Re: LINUX NFS support for SHA256 hash types

Hi Chuck,

Many thanks for your confirmation. It helped me a lot.

BR,
Jaganmohan K

On Thu, 29 Sept 2022 at 21:48, Chuck Lever III <chuck.lever@xxxxxxxxxx> wrote:
>
>
>
> > On Sep 28, 2022, at 8:04 AM, jaganmohan kanakala <jaganmohan.kanakala@xxxxxxxxx> wrote:
> >
> > Hi Linux-NFS team,
> >
> > I'm trying to set up the Kerberos5 setup with MIT as the KDC on my
> > RHEL 8 machines.
> > I'm able to get the setup working with Kerberos encryption types where
> > the hash type is SHA1 (aes128-cts-hmac-sha1-96 and
> > aes256-cts-hmac-sha1-96).
> >
> > As SHA1 is kind of obsolete, my goal is to get my setup working for
> > SHA256 hash types (aes128-cts-hmac-sha256-128,
> > aes256-cts-hmac-sha384-192).
> >
> > I tried that. The communication between the Linux client and MIT KDC
> > is aes128-cts-hmac-sha256-128, but the communication between the Linux
> > client and Linux NFS server is only aes256-cts-hmac-sha1-96.
> >
> > When I checked the Linux upstream code I see that there is no support
> > for SHA256 (and above) hash types.
> >
> > https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/net/sunrpc/auth_gss/gss_krb5_mech.c
> >
> > Have I looked at the right source code?
> > Does the latest Linux NFS server have support for Kerberos encryption
> > types aes128-cts-hmac-sha256-128, aes256-cts-hmac-sha384-192?
> >
> > Can anyone confirm?
>
> As far as I know, the Linux in-kernel SunRPC RPCSEC GSS implementation
> does not support the new encryption types defined in RFC 8009. That
> means neither the in-kernel client nor server support these types at
> this time.
>
> I'm not aware of plans to implement support for these. Cc'ing the
> crypto mailing list to see if others are considering it.
>
>
> --
> Chuck Lever
>
>
>
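
Added example, not part of the thread and not kernel or nfs-utils code: a check for whether the running kernel's RPCSEC GSS layer advertises the RFC 8009 encryption types discussed above. It assumes the kernel exposes its comma-separated enctype list at /proc/net/rpc/gss_krb5_enctypes and falls back to a constructed sample list when that file is not readable; the function names are hypothetical.

```python
# Added example: audit the kernel's advertised Kerberos enctypes for RFC 8009 support.
# Enctype numbers are the IANA Kerberos assignments for the names used in the thread.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",  # RFC 8009
    20: "aes256-cts-hmac-sha384-192",  # RFC 8009
}
RFC8009 = (19, 20)
SHA1_AES = (17, 18)
# Assumption: path where the kernel publishes its list on the running system.
PROC_PATH = "/proc/net/rpc/gss_krb5_enctypes"
# Constructed sample input, used only when PROC_PATH cannot be read.
SAMPLE = "18,17,16,23,3,1,2\n"


def parse_enctypes(text):
    """Parse a comma-separated list of enctype numbers, keeping preference order."""
    seen = []
    for tok in text.replace("\n", ",").split(","):
        tok = tok.strip()
        if not tok:
            continue  # tolerate empty fields and the trailing newline
        if not tok.isdigit():
            raise ValueError("not an enctype number: %r" % tok)
        num = int(tok)
        if num not in seen:
            seen.append(num)
    return seen


def audit(text):
    """Report which RFC 8009 types are advertised and what SHA-1 AES types remain."""
    supported = parse_enctypes(text)
    return {
        "supported": [ENCTYPE_NAMES.get(n, "enctype-%d" % n) for n in supported],
        "rfc8009_present": [n for n in RFC8009 if n in supported],
        "rfc8009_missing": [n for n in RFC8009 if n not in supported],
        "sha1_fallback": [ENCTYPE_NAMES[n] for n in supported if n in SHA1_AES],
    }


if __name__ == "__main__":
    try:
        with open(PROC_PATH) as fh:
            source, text = PROC_PATH, fh.read()
    except OSError:
        source, text = "constructed sample", SAMPLE
    print(source, audit(text))
```

A non-empty `rfc8009_missing` alongside a non-empty `sha1_fallback` matches the situation described in the thread: the KDC exchange can use a SHA-2 type while the NFS traffic stays on a SHA-1 AES type.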


