AES support for RPCSEC_GSS?

AES support for RPCSEC_GSS?

[Quentin Godfroy]

Hi,

in all the faqs it is said that there is no working support for
anything else than DES which is a bit outdated and not secure
nowadays.

It seemed to me that there was some code in the nfs-utils which
would do some security negociation (somewhere around utils/gssd/krb5_util.c),
but the kernel had nothing to support that.

I suppose this will be the last thing to be done once the security features
are working with the three versions of NFS.

What are the missing features in this field, and would it be difficult to
add support for other encryption schemes?

Regards,
Quentin Godfroy

Re: AES support for RPCSEC_GSS?

[J. Bruce Fields]

On Tue, Feb 12, 2008 at 02:20:07AM +0100, Quentin Godfroy wrote:
> in all the faqs it is said that there is no working support for
> anything else than DES which is a bit outdated and not secure
> nowadays.
> 
> It seemed to me that there was some code in the nfs-utils which
> would do some security negociation (somewhere around utils/gssd/krb5_util.c),
> but the kernel had nothing to support that.
> 
> I suppose this will be the last thing to be done once the security features
> are working with the three versions of NFS.
> 
> What are the missing features in this field, and would it be difficult to
> add support for other encryption schemes?

Kevin Coffman is working on support for AES (and other algorithms).
It's mostly working at this point, so I think we'll be posting patches
soon.  Is there something in particular you need or want to work on?

--b.

Re: AES support for RPCSEC_GSS?

[Quentin Godfroy]

On Mon, Feb 11, 2008 at 11:37:15PM -0500, J. Bruce Fields wrote:
> > in all the faqs it is said that there is no working support for
> > anything else than DES which is a bit outdated and not secure
> > nowadays.
> > 
> > It seemed to me that there was some code in the nfs-utils which
> > would do some security negociation (somewhere around utils/gssd/krb5_util.c),
> > but the kernel had nothing to support that.
> > 
> > I suppose this will be the last thing to be done once the security features
> > are working with the three versions of NFS.
> > 
> > What are the missing features in this field, and would it be difficult to
> > add support for other encryption schemes?
> 
> Kevin Coffman is working on support for AES (and other algorithms).
> It's mostly working at this point, so I think we'll be posting patches
> soon.

I'll be glad to try it once it is available

>        Is there something in particular you need or want to work on?

No, not really. I find the current implementation sufficient for my needs.
Maybe the server not being IPv6 compatible is not pleasing to the mind.
Unfortunately my coding experience is low and probably the nfsd code is not
the easy way to start.

Re: AES support for RPCSEC_GSS?

[J. Bruce Fields]

On Wed, Feb 13, 2008 at 06:01:56PM +0100, Quentin Godfroy wrote:
> I'll be glad to try it once it is available
> 
> >        Is there something in particular you need or want to work on?
> 
> No, not really. I find the current implementation sufficient for my needs.
> Maybe the server not being IPv6 compatible is not pleasing to the mind.
> Unfortunately my coding experience is low and probably the nfsd code is not
> the easy way to start.

I *think* the ipv6 stuff is also on track to be done by 2.6.26 or
2.6.27, but I'm not the expert there....

--b.