From owner-freebsd-fs@freebsd.org Tue Oct 16 15:25:51 2018
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk
CC: freebsd-fs@freebsd.org, Felix Winterhalter
Subject: Re: NFSv4 Kerberos mount from Linux
Date: Tue, 16 Oct 2018 15:25:48 +0000
References: <30f6446c-6fed-4b1e-9cae-9c417974ec46@audiofair.de> <33A0F0BC-4AD8-4DE3-B484-42B7FB208B6A@ifm.liu.se> <20181012033145.GC3293@kduck.kaduk.org>
List-Id: Filesystems

I wrote:
> Benjamin
> Kaduk wrote:
>> I wrote:
>>>
>>> The one area you don't discuss (and maybe isn't really a problem?) is what
>>> ticket encryption type(s) you use.
>>> Kerberized NFS still uses DES (someday this may change, but I think that requires
>>> implementation of RPCSEC_GSS V3), so it needs an 8-byte session key.
In case my previous post wasn't clear, this appears to have already changed and
did not require implementation of RPCSEC_V2 or RPCSEC_GSS_v3.
>>
>> This isn't true anymore; you can use stronger session keys just fine.
>> (See also RFC 6649 -- don't use single-DES!)
> I haven't read RFC6649, but from looking at the kgssapi code in FreeBSD's
> head/current, it appears that newer encryption types are used for wrap/unwrap
> (krb5p).
> From what I can see, the following appear to be supported:
> DES, DES3, AES128, AES256, Arcfour, Arcfour_56
> (I'll have to look at RFC6649 someday, because I've never seen an RFC specifying
>  anything but DES for RPCSEC_GSS.)
> I won't even try to guess whether all of the above work for all implementations,
> but it appears that it uses whatever the session key is (krb5_key_state?).
I just received a reply to a query on the nfsv4@ietf.org mailing list and the set
of encryption types supported by Linux is the same as above except they do not
support Arcfour_56.
However, they are planning on deleting support for all encryption types except
for the AES ones.
As such, it sounds like you may need to configure Kerberos to only use those to
ensure interoperability in the future.

Hope this is useful and hasn't added to the confusion, rick
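Added example, not part of the thread: a client-side krb5.conf fragment that pins the Kerberos library to the AES enctypes the reply above says the Linux NFS client intends to keep. The option and enctype names are MIT Kerberos's (Heimdal, as shipped in FreeBSD base, spells the list option default_etypes), and the realm name is a constructed placeholder.

```ini
# Added example (MIT krb5.conf syntax); EXAMPLE.ORG is a placeholder realm.

# Weak setting: single-DES (and the other non-AES enctypes) stay permitted,
# so a KDC that still holds DES keys for an nfs/ principal can issue a
# DES-keyed service ticket and the krb5p mount silently uses it.
#[libdefaults]
#    default_realm = EXAMPLE.ORG
#    allow_weak_crypto = true

# Corrected setting: only AES ticket and session keys may be requested or
# accepted, so a mount that could only be keyed with DES fails instead of
# negotiating an enctype the peer is about to drop.
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

Restricting the client alone only turns a quiet DES negotiation into a mount failure; the nfs/ service principal on the KDC and in the server's keytab needs AES keys as well.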