CN113709100A - Shared file access control method, device, equipment and readable storage medium


Info

Publication number: CN113709100A
Authority: CN (China)
Prior art keywords: client, shared file, real, access, nfs
Legal status: Granted
Application number: CN202110806676.XA
Other languages: Chinese (zh)
Other versions: CN113709100B (en)
Inventor: 李光辉
Current assignee: Suzhou Inspur Intelligent Technology Co Ltd
Original assignee: Suzhou Inspur Intelligent Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/256 NAT traversal

Abstract

The application discloses a shared file access control method, device, equipment and readable storage medium. The method comprises the following steps: receiving an NFS message sent by a client through a network address translation network; parsing the NFS message and determining the real IP of the client and the shared file requested to be accessed, wherein a field corresponding to the real IP is added to the NFS message; judging by means of the real IP whether the client has the right to access the shared file; if so, allowing the client to access the shared file; and if not, prohibiting the client from accessing the shared file. Because a field corresponding to the real IP is added to the NFS message, the real IP of the client survives NAT traversal, so the client can still access the NFS shared file when a NAT exists in the network between the client and the server.

Description

Shared file access control method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for controlling access to a shared file.
Background
On an NFS (Network File System) server, the client network segments permitted to access a share must be configured; only clients within the configured range can mount the share successfully and access it.
However, when a Network Address Translation (NAT) network sits between the client and the server, the real IP of the client is replaced by the NAT device, which prevents the client from mounting the NFS share; that is, the client cannot access the corresponding shared file.
In summary, how to implement shared file access across a NAT network is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application aims to provide a shared file access control method, a device, equipment and a readable storage medium, and file sharing access is realized under an NAT network.
In order to solve the technical problem, the application provides the following technical scheme:
a shared file access control method, comprising:
receiving an NFS message sent by a client through a network address translation network;
parsing the NFS message, and determining the real IP of the client and the shared file requested to be accessed, wherein a field corresponding to the real IP is added to the NFS message;
judging whether the client has the right to access the shared file or not by using the real IP;
if so, allowing the client to access the shared file;
and if not, forbidding the client to access the shared file.
Preferably, analyzing the NFS packet, and determining the real IP of the client and the shared file requested to be accessed includes:
analyzing the NFS message, and determining a real IP ciphertext of the client and the shared file requested to be accessed;
and decrypting the real IP ciphertext to obtain the real IP.
Preferably, the determining whether the client has the right to access the shared file by using the real IP includes:
judging whether the real IP belongs to a client network segment corresponding to the shared file;
if so, determining that the client has the right to access the shared file;
if not, determining that the client does not have access to the shared file.
Preferably, after analyzing the NFS packet and determining the real IP of the client and the shared file requested to be accessed, before determining whether the client has the right to access the shared file by using the real IP, the method further includes:
sending random plaintext data to the client;
receiving ciphertext data fed back by the client and obtained by encrypting the random plaintext data by using a shared key;
verifying the validity of the ciphertext data by using the shared key;
and after the verification is passed, executing the step of judging whether the client has the right to access the shared file by utilizing the real IP.
Preferably, the method further comprises the following steps:
generating a random character string, and encrypting the random character string by using the shared secret key;
and sending the encrypted random character string to the client so that the client can use the random character string as a mark for successful authentication after decrypting the random character string.
Preferably, the determining whether the client has the right to access the shared file by using the real IP includes:
if the client has the mark of successful authentication, judging whether the real IP corresponds to the registered converted IP;
if so, determining that the client has the right to access the shared file.
Preferably, the method further comprises the following steps:
after reaching the authentication updating period, generating a new random character string, and encrypting the new random character string by using the shared secret key;
and sending the encrypted new random character string to the client, so that the client updates the mark of successful authentication by using the new random character string after decrypting the new random character string.
A shared file access control apparatus comprising:
the message receiving module is used for receiving an NFS message sent by a client through a network address translation network;
the message analysis module is used for analyzing the NFS message and determining the real IP of the client and the shared file which is requested to be accessed; adding a field corresponding to the real IP in the NFS message;
the authentication module is used for judging whether the client has the right to access the shared file by utilizing the real IP;
the access control module is used for allowing the client to access the shared file if the client has the right to access the shared file; and if the client does not have the right to access the shared file, forbidding the client to access the shared file.
An electronic device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the shared file access control method when executing the computer program.
A readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the above-mentioned shared file access control method.
By applying the method provided by the embodiment of the application, the NFS message sent by the client by utilizing the network address translation network is received; analyzing the NFS message, and determining the real IP of the client and the shared file requested to be accessed; wherein, a field corresponding to the real IP is added in the NFS message; judging whether the client has the right to access the shared file or not by using the real IP; if yes, allowing the client to access the shared file; and if not, prohibiting the client from accessing the shared file.
In the application, firstly, the NFS message is improved to add a field corresponding to a real IP. Therefore, after receiving the NFS message sent by the client through the network address translation network, the real IP of the client and the shared file requested to be accessed can be obtained by analyzing the NFS message. It is determined whether the client has access to the shared file based on the true IP, and the client is allowed to access the shared file when it is determined that the client has access. That is to say, the real IP corresponding field is added in the NFS message, so that the client can penetrate the NAT through the real IP, and the client can also access the NFS shared file when the NAT exists in the network of the client and the server.
Accordingly, embodiments of the present application further provide a shared file access control device, an apparatus, and a readable storage medium corresponding to the shared file access control method, which have the above technical effects and are not described herein again.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application or in the related art, the drawings needed for describing them are briefly introduced below. The drawings in the following description show only some embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of an implementation of a shared file access control method in an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a shared file access control apparatus according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart illustrating a shared file access control method according to an embodiment of the present application, where the method is specifically applicable to an NFS server (hereinafter, referred to as a server). The method comprises the following steps:
S101, receiving an NFS message sent by a client through a network address translation network.
The client is specifically a client corresponding to the NFS.
In the present application, the transmission network between the client and the server may include network address translation. That is, under the transmission mechanism of a network address translation network, the client sends a normal message to the server, and the client IP carried in that message is address-mapped inside the network address translation network, so that the client IP address in the message received by the server is no longer the real IP of the client but the mapped address. Since this IP is not the real IP, the server cannot authenticate the client against it, and a client that sends messages through network address translation therefore cannot access the NFS share.
It should be noted that, in the embodiment of the present application, in order to let a client that initiates shared access through a network address translation network be served normally, a field corresponding to the real IP of the client is added to the NFS message. That is to say, on top of the conventional NFS message, the NFS message sent by the client to the server carries an additional field holding the real IP. Therefore, even if the NFS message is subjected to the IP address mapping of the network address translation network, that mapping only rewrites the conventional part of the NFS message, and the additional real IP field is not mapped or adjusted. The NFS message received by the server thus still carries a field corresponding to the real IP of the client.
Of course, in practical application, for convenience of parsing, a type description field may also be added to the NFS message. That is, compared with the conventional NFS message, the NFS message in this embodiment adds a field corresponding to the real IP of the client and a type description field for that field. The length of the field corresponding to the real IP may specifically be 4 bytes; of course, after processing such as encryption, the field may have another specific length.
S102, analyzing the NFS message, and determining the real IP of the client and the shared file requested to be accessed.
In this embodiment, the NFS message received by the server additionally has a field corresponding to the real IP of the client, compared with the conventional NFS message, so that the server analyzes the NFS message, and can determine not only the shared file requested to be accessed by the client, but also the real IP of the client.
It should be noted that, because a field corresponding to the real IP of the client is added to the NFS message, the NFS protocol used to parse the message also needs to be adapted accordingly: for example, the position of the field corresponding to the real IP and the specific parsing method need to be defined. Their specific implementation may follow the definition and parsing of existing fields in the NFS protocol and is not described in detail here.
S103, judging whether the client has the right to access the shared file by using the real IP.
After the real IP of the client is obtained, whether the client has the right to access the shared file can be determined by using the real IP.
Since the real IP of the client can now be determined, whether the client has the right to access the shared file can be decided in the same way as for a conventional client that is not behind NAT. The specific implementation process comprises the following steps:
step one, judging whether a real IP belongs to a client network segment corresponding to a shared file;
step two, if yes, determining that the client has the right to access the shared file;
and step three, if not, determining that the client does not have the right to access the shared file.
For convenience of description, the above three steps will be described in combination.
The client network segments allowed to access a share can be configured on the server in advance; that is, only clients within the configured range can mount the share successfully and access it. Of course, the server may also perform QoS (Quality of Service, i.e. the degree to which the characteristics of a service satisfy the stated and implied requirements of the party being served) selection according to the IP network segment of the client, so that clients with a higher priority receive a better service experience.
And determining whether the client has the right to access the shared file by judging whether the real IP is in the client network corresponding to the shared file. Specifically, if the real IP is in the client network corresponding to the shared file, it is determined that the client has the right to access the shared file; otherwise, the client is determined not to have access to the shared file.
After the judgment result of whether the client has the right to access the shared file is obtained, different subsequent steps can be executed based on different judgment results. Specifically, if the determination result is that the client has the right to access the shared file, step S104 is executed; if the determination result is that the client does not have access to the shared file, step S105 is executed.
S104, allowing the client to access the shared file.
Specifically, the client is allowed to perform corresponding mount operation, and after the mount is successful, the access service of the shared file is provided for the client, so that the client can access the shared file.
S105, prohibiting the client from accessing the shared file.
Specifically, the mount of the client may be prohibited, or even if the mount is successful, the access service of the shared file may not be provided to the client, so as to block the client from accessing the shared file.
It should be noted that, based on the above embodiments, the embodiments of the present application also provide corresponding improvements. In the preferred/improved embodiment, the same steps as those in the above embodiment or corresponding steps may be referred to each other, and corresponding advantageous effects may also be referred to each other, which are not described in detail in the preferred/improved embodiment herein.
Preferably, the NFS message itself is improved so that it can still carry the field corresponding to the real IP of the client after NAT processing. To protect the real IP effectively and prevent an illegitimate user from hijacking the NFS message and impersonating a legitimate client to gain unauthorized access, the real IP in the NFS message can be further protected. Specifically, the real IP may be encrypted before it is placed in the NFS message. Correspondingly, parsing the NFS message in step S102 and determining the real IP of the client and the shared file requested to be accessed specifically includes:
step one, analyzing an NFS message, and determining a real IP ciphertext of a client and a shared file requested to be accessed;
and step two, decrypting the real IP ciphertext to obtain the real IP.
For convenience of description, the above two steps will be described in combination.
The client and the server can agree on a common secret key. When the client generates the NFS message, it encrypts the real IP with this key and places the resulting real IP ciphertext at the position of the field corresponding to the real IP in the NFS message. In this embodiment, the IP before and after encryption may have different byte lengths, and a specific key can be selected and applied according to the actual situation, which is not enumerated here.
After receiving the NFS message, the server parses it to obtain the real IP ciphertext and then decrypts the ciphertext to obtain the real IP. Therefore, even if the NFS message is maliciously hijacked in transit, the secret key prevents the real IP of the client from being leaked, and the corresponding shared file is further protected from access by a malicious user.
Preferably, in order to better limit which clients may visit, the server may add a public key for a single share or for all shares globally. When the client carries a real IP address for mounting, the server can initiate a key challenge to the client. Specifically, after the NFS message is parsed in step S102 and the real IP of the client and the shared file requested to be accessed are determined, and before step S103 decides by means of the real IP whether the client may access the shared file, the following steps may be further performed:
step one, sending random plaintext data to the client;
step two, receiving ciphertext data fed back by the client, obtained by encrypting the random plaintext data with the shared key;
step three, verifying the validity of the ciphertext data by using the shared key;
step four, after the verification is passed, executing step S103 to determine whether the client has the right to access the shared file by using the real IP.
For convenience of description, the above steps will be described in combination.
The server sends a random segment of unencrypted data, i.e. random plaintext data, to the client; the client encrypts it with the shared key and returns it to the server; and the server verifies the validity of the encrypted data with its stored shared key. Specifically, when the encrypted data is valid, the key challenge is deemed successful, that is, the verification passes; otherwise, the verification fails. After the verification passes, step S103 may be performed; when the verification fails, step S103 need not be performed.
Of course, in practical applications, the key challenge may be performed first, and then step S101 is performed.
Further, in order to simplify the server's authentication of clients accessing the shared file, after the key challenge succeeds, an authentication success mark can be returned to the client, so that subsequently the server can authenticate the client simply by comparing the real IP with the translated IP. That is, after the verification passes, the following steps may also be performed:
generating a random character string, and encrypting the random character string by using a shared secret key;
and sending the encrypted random character string to the client so that the client can use the random character string as a mark for successful authentication after decrypting the random character string.
That is to say, after the key challenge succeeds, the server generates a random string as a mark of successful authentication, encrypts it with the shared key and sends it to the client. Subsequently, the server can authenticate the client simply by comparing the real IP with the translated IP. In that case, judging whether the client has the right to access the shared file by using the real IP specifically comprises: if the client has the mark of successful authentication, judging whether the real IP corresponds to the registered translated IP; if so, determining that the client has the right to access the shared file; if not, determining that the client does not have the right to access the shared file.
Furthermore, the mark of successful authentication can be updated to further guarantee the security of the shared file. After the authentication update period is reached, a new random string is generated and encrypted with the shared key, and the encrypted new random string is sent to the client, so that the client decrypts it and updates its mark of successful authentication with the new random string. For example, when the authentication update period (for example, one week or another preset duration) is reached, the client must encrypt the random string sent by the server and send it to the server; the server decrypts and verifies the received string and, after the verification succeeds, generates a new random string, encrypts it and sends it to the client. The authentication update operation thus ensures that the client remains valid.
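As an added illustration (not code from the patent or its assignee), the following models steps S101 to S103 with the encrypted real-IP field and the key challenge described above. The wire layout (length-prefixed share path followed by a tag, length and value for the added field), the tag byte 0xA1 and the HMAC-SHA256 encrypt-then-MAC construction standing in for the unspecified "encryption with the shared key" are assumptions chosen so the example runs on the Python standard library alone.

```python
"""Model of the real-IP field and key challenge from the method above.

Constructed illustration, not the patent's code. Assumed: the wire layout,
the tag value REAL_IP_TAG, and HMAC-SHA256 encrypt-then-MAC as the cipher.
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct
from dataclasses import dataclass

REAL_IP_TAG = 0xA1            # assumed type-description byte for the real-IP field
NONCE_LEN, TAG_LEN = 12, 16

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent keystream and MAC keys from the single shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(ek: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(ek, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh nonce per call."""
    ek, mk = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the tag is missing or wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated ciphertext")
    ek, mk = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mk, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag")               # hijacked or forged field
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))

@dataclass
class Packet:
    src_ip: str      # IP-header source address: rewritten by NAT
    payload: bytes   # NFS message body: carried through NAT untouched

def build_request(key: bytes, share: str, real_ip: str) -> bytes:
    """Client side (S101): conventional part plus the added, encrypted real-IP field."""
    path = share.encode()
    field = seal(key, ipaddress.IPv4Address(real_ip).packed)    # 4 bytes before encryption
    return struct.pack(">H", len(path)) + path + bytes([REAL_IP_TAG, len(field)]) + field

def nat(pkt: Packet, public_ip: str) -> Packet:
    """Address translation maps only the header address, not the message body."""
    return Packet(public_ip, pkt.payload)

def parse_request(key: bytes, payload: bytes) -> tuple:
    """Server side (S102): recover the share path and decrypt the real IP."""
    (n,) = struct.unpack(">H", payload[:2])
    share, rest = payload[2:2 + n].decode(), payload[2 + n:]
    if len(rest) < 2 or rest[0] != REAL_IP_TAG or len(rest) - 2 < rest[1]:
        raise ValueError("real-IP field missing or truncated")
    return share, str(ipaddress.IPv4Address(unseal(key, rest[2:2 + rest[1]])))

def authorized(exports: dict, share: str, real_ip: str) -> bool:
    """S103: the real IP must lie in a client segment configured for that share."""
    addr = ipaddress.IPv4Address(real_ip)
    return any(addr in ipaddress.IPv4Network(seg) for seg in exports.get(share, ()))

def make_challenge() -> bytes:
    return secrets.token_bytes(16)                # random plaintext data from the server

def client_answer(key: bytes, challenge: bytes) -> bytes:
    return seal(key, challenge)                   # client encrypts it with the shared key

def verify_answer(key: bytes, challenge: bytes, answer: bytes) -> bool:
    """Server checks the returned ciphertext; any decoding failure is a rejection."""
    try:
        return hmac.compare_digest(unseal(key, answer), challenge)
    except ValueError:
        return False

def demo() -> tuple:
    """Constructed walk-through: client 10.1.2.3 behind a NAT whose public address is 203.0.113.7."""
    key = secrets.token_bytes(32)                 # shared key agreed out of band
    exports = {"/export/data": ["10.1.0.0/16"]}   # constructed export configuration
    pkt = nat(Packet("10.1.2.3", build_request(key, "/export/data", "10.1.2.3")), "203.0.113.7")
    share, real_ip = parse_request(key, pkt.payload)
    ch = make_challenge()
    passed = verify_answer(key, ch, client_answer(key, ch))
    return share, real_ip, pkt.src_ip, authorized(exports, share, real_ip), passed
```

The server authorizes on the decrypted real IP (10.1.2.3) even though the packet arrives from the translated address, and a response encrypted under the wrong key or tampered in transit fails the challenge.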
Corresponding to the above method embodiments, the present application further provides a shared file access control device, and the shared file access control device described below and the shared file access control method described above may be referred to in correspondence.
Referring to fig. 2, the apparatus includes the following modules:
a message receiving module 101, configured to receive an NFS message sent by a client through a network address translation network;
the message analysis module 102 is configured to analyze the NFS message, and determine a real IP of the client and a shared file requested to be accessed; wherein, a field corresponding to the real IP is added in the NFS message;
the authentication module 103 is used for judging whether the client has the right to access the shared file by using the real IP;
an access control module 104, configured to allow the client to access the shared file if the client has the right to access the shared file; and if the client does not have the right to access the shared file, the client is prohibited from accessing the shared file.
In a specific embodiment of the present application, the message parsing module 102 is specifically configured to parse an NFS message, and determine a real IP ciphertext of a client and a shared file requested to be accessed; and decrypting the real IP ciphertext to obtain the real IP.
In a specific embodiment of the present application, the authentication module 103 is specifically configured to determine whether a real IP belongs to a client network segment corresponding to a shared file; if so, determining that the client has the right to access the shared file; if not, determining that the client does not have access to the shared file.
In one embodiment of the present application, the apparatus further includes:
the key challenge module is used for sending random plaintext data to the client before judging whether the client has the right to access the shared file by utilizing the real IP after analyzing the NFS message and determining the real IP of the client and the shared file requested to access; receiving ciphertext data fed back by the client and obtained by encrypting the random plaintext data by using the shared secret key; verifying the validity of the ciphertext data by using the shared key; and after the verification is passed, executing a step of judging whether the client has the right to access the shared file by using the real IP.
In one embodiment of the present application, the apparatus further includes:
the authentication marking module is used for generating a section of random character string after the verification is passed and encrypting the random character string by using the shared secret key; and sending the encrypted random character string to the client so that the client can use the random character string as a mark for successful authentication after decrypting the random character string.
In a specific embodiment of the present application, the authentication module 103 is specifically configured to determine, if the client carries the mark of successful authentication, whether the real IP corresponds to the registered converted IP; if so, it is determined that the client has the right to access the shared file.
In one embodiment of the present application, the apparatus further includes:
an authentication updating module, configured to generate a new random character string once the authentication update period has elapsed, encrypt the new random character string with the shared key, and send the encrypted new random character string to the client, so that the client, after decrypting it, updates its mark of successful authentication with the new random character string.
Corresponding to the above method embodiment, an embodiment of the present application further provides an electronic device; the electronic device described below and the shared file access control method described above may be referred to in correspondence with each other.
Referring to fig. 3, the electronic device includes:
a memory 332 for storing a computer program;
a processor 322 for implementing the steps of the shared file access control method of the above method embodiment when executing the computer program.
Specifically, referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device provided in this embodiment. The electronic device may vary considerably in configuration and performance, and may include one or more processors (CPUs) 322 and a memory 332, where the memory 332 stores one or more computer applications 342 or data 344. Memory 332 may be transient or persistent storage. The program stored in memory 332 may include one or more modules (not shown), each of which may include a sequence of instructions operating on a data processing device. Further, the central processor 322 may be configured to communicate with the memory 332 so as to execute the series of instruction operations stored in the memory 332 on the electronic device 301.
The electronic device 301 may also include one or more power sources 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341.
The steps of the shared file access control method described above may be implemented by the structure of the electronic device.
Corresponding to the above method embodiment, an embodiment of the present application further provides a readable storage medium; the readable storage medium described below and the shared file access control method described above may be referred to in correspondence with each other.
A readable storage medium stores a computer program which, when executed by a processor, carries out the steps of the shared file access control method of the above method embodiment.
The readable storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other readable storage medium capable of storing program code.
Those skilled in the art will further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or a combination of both, and that, to illustrate this interchangeability of hardware and software clearly, the various illustrative components and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

Claims (10)

1. A shared file access control method, comprising:
receiving an NFS message sent by a client through a network address translation network;
parsing the NFS message, and determining the real IP of the client and the shared file requested to be accessed, a field corresponding to the real IP having been added to the NFS message;
judging whether the client has the right to access the shared file using the real IP;
if so, allowing the client to access the shared file;
and if not, forbidding the client to access the shared file.
2. The method according to claim 1, wherein parsing the NFS message and determining the real IP of the client and the shared file requested to be accessed comprises:
parsing the NFS message, and determining the real IP ciphertext of the client and the shared file requested to be accessed;
and decrypting the real IP ciphertext to obtain the real IP.
3. The method according to claim 1, wherein judging whether the client has the right to access the shared file using the real IP comprises:
judging whether the real IP belongs to the client network segment corresponding to the shared file;
if so, determining that the client has the right to access the shared file;
if not, determining that the client does not have the right to access the shared file.
4. The method according to any one of claims 1 to 3, wherein after parsing the NFS message and determining the real IP of the client and the shared file requested to be accessed, and before judging whether the client has the right to access the shared file using the real IP, the method further comprises:
sending random plaintext data to the client;
receiving ciphertext data fed back by the client, obtained by encrypting the random plaintext data with a shared key;
verifying the validity of the ciphertext data using the shared key;
and after the verification passes, executing the step of judging whether the client has the right to access the shared file using the real IP.
5. The shared file access control method according to claim 4, further comprising, after the verification passes:
generating a random character string, and encrypting the random character string with the shared key;
and sending the encrypted random character string to the client, so that the client, after decrypting it, can use the random character string as a mark of successful authentication.
6. The method according to claim 5, wherein judging whether the client has the right to access the shared file using the real IP comprises:
if the client carries the mark of successful authentication, judging whether the real IP corresponds to the registered converted IP;
if so, determining that the client has the right to access the shared file.
7. The shared file access control method according to claim 5, further comprising:
after the authentication update period has elapsed, generating a new random character string, and encrypting the new random character string with the shared key;
and sending the encrypted new random character string to the client, so that the client, after decrypting it, updates the mark of successful authentication with the new random character string.
8. A shared file access control apparatus, comprising:
a message receiving module, configured to receive an NFS message sent by a client through a network address translation network;
a message parsing module, configured to parse the NFS message and determine the real IP of the client and the shared file requested to be accessed, a field corresponding to the real IP having been added to the NFS message;
an authentication module, configured to judge whether the client has the right to access the shared file using the real IP;
an access control module, configured to allow the client to access the shared file if the client has the right to access the shared file, and to forbid the client from accessing the shared file if it does not.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the shared file access control method according to any one of claims 1 to 7 when executing the computer program.
10. A readable storage medium, having stored thereon a computer program which, when executed by a processor, carries out the steps of the shared file access control method according to any one of claims 1 to 7.
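The description above (message parsing module 102, authentication module 103, key challenge module and authentication marking module) and claims 1 to 7 describe one server-side procedure: parse the NFS message, decrypt the added real-IP field, optionally run a challenge-response under the shared key, then check the real IP against the client network segment of the requested share. The following Python is an added example written to illustrate that procedure; it is not code from the patent or its applicant. The patent fixes neither the message layout nor the cipher, so the length-prefixed framing, the HMAC-SHA256 counter-mode keystream with an appended tag, the HMAC challenge response, the export table and the key value are all assumptions constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed values for the example; a real deployment provisions the shared key out of band.
SHARED_KEY = b"constructed-shared-key-for-example"
NONCE_LEN, TAG_LEN = 12, 16

# Assumed export table: the client network segment allowed for each shared file (claim 3).
EXPORTS = {
    "/export/finance": ipaddress.ip_network("10.1.0.0/24"),
    "/export/public": ipaddress.ip_network("10.0.0.0/8"),
}


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a stand-in for the cipher the patent leaves unspecified."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, data, nonce=None):
    """Encrypt-then-MAC: nonce || ciphertext || tag, so a forged or tampered field is rejected."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; raises ValueError on a bad or truncated field."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed field too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_message(share, real_ip, key=SHARED_KEY, nonce=None):
    """Client side: assumed framing of the share path plus the added real-IP field (claim 1)."""
    share_b = share.encode()
    field = seal(key, ipaddress.ip_address(real_ip).packed, nonce)
    return struct.pack(">H", len(share_b)) + share_b + struct.pack(">H", len(field)) + field


def parse_message(msg):
    """Server side: recover the requested share and the real-IP ciphertext (claim 2)."""
    (n,) = struct.unpack_from(">H", msg, 0)
    share = msg[2:2 + n].decode()
    (m,) = struct.unpack_from(">H", msg, 2 + n)
    return share, msg[4 + n:4 + n + m]


def challenge_response(key, challenge):
    """Client's answer to the random plaintext (claim 4); keyed HMAC stands in for encryption."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def issue_auth_mark(key=SHARED_KEY):
    """Server side: a random string sealed under the shared key (claims 5 and 7)."""
    mark = os.urandom(16)
    return mark, seal(key, mark)


def authorize(msg, key=SHARED_KEY, respond=None):
    """Return (allowed, reason) for one NFS request received across NAT."""
    share, field = parse_message(msg)
    try:
        real_ip = ipaddress.ip_address(open_sealed(key, field))
    except ValueError as exc:
        return False, f"real-IP field rejected: {exc}"
    if respond is not None:
        # Challenge step: the client must transform fresh random data under the shared key.
        challenge = os.urandom(16)
        if not hmac.compare_digest(respond(challenge), challenge_response(key, challenge)):
            return False, "challenge-response failed"
    net = EXPORTS.get(share)
    if net is None:
        return False, f"no export for {share}"
    if real_ip in net:
        return True, f"{real_ip} is in {net}"
    return False, f"{real_ip} is not in {net}"


if __name__ == "__main__":
    request = build_message("/export/finance", "10.1.0.7")
    print(authorize(request, respond=lambda c: challenge_response(SHARED_KEY, c)))
```

The integrity tag on the real-IP field is the detail the example adds beyond the claims: a real-IP field that is merely encrypted could be replayed or bit-flipped by anyone on the NAT path, whereas a tagged field is rejected outright, and the subnet check then operates only on a value the server has verified came from a holder of the shared key.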
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202110806676.XA (CN113709100B) 2021-07-16 2021-07-16 Shared file access control method, device, equipment and readable storage medium Active

Publications (2)

Publication Number Publication Date
CN113709100A true CN113709100A (en) 2021-11-26
CN113709100B CN113709100B (en) 2022-12-27

Family

ID=78648748


Country Status (1)

Country Link
CN (1) CN113709100B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0794479A1 (en) * 1996-03-04 1997-09-10 Sun Microsystems, Inc. Method and apparatus for providing dynamic network file system client authentication
US8874907B1 (en) * 2007-09-28 2014-10-28 Symantec Operating Corporation Controlling access to an NFS share
CN104519109A (en) * 2013-09-30 2015-04-15 张永杰 Method and device for sharing file among multiple devices
CN110213334A (en) * 2019-04-30 2019-09-06 视联动力信息技术股份有限公司 Transmission method and device for a shared file
CN111225020A (en) * 2019-11-07 2020-06-02 苏州浪潮智能科技有限公司 User mode network file system dual-stack access method, device and equipment
CN112637367A (en) * 2021-03-09 2021-04-09 武汉绿色网络信息服务有限责任公司 File sharing method, device, equipment and storage medium based on home network


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
程延锋 et al.: "Research on Security Management Based on NFS File Sharing Resources" (基于NFS文件共享资源的安全管理研究), Network Security Technology & Application (网络安全技术与应用) *

Also Published As

Publication number Publication date
CN113709100B (en) 2022-12-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant