NFSv4 Kerberos mount from Linux
Rick Macklem
rmacklem at uoguelph.ca
Sat Oct 13 00:44:37 UTC 2018
Benjamin Kaduk wrote:
>I wrote:
>>
>> The one area you don't discuss (and maybe isn't really a problem?) is what
>> ticket encryption type(s) you use.
>> Kerberized NFS still uses DES (someday this may change, but I think that requires
>> implementation of RPCSEC_GSS V3), so it needs an 8-byte session key.
>
>This isn't true anymore; you can use stronger session keys just fine.
>(See also RFC 6649 -- don't use single-DES!)
I haven't read RFC6649, but from looking at the kgssapi code in FreeBSD's
head/current, it appears that newer encryption types are used for wrap/unwrap
(krb5p).
From what I can see, the following appear to be supported:
DES, DES3, AES128, AES256, Arcfour, Arcfour_56
(I'll have to look at RFC6649 someday, because I've never seen an RFC specifying
anything but DES for RPCSEC_GSS.)
I won't even try to guess whether all of the above work for all implementations,
but it appears that it uses whatever the session key is (krb5_key_state?).
Peter, do you happen to know what encryption type(s) you have been using?
>> (I have never seen a documented way to convert a session key of greater than
>> 8 bytes into an 8-byte session key for RPCSEC_GSS to use. As such, I have no idea
>> what happens if you choose a ticket encryption type that results in a greater
>> than 8-byte key.)
Ignore this. I just wasn't correct.
rick
[good stuff snipped]
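Rick's question to Peter ("what encryption type(s) have you been using?") is answered on the client by the session-key enctype of the nfs/ service ticket, which is what krb5p wrap/unwrap uses. The script below is an added example, not code from this thread or from FreeBSD's kgssapi: it parses `klist -e` output (the MIT Kerberos output format is assumed; Heimdal's klist prints enctypes differently) and flags nfs/ tickets whose session key uses an enctype deprecated by RFC 6649 (single DES, export RC4) or RFC 8429 (triple DES, RC4-HMAC). The embedded klist output, principals and hostnames are constructed for the example.

```python
"""Flag NFS service tickets whose Kerberos session key enctype is deprecated.

Added example. Assumes the `klist -e` output format of MIT Kerberos:
    <valid starting>  <expires>  <service principal>
        Etype (skey, tkt): <session key enctype>, <ticket enctype>
"""
import re
from dataclasses import dataclass

# Enctype names as MIT Kerberos prints them. RFC 6649 deprecates single DES and
# the export-grade RC4 variant; RFC 8429 later deprecates triple DES and RC4-HMAC.
DEPRECATED_ENCTYPES = {
    "des-cbc-crc": "RFC 6649",
    "des-cbc-md4": "RFC 6649",
    "des-cbc-md5": "RFC 6649",
    "arcfour-hmac-exp": "RFC 6649",
    "des3-cbc-sha1": "RFC 8429",
    "arcfour-hmac": "RFC 8429",
    "arcfour-hmac-md5": "RFC 8429",
}

ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")


@dataclass
class Ticket:
    principal: str  # service principal the ticket is for
    skey: str       # session key enctype (what RPCSEC_GSS wrap/unwrap uses)
    tkt: str        # enctype the ticket itself is encrypted with


def parse_klist(text: str) -> list[Ticket]:
    """Parse `klist -e` output (MIT format, assumed) into Ticket records."""
    tickets: list[Ticket] = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(
            ("Ticket cache", "Default principal", "Valid starting")
        ):
            continue
        m = ETYPE_RE.search(stripped)
        if m and current is not None:
            current.skey, current.tkt = m.group(1), m.group(2)
            continue
        # A ticket line ends with the service principal, which contains '@'.
        last = stripped.split()[-1]
        if "@" in last:
            current = Ticket(principal=last, skey="?", tkt="?")
            tickets.append(current)
    return tickets


def weak_session_keys(tickets, service_prefix="nfs/"):
    """Return (principal, skey, rfc) for tickets whose session key enctype is deprecated."""
    findings = []
    for t in tickets:
        if not t.principal.startswith(service_prefix):
            continue
        rfc = DEPRECATED_ENCTYPES.get(t.skey.lower())
        if rfc:
            findings.append((t.principal, t.skey, rfc))
    return findings


# Constructed sample klist -e output (not captured from a real system).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: peter@EXAMPLE.COM

Valid starting       Expires              Service principal
10/13/2018 00:10:00  10/13/2018 10:10:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/13/2018 00:11:00  10/13/2018 10:10:00  nfs/new.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/13/2018 00:12:00  10/13/2018 10:10:00  nfs/old.example.com@EXAMPLE.COM
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""


if __name__ == "__main__":
    for principal, skey, rfc in weak_session_keys(parse_klist(SAMPLE_KLIST)):
        print(f"{principal}: session key enctype {skey} is deprecated by {rfc}")
```

On a real client, replace SAMPLE_KLIST with the output of `klist -e` after the nfs/ mount has been touched; a ticket with an AES session key and a krb5p mount that works is direct evidence that the 8-byte DES restriction no longer applies. Note that the session key enctype is negotiated from what the KDC, the client and the service's keytab all support, so an unexpected DES session key usually points at an old keytab on the NFS server rather than at the client.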
More information about the freebsd-fs mailing list