Date: Tue, 16 Oct 2018 15:25:48 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>, Felix Winterhalter <felix@audiofair.de>
Subject: Re: NFSv4 Kerberos mount from Linux
Message-ID: <YQXPR0101MB11595775AC1E21B470F532A6DDFE0@YQXPR0101MB1159.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YTOPR0101MB1820C98006C57A353F5FA573DDE30@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM>
References: <30f6446c-6fed-4b1e-9cae-9c417974ec46@audiofair.de> <YTOPR0101MB1820A5756D172342AF441C25DDEA0@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM> <c1ffda48-3809-bb4c-6d97-451765b0e25e@audiofair.de> <YTOPR0101MB18207F35A3973F26C6A58F6ADDE00@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM> <33A0F0BC-4AD8-4DE3-B484-42B7FB208B6A@ifm.liu.se> <YTOPR0101MB1820439E0BFBF57DB2572E92DDE20@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM> <20181012033145.GC3293@kduck.kaduk.org> <YTOPR0101MB1820C98006C57A353F5FA573DDE30@YTOPR0101MB1820.CANPRD01.PROD.OUTLOOK.COM>
I wrote:
>Benjamin Kaduk wrote:
>>I wrote:
>>>
>>> The one area you don't discuss (and maybe isn't really a problem?) is what
>>> ticket encryption type(s) you use.
>>> Kerberized NFS still uses DES (someday this may change, but I think that requires
>>> implementation of RPCSEC_GSS V3), so it needs an 8-byte session key.
In case my previous post wasn't clear, this appears to have already changed and
did not require implementation of RPCSEC_V2 or RPCSEC_GSS_v3.
>>
>>This isn't true anymore; you can use stronger session keys just fine.
>>(See also RFC 6649 -- don't use single-DES!)
>I haven't read RFC6649, but from looking at the kgssapi code in FreeBSD's
>head/current, it appears that newer encryption types are used for wrap/unwrap
>(krb5p).
>From what I can see, the following appear to be supported:
>DES, DES3, AES128, AES256, Arcfour, Arcfour_56
>(I'll have to look at RFC6649 someday, because I've never seen an RFC specifying
> anything but DES for RPCSEC_GSS.)
>I won't even try to guess whether all of the above work for all implementations,
>but it appears that it uses whatever the session key is (krb5_key_state?).
I just received a reply to a query on the nfsv4@ietf.org mailing list and the
set of encryption types supported by Linux is the same as above except they
do not support Arcfour_56.
However, they are planning on deleting support for all encryption types
except for the AES ones.
As such, it sounds like you may need to configure Kerberos to only use those
to ensure interoperability in the future.

Hope this is useful and hasn't added to the confusion, rick
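An added example, not from this thread or from either the FreeBSD or Linux projects: a small POSIX shell check for the advice above, namely that a client should end up with AES-only session keys on its NFS tickets. It scans MIT Kerberos `klist -e` output for any session-key or ticket enctype that is not AES and prints the MIT krb5.conf `[libdefaults]` lines that restrict a client to AES. The ticket cache listing, principals and realm (`EXAMPLE.ORG`, `nfs/server.example.org`) are constructed sample data so the script runs offline; the output format is assumed to be MIT's, which is what a Linux client normally has (Heimdal on FreeBSD prints a different layout).

```shell
#!/bin/sh
# Added example (not the thread's or either project's code). Checks whether any
# Kerberos ticket in a client's cache still uses a non-AES enctype, which the
# thread reports Linux intends to drop for NFS, and shows the MIT krb5.conf
# settings that confine a client to AES. SAMPLE_KLIST is a constructed sample
# in MIT `klist -e` layout; on a real client pass "$(klist -e)" instead.

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
10/16/2018 15:00:00  10/17/2018 01:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/16/2018 15:00:05  10/17/2018 01:00:00  nfs/server.example.org@EXAMPLE.ORG
        Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
10/16/2018 15:00:07  10/17/2018 01:00:00  nfs/other.example.org@EXAMPLE.ORG
        Etype (skey, tkt): aes128-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96'

# non_aes_tickets KLIST_TEXT
# Prints "<service principal> <enctype>" for each session-key (skey) or
# ticket (tkt) enctype that is not an AES one. Exit status is 1 if any were
# found, 0 if every ticket is AES-only.
non_aes_tickets() {
    printf '%s\n' "$1" | awk '
        /^[0-9]/ { svc = $NF }                   # ticket line: last field is the service
        /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")  # keep only the two enctype names
            gsub(/,/, "")
            for (i = 1; i <= NF; i++)
                if ($i !~ /^aes/) { print svc, $i; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# aes_only_libdefaults
# Prints MIT krb5.conf [libdefaults] lines limiting the client to the AES
# enctypes: the first two control what the client asks the KDC for, and
# permitted_enctypes restricts which session-key enctypes the library accepts.
aes_only_libdefaults() {
    cat <<'EOF'
[libdefaults]
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
}

# Run against the constructed sample; the NFS ticket with a des-cbc-crc
# session key is reported and the AES-only configuration is printed.
if non_aes_tickets "$SAMPLE_KLIST"; then
    echo "all tickets use AES enctypes"
else
    echo "non-AES enctypes listed above; restrict the client with:"
    aes_only_libdefaults
fi
```

The enctype names match the AES types the thread lists (AES128, AES256); a KDC and NFS service keytab that only hold AES keys are still needed on the other side, since the client setting alone cannot produce an AES session key for a service whose keytab has none.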