linux-nfs.vger.kernel.org archive mirror
From: steve <steve@steve-ss.com>
To: linux-nfs@vger.kernel.org
Subject: NFS4 des and weak crypto
Date: Thu, 16 Feb 2012 10:48:07 +0100
Message-ID: <4F3CD0D7.8040402@steve-ss.com>

Hi
openSUSE 12.1

I'm trying to explain to our Windows admin that modern nfs isn't
restricted to DES.

Here is a Samba4 authenticated test setup.

I've removed the DES keys from the keytab on the nfs server:

klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ---------
    1 nfs/hh3.hh3.site@HH3.SITE (arcfour-hmac)
    1 HH3$@hh3.site (arcfour-hmac)

In /etc/krb5.conf, I comment out:
[libdefaults]
#allow_weak_crypto = true
It was never actually there. I've added it to help my argument ;)
hh3 is the server, hh6 is the client.

On hh6, root issues:
mount -t nfs4 hh3:/foo /bar -o sec=krb5
rpc.gssd -fvvv throws a fit, the KDC responds with,

Kerberos: ENC-TS Pre-authentication succeeded -- HH6$@HH3.SITE using 
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-02-06T19:44:47 starttime: unset endtime: 
2012-02-07T05:44:47 renew till: 2012-02-07T19:44:47
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, 
des-cbc-md5, des-cbc-md4, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ HH6$@HH3.SITE from ipv4:192.168.1.10:45421 for 
nfs/hh3.hh3.site@HH3.SITE [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-02-06T19:44:47 starttime: 
2012-02-06T19:44:47 endtime: 2012-02-07T05:44:47 renew till: 20

We can log on and request files via the mount.

Questions
Does this procedure prove that nfs can use other than DES crypto?
Is arcfour what an AD admin would consider strong encryption?

Thanks,
Steve
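
Added example, not part of the message above or of any project's code: a small Python audit that parses the `klist -ke` output and the mail-wrapped KDC log lines quoted in the message and reports which enctypes are held and which were used. The grouping into current and deprecated enctypes is this example's assumption, taken from RFC 6649 and RFC 8429 (the latter postdates this message); the function names are hypothetical.

```python
import re

# Sample input: lines quoted from the message above, embedded so this runs offline.
KLIST = """\
KVNO Principal
---- ---------
    1 nfs/hh3.hh3.site@HH3.SITE (arcfour-hmac)
    1 HH3$@hh3.site (arcfour-hmac)
"""
KDC_LOG = """\
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc,
des-cbc-md5, des-cbc-md4, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
"""

def classify(enctype):
    """Assumed grouping: RFC 6649 retired single DES and RC4-EXP, RFC 8429 retired 3DES and RC4."""
    e = enctype.lower()
    if e.startswith(("aes", "camellia")):
        return "current"
    if e.startswith("des-") or e.endswith("-exp"):
        return "deprecated-rfc6649"
    if e.startswith(("des3", "arcfour", "rc4")):
        return "deprecated-rfc8429"
    return "unknown"

def keytab_entries(klist_text):
    """Yield (principal, enctype, class) for each key line of `klist -ke` output."""
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\(([^)]+)\)\s*$", klist_text, re.M):
        yield m.group(1), m.group(2), classify(m.group(2))

def negotiations(log_text):
    """Return one dict per 'Client supported enctypes' log entry."""
    # The mail client wrapped the log; rejoin lines that do not start a new entry.
    joined = re.sub(r"\s*\n(?!Kerberos: )", " ", log_text)
    out = []
    for m in re.finditer(r"Client supported enctypes: (.*?), using (\S+)/(\S+)", joined):
        offered = [e.strip() for e in m.group(1).split(",")]
        used = sorted({m.group(2), m.group(3)})
        # Flag entries where a current enctype was offered but none was used.
        unused = (any(classify(e) == "current" for e in offered)
                  and not any(classify(e) == "current" for e in used))
        out.append({"offered": offered, "used": used, "stronger_offered_unused": unused})
    return out

if __name__ == "__main__":
    print(list(keytab_entries(KLIST)))
    print(negotiations(KDC_LOG))
```

On the quoted log this reports that the client offered AES enctypes while both enctypes the KDC logged as used were arcfour-hmac-md5.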

