我在Centos 7上有一个nfs服务器,在/ etc / exports文件中有这个:
/ export *(rw,sec = krb5p)
/ export *(rw,sec = krb5p)
当我发出此命令时,它按预期成功安装:
mount -t nfs -o sec = krb5p server.example.com:/export / mnt / export
它还成功安装以响应此命令:
mount -t nfs server.example.com:/export / mnt / export
在这两种情况下,运行findmnt都会显示正在使用sec = krb5p选项.在第二种情况下,mount命令是否有隐藏的默认值,或者客户端是否与nfs服务器通信并发现sec = krb5p是唯一允许的选项?
RHEL / CentOS 7:默认为AUTH_SYS.
原文链接:https://www.f2er.com/centos/373423.htmlsec=mode
Its default setting is sec=sys,which uses local UNIX UIDs and GIDs. These use
AUTH_SYS to authenticate NFS operations."
sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to
authenticate users.
sec=krb5i uses Kerberos V5 for user authentication and performs integrity
checking of NFS operations using secure checksums to prevent
data tampering.
sec=krb5p uses Kerberos V5 for user authentication,integrity checking,and encrypts NFS traffic to prevent traffic sniffing. This is the most
secure setting,but it also involves the most performance overhead.
Ubuntu 16.04:谈判.
来自man nfs:
sec=flavor
The security flavor to use for accessing files on this
mount point. If the server does not support this fla‐
vor,the mount operation fails. If sec= is not speci‐
fied,the client attempts to find a security flavor that
both the client and the server supports. Valid flavors
are none,sys,krb5,krb5i,and krb5p. Refer to the
SECURITY CONSIDERATIONS section for details.
OSX 10.12:谈判.
来自man mount_nfs:
sec=<mechanism>
Force a specific security mechanism to be used for the mount,where mechanism is one of: krb5p,or sys. When this
option is not given the security mechanism will be negotiated
transparently with the remote server.
