I have an NFS server on CentOS 7 with the following in /etc/exports:
/export *(rw,sec=krb5p)
When I issue this command, it mounts successfully, as expected:
mount -t nfs -o sec=krb5p server.example.com:/export /mnt/export
It also mounts successfully in response to this command:
mount -t nfs server.example.com:/export /mnt/export
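In both cases, running findmnt shows that the sec=krb5p option is in use. In the second case, does the mount command have a hidden default, or does the client communicate with the NFS server and discover that sec=krb5p is the only allowed option?
From the RHEL 7 documentation: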
sec=mode
Its default setting is sec=sys, which uses local UNIX UIDs and GIDs. These use AUTH_SYS to authenticate NFS operations.
sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.
sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
sec=krb5p uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also involves the most performance overhead.
From man nfs:
sec=flavor The security flavor to use for accessing files on this mount point. If the server does not support this flavor, the mount operation fails. If sec= is not specified, the client attempts to find a security flavor that both the client and the server supports. Valid flavors are none, sys, krb5, krb5i, and krb5p. Refer to the SECURITY CONSIDERATIONS section for details.
From man mount_nfs:
sec=<mechanism> Force a specific security mechanism to be used for the mount, where mechanism is one of: krb5p, krb5i, krb5, or sys. When this option is not given the security mechanism will be negotiated transparently with the remote server.
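Because the flavor is negotiated when sec= is omitted, the mount table is where to confirm what was actually chosen. The following is an added example, not part of the original question or answer: it parses /proc/mounts-format lines and flags NFS mounts whose sec= differs from the required flavor. The sample table (including the /scratch export and the client address) is constructed.

```shell
#!/bin/sh
# Added example: report the sec= flavor in effect on each NFS mount.
# Input format (as in /proc/mounts): device mountpoint fstype options dump pass

# Reads a mount table on stdin and prints "<mountpoint> <flavor> <OK|MISMATCH>"
# for every nfs/nfs4 entry. Returns 1 if any mount uses a flavor other than $1.
nfs_sec_audit() {
    required=$1
    mismatch=0
    while read -r dev mnt fstype opts _rest; do
        case $fstype in
            nfs|nfs4) ;;
            *) continue ;;
        esac
        flavor=unknown
        # Split the comma-separated option list and pick out sec=
        old_ifs=$IFS; IFS=,
        for opt in $opts; do
            case $opt in
                sec=*) flavor=${opt#sec=} ;;
            esac
        done
        IFS=$old_ifs
        if [ "$flavor" = "$required" ]; then
            echo "$mnt $flavor OK"
        else
            echo "$mnt $flavor MISMATCH"
            mismatch=1
        fi
    done
    return $mismatch
}

# Constructed sample mount table, not output captured from a real host.
sample_mounts() {
    cat <<'EOF'
server.example.com:/export /mnt/export nfs4 rw,relatime,vers=4.1,proto=tcp,sec=krb5p,clientaddr=192.0.2.10 0 0
server.example.com:/scratch /mnt/scratch nfs4 rw,relatime,vers=4.1,proto=tcp,sec=sys,clientaddr=192.0.2.10 0 0
/dev/sda1 / xfs rw,relatime 0 0
EOF
}

sample_mounts | nfs_sec_audit krb5p || echo "at least one NFS mount is not using krb5p"
```

On a live client, run `nfs_sec_audit krb5p < /proc/mounts`. Passing sec=krb5p explicitly at mount time makes the mount fail instead of negotiating a different flavor if the server's export options later change.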