Centos

Why is '-o sec=krb5p' not required in the mount command?

  • September 5, 2017

I have an NFS server on CentOS 7, and it has this in its /etc/exports file:

/export *(rw,sec=krb5p)

When I issue this command, it mounts successfully, as expected:

mount -t nfs -o sec=krb5p server.example.com:/export /mnt/export

It also mounts successfully in response to this command:

mount -t nfs server.example.com:/export /mnt/export

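In both cases, running findmnt shows that the sec=krb5p option is in use. In the second case, is there a hidden default in the mount command, or does the client communicate with the NFS server and discover that sec=krb5p is the only allowed option?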

RHEL/CentOS 7: defaults to AUTH_SYS.

From the RHEL 7 documentation

sec=mode
   Its default setting is sec=sys, which uses local UNIX UIDs and GIDs. These use
       AUTH_SYS to authenticate NFS operations.
   sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to 
       authenticate users.
   sec=krb5i uses Kerberos V5 for user authentication and performs integrity
       checking of NFS operations using secure checksums to prevent
       data tampering.
   sec=krb5p uses Kerberos V5 for user authentication, integrity checking,
       and encrypts NFS traffic to prevent traffic sniffing. This is the most
       secure setting, but it also involves the most performance overhead.

Ubuntu 16.04: negotiated.

From man nfs

sec=flavor
   The security flavor to use for accessing files  on  this
   mount  point.   If the server does not support this fla‐
   vor, the mount operation fails.  If sec= is  not  speci‐
   fied, the client attempts to find a security flavor that
   both the client and the server supports.  Valid  flavors
   are  none,  sys,  krb5,  krb5i, and krb5p.  Refer to the
   SECURITY CONSIDERATIONS section for details.

OSX 10.12: negotiated.

From man mount_nfs

sec=<mechanism>
   Force a specific security mechanism to be used for the mount,
   where mechanism is one of: krb5p, krb5i, krb5, or sys.  When this
   option is not given the security mechanism will be negotiated
   transparently with the remote server.

Quoted from: https://serverfault.com/questions/871899
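
As an added example (not part of the original question or answer): because a mount without sec= can end up on whatever flavor the client and server agree on, this shell function reads a mount table in /proc/mounts format and reports every NFS mount whose flavor in use is weaker than a required minimum. The function names, the strength ordering and the sample mount table are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report NFS mounts whose
# negotiated security flavor is weaker than the one you require.
# Input is in /proc/mounts format: device mountpoint fstype options dump pass
# Real use: nfs_sec_audit krb5p < /proc/mounts

nfs_sec_audit() {
    awk -v required="$1" '
        BEGIN {
            # Weakest to strongest, following the flavor descriptions above.
            rank["none"] = 0; rank["sys"] = 1; rank["krb5"] = 2
            rank["krb5i"] = 3; rank["krb5p"] = 4
            if (!(required in rank)) {
                print "unknown flavor: " required > "/dev/stderr"
                bad = 1
                exit 2
            }
        }
        $3 == "nfs" || $3 == "nfs4" {
            flavor = "unknown"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^sec=/) flavor = substr(opts[i], 5)
            # A missing or unrecognised sec= is reported, never assumed safe.
            if (!(flavor in rank) || rank[flavor] < rank[required]) {
                print $2, flavor
                weak = 1
            }
        }
        END { if (bad) exit 2; exit (weak ? 1 : 0) }
    '
}

# Constructed sample mount table; /scratch and the addresses are made up.
sample_mounts() {
    cat <<'EOF'
server.example.com:/export /mnt/export nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=192.0.2.10 0 0
server.example.com:/scratch /mnt/scratch nfs4 rw,relatime,vers=4.1,sec=sys,clientaddr=192.0.2.10 0 0
/dev/sda1 / xfs rw,relatime 0 0
EOF
}

# Prints "/mnt/scratch sys"; exit status 1 means a weak mount was found.
sample_mounts | nfs_sec_audit krb5p || echo "mounts below krb5p found" >&2
```

The exit status is 0 when every NFS mount meets the minimum, 1 when at least one does not, and 2 when the required flavor name is not recognised, so the function can gate a configuration check.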