为什么 mount 命令中不需要 '-o sec=krb5p'？

Question

RHEL/CentOS 7：默认为 AUTH_SYS。

sec=mode
    Its default setting is sec=sys, which uses local UNIX UIDs and GIDs. These use
        AUTH_SYS to authenticate NFS operations."
    sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to 
        authenticate users.
    sec=krb5i uses Kerberos V5 for user authentication and performs integrity
        checking of NFS operations using secure checksums to prevent
        data tampering.
    sec=krb5p uses Kerberos V5 for user authentication, integrity checking,
        and encrypts NFS traffic to prevent traffic sniffing. This is the most
        secure setting, but it also involves the most performance overhead.

Ubuntu 16.04：已协商。

从man nfs：

sec=flavor
    The security flavor to use for accessing files  on  this
    mount  point.   If the server does not support this fla‐
    vor, the mount operation fails.  If sec= is  not  speci‐
    fied, the client attempts to find a security flavor that
    both the client and the server supports.  Valid  flavors
    are  none,  sys,  krb5,  krb5i, and krb5p.  Refer to the
    SECURITY CONSIDERATIONS section for details.

OSX 10.12：已协商。

从man mount_nfs：

sec=<mechanism>
    Force a specific security mechanism to be used for the mount,
    where mechanism is one of: krb5p, krb5i, krb5, or sys.  When this
    option is not given the security mechanism will be negotiated
    transparently with the remote server.

Answer 1

RHEL/CentOS 7：默认为 AUTH_SYS。

从RHEL 7 文档：

sec=mode
    Its default setting is sec=sys, which uses local UNIX UIDs and GIDs. These use
        AUTH_SYS to authenticate NFS operations."
    sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to 
        authenticate users.
    sec=krb5i uses Kerberos V5 for user authentication and performs integrity
        checking of NFS operations using secure checksums to prevent
        data tampering.
    sec=krb5p uses Kerberos V5 for user authentication, integrity checking,
        and encrypts NFS traffic to prevent traffic sniffing. This is the most
        secure setting, but it also involves the most performance overhead.

Ubuntu 16.04：已协商。

从man nfs：

sec=flavor
    The security flavor to use for accessing files  on  this
    mount  point.   If the server does not support this fla‐
    vor, the mount operation fails.  If sec= is  not  speci‐
    fied, the client attempts to find a security flavor that
    both the client and the server supports.  Valid  flavors
    are  none,  sys,  krb5,  krb5i, and krb5p.  Refer to the
    SECURITY CONSIDERATIONS section for details.

OSX 10.12：已协商。

从man mount_nfs：

sec=<mechanism>
    Force a specific security mechanism to be used for the mount,
    where mechanism is one of: krb5p, krb5i, krb5, or sys.  When this
    option is not given the security mechanism will be negotiated
    transparently with the remote server.

为什么 mount 命令中不需要 '-o sec=krb5p'？

答案1

RHEL/CentOS 7：默认为 AUTH_SYS。

Ubuntu 16.04：已协商。

OSX 10.12：已协商。

相关内容