配置安全的网络nfs文件共享服务
由于本人是使用的rhce模拟考试环境来做的本题目,所以文中说到的实验脚本和评分脚本,以及krb5.keytab文件只有我本套环境独有,如果自己做练习可以不去使用实验脚本和评分脚本,直接进行配置服务并挂载就可以。
对此套环境有兴趣的朋友可以给我留言,看到必回复。
1、首先
服务端(server0)和客户端(desktop0)执行实验脚本
[root@server0 ~]# lab nfskrb5 setup
[root@desktop0 ~]# lab nfskrb5 setup
2、配置服务端(server0)
2.1 下载kerberos秘钥
[root@server0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab
---- ::-- http://classroom.example.com/pub/keytabs/server0.keytab
Resolving classroom.example.com (classroom.example.com)... 172.25.254.254
Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:... connected.
HTTP request sent, awaiting response... OK
Length: (.2K)
Saving to: ‘/etc/krb5.keytab’ %[==============================================================================>] , --.-K/s in 0s -- :: ( MB/s) - ‘/etc/krb5.keytab’ saved [/]
2.2 修改nfs配置文件
[root@server0 ~]# vim /etc/sysconfig/nfs
...
RPCNFSDARGS="-V 4.2"
...
使用4.2版本,nfs挂载的时候可以将selinux安全上下文同时导出
2.3 启动nfs-secure-server服务并设置开机自动启动
[root@server0 ~]# systemctl start nfs-secure-server
[root@server0 ~]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
[root@server0 ~]#
2.4 创建共享文件夹并且将文件夹写入/etc/exportfs文件中
[root@server0 ~]# mkdir /securenfs
[root@server0 ~]# chown nfsnobody /securenfs/
[root@server0 ~]# ll -d !$
ll -d /securenfs/
drwxr-xr-x. nfsnobody root Apr : /securenfs/ [root@server0 ~]# vim /etc/exports
...
/securenfs desktop0(sec=krb5p,rw)
... [root@server0 ~]# exportfs -r
[root@server0 ~]# exportfs
/securenfs desktop0.example.com
2.5 配置防火墙
[root@server0 ~]# firewall-cmd --permanent --add-service=nfs
success
[root@server0 ~]# firewall-cmd --reload
success
[root@server0 ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client nfs ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
3、配置客户端(dekstop0)
3.1 下载秘钥文件
[root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab
3.2 启动nfs-secure 服务并开机自启动
[root@desktop0 ~]# systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
[root@desktop0 ~]# systemctl start nfs-secure
3.3 创建挂载点并设定开机自动挂载
[root@desktop0 ~]# mkdir /mnt/secureshare
[root@desktop0 ~]# vim /etc/fstab server0:/securenfs /mnt/secureshare nfs defaults,rw,v4.,sec=krb5p
4、测试
4.1 在server0上建立测试文件
[root@server0 ~]# echo "Hello World" >> /securenfs/testfile.txt
临时更改该文件的selinux安全上下文,更改文件的拥有者和权限
[root@server0 ~]# chcon -t public_content_t /securenfs/testfile.txt
[root@server0 ~]# chown ldapuser0:ldapuser0 /securenfs/testfile.txt
[root@server0 ~]# chmod /securenfs/testfile.txt
[root@server0 ~]# ll -Z !$
ll -Z /securenfs/testfile.txt
-rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /securenfs/testfile.txt
[root@server0 ~]#
4.2 desktop0查看该文件
因为前边加了-V 4.2的参数,所以public_content_t这个规则也被挂载过来来了
[root@desktop0 ~]# ll -Z /mnt/secureshare/testfile.txt
-rw-r--r--. ldapuser0 ldapuser0 unconfined_u:object_r:public_content_t:s0 /mnt/secureshare/testfile.txt
[root@desktop0 ~]#
4.3用ldapuser0用户测试向该文件写入内容
[root@desktop0 ~]# ssh ldapuser0@localhost
ldapuser0@localhost's password:
Creating home directory for ldapuser0.
[ldapuser0@desktop0 ~]$ echo "I'm write" >> /mnt/secureshare/testfile.txt
[ldapuser0@desktop0 ~]$ cat !$
cat /mnt/secureshare/testfile.txt
Hello World
I'm write
[ldapuser0@desktop0 ~]$
用管理员用户写入无法写入该文件
[root@desktop0 ~]# echo "test" >> /mnt/secureshare/testfile.txt
-bash: /mnt/secureshare/testfile.txt: Permission denied
[root@desktop0 ~]#
因为当前是用kerberos安全认证
5、提交评分脚本
[root@server0 ~]# lab nfskrb5 grade
Grading Kerberos NFS...
Checking correct krb5.keytab exists... PASS
Checking for correct RPCNFSDARGS... PASS
Checking nfs-secure-server service is started... PASS
Checking nfs-server service is enabled... PASS
Checking /securenfs directory exists... PASS
Checking for correct /etc/exports file... PASS
Checking if the server knows about the exported directory... PASS Overall result: PASS
Congratulations! You've passed all requirements.
[root@desktop0 ~]# lab nfskrb5 grade
Grading exercise Kerberos NFS...
Checking correct krb5.keytab exists... PASS
Checking nfs-secure service is started... PASS
Checking nfs-secure service is enabled... PASS
Checking /mnt/secureshare directory exists...PASS
Checking for correct /etc/fstab entry for the secure export...PASS
Checking for mounted nfs share ...PASS Overall result: PASS
Congratulations! You've passed all requirements