I have an NFS server on CentOS 7 with this in the /etc/exports file:
/export *(rw,sec=krb5p)
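When I issue this command, it mounts successfully as expected:
mount -t nfs -o sec=krb5p server.example.com:/export /mnt/export
It also mounts successfully in response to this command:
mount -t nfs server.example.com:/export /mnt/export
In both cases, running findmnt shows that the sec=krb5p option is in use. In the second case, does the mount command have a hidden default, or does the client talk to the NFS server and discover that sec=krb5p is the only allowed option?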
RHEL/CentOS 7: defaults to AUTH_SYS.
sec=mode
Its default setting is sec=sys, which uses local UNIX UIDs and GIDs. These use AUTH_SYS to authenticate NFS operations.
sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.
sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
sec=krb5p uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also involves the most performance overhead.
Ubuntu 16.04: negotiated.
From man nfs:
sec=flavor
The security flavor to use for accessing files on this mount point. If the server does not support this flavor, the mount operation fails. If sec= is not specified, the client attempts to find a security flavor that both the client and the server supports. Valid flavors are none, sys, krb5, krb5i, and krb5p. Refer to the SECURITY CONSIDERATIONS section for details.
OSX 10.12: negotiated.
From man mount_nfs:
sec=<mechanism>
Force a specific security mechanism to be used for the mount, where mechanism is one of: krb5p, or sys. When this option is not given the security mechanism will be negotiated transparently with the remote server.
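When sec= is left off the mount command, the flavor in use is whatever the client defaulted to or negotiated, so it is worth checking what each mount actually ended up with. The script below is an added example, not part of the original question or answer: it reads mount entries in /proc/mounts format and lists NFS mounts whose sec= flavor differs from the required one. The function names and the sample data (including the /scratch export and the 192.0.2.10 address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the security flavor NFS mounts actually use.
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# Reads mount entries on stdin, prints "mountpoint flavor" for each
# nfs/nfs4 mount. "unknown" is printed if no sec= option is present.
nfs_sec_flavors() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        flavor = "unknown"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^sec=/) flavor = substr(opts[i], 5)
        print $2, flavor
    }'
}

# Reads mount entries on stdin, prints only the NFS mounts whose
# flavor is not the one given as $1 (for example krb5p).
nfs_sec_violations() {
    nfs_sec_flavors | awk -v want="$1" '$2 != want'
}

# Constructed sample input: one krb5p mount, one sys mount, one local disk.
sample_mounts() {
    cat <<'EOF'
server.example.com:/export /mnt/export nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=192.0.2.10 0 0
server.example.com:/scratch /mnt/scratch nfs4 rw,relatime,vers=4.1,sec=sys,clientaddr=192.0.2.10 0 0
/dev/sda1 / xfs rw,relatime 0 0
EOF
}

# Demo on the constructed sample; prints the one mount not using krb5p.
sample_mounts | nfs_sec_violations krb5p

# On a live Linux client:
#   nfs_sec_violations krb5p < /proc/mounts
```
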