NFSv4 Kerberos mount from Linux

Rick Macklem rmacklem at uoguelph.ca
Tue Oct 16 15:25:51 UTC 2018


I wrote:
>Benjamin Kaduk wrote:
>>I wrote:
>>>
>>> The one area you don't discuss (and maybe isn't really a problem?) is what
>>> ticket encryption type(s) you use.
>>> Kerberized NFS still uses DES (someday this may change, but I think that requires
>>> implementation of RPCSEC_GSS V3), so it needs an 8-byte session key.
In case my previous post wasn't clear, this appears to have already changed and
did not require implementation of RPCSEC_V2 or RPCSEC_GSS_v3.

>>
>>This isn't true anymore; you can use stronger session keys just fine.
>>(See also RFC 6649 -- don't use single-DES!)
>I haven't read RFC6649, but from looking at the kgssapi code in FreeBSD's
>head/current, it appears that newer encryption types are used for wrap/unwrap
>(krb5p).
>From what I can see, the following appear to be supported:
>DES, DES3, AES128, AES256, Arcfour, Arcfour_56
>(I'll have to look at RFC6649 someday, because I've never seen an RFC specifying
> anything but DES for RPCSEC_GSS.)
>I won't even try to guess whether all of the above work for all implementations,
>but it appears that it uses whatever the session key is (krb5_key_state?).
I just received a reply to a query on the nfsv4 at ietf.org mailing list and the set
of encryption types supported by Linux is the same as above except they do
not support Arcfour_56.
However, they are planning on deleting support for all encryption types
except for the AES ones.
As such, it sounds like you may need to configure Kerberos to only use those
to ensure interoperability in the future.

Hope this is useful and hasn't added to the confusion, rick
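
An added example, not part of the message above: one way to check whether a client's krb5.conf restricts Kerberos to the AES encryption types, as the message suggests doing for future interoperability. It assumes MIT krb5 syntax (the `permitted_enctypes`, `default_tkt_enctypes` and `default_tgs_enctypes` relations in `[libdefaults]`); the function name and both sample configurations are constructed for illustration.

```python
import re

# MIT krb5 [libdefaults] relations that hold encryption-type lists (assumed syntax).
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

def audit_enctypes(conf_text):
    """Return {relation: [entries that are not AES]} for [libdefaults].

    A relation that is not set falls back to the library default list,
    so it is reported as "<unset>".
    """
    seen, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            entries = [e for e in re.split(r"[,\s]+", value) if e]
            # "-name" removes a type from the list, so it cannot enable one.
            enabled = [e.lstrip("+") for e in entries if not e.startswith("-")]
            # Anything not named aes* (including the DEFAULT keyword) is flagged.
            seen[key] = [e for e in enabled if not e.lower().startswith("aes")]
    findings = {k: seen.get(k, ["<unset>"]) for k in ENCTYPE_KEYS}
    return {k: v for k, v in findings.items() if v}

# Constructed sample configurations (not taken from the thread).
MIXED = """
[libdefaults]
    default_realm = EXAMPLE.ORG
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, arcfour-hmac, des3-cbc-sha1
"""
AES_ONLY = """
[libdefaults]
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    print(audit_enctypes(MIXED))     # relations still allowing non-AES types
    print(audit_enctypes(AES_ONLY))  # empty dict: AES only
```

An empty result means every enctype relation is set and lists only AES types; the service principal's keys on the KDC and in the keytab need AES entries as well, which this check does not cover.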