc/exports file... PASS

Checking if the server knows about the exported directory... PASS

Overall result: PASS

Congratulations! You've passed all requirements.

[root@desktop0 ~]# lab nfskrb5 grade

Grading exercise Kerberos NFS...

Checking correct krb5.keytab exists... PASS

Checking nfs-secure service is started... PASS

Checking nfs-secure service is enabled... PASS

Checking /mnt/secureshare directory exists...PASS

Checking for correct /etc/fstab entry for the secure export...PASS

Checking for mounted nfs share ...PASS

Overall result: PASS

Congratulations! You've passed all requirements


Source: https://www.cnblogs.com/despotic/p/10720950.html
