Re: NFS4 des and weak crypto

On Thu, Feb 16, 2012 at 9:24 AM, Andy Adamson <androsadamson@xxxxxxxxx> wrote:
> On Thu, Feb 16, 2012 at 4:48 AM, steve <steve@xxxxxxxxxxxx> wrote:
>> Hi
>> openSUSE 12.1
>>
>> I'm trying to explain to our windows admin that modern nfs isn't restricted
>> to DES.
>>
>> Here is a Samba4 authenticated test setup.
>>
>> I've removed the DES keys from the keytab on the nfs server:
>>
>> klist -ke /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- ---------
>>   1 nfs/hh3.hh3.site@xxxxxxxx (arcfour-hmac)
>>   1 HH3$@hh3.site (arcfour-hmac)
>>
>> In /etc/krb5.conf, I comment out:
>> [libdefaults]
>> #allow_weak_crypto = true
>> It was never actually there. I've added it to help my argument;)
>> hh3 is the server, hh6 is the client.
>>
>> On hh6, root issues:
>> mount -t nfs4 hh3:/foo /bar -o sec=krb5
>> rpc.gssd -fvvv throws a fit, the KDC responds with,
>>
>> Kerberos: ENC-TS Pre-authentication succeeded -- HH6$@HH3.SITE using
>> arcfour-hmac-md5
>> Kerberos: AS-REQ authtime: 2012-02-06T19:44:47 starttime: unset endtime:
>> 2012-02-07T05:44:47 renew till: 2012-02-07T19:44:47
>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
>> aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc,
>> des-cbc-md5, des-cbc-md4, using arcfour-hmac-md5/arcfour-hmac-md5
>> Kerberos: Requested flags: renewable-ok
>> Kerberos: TGS-REQ HH6$@HH3.SITE from ipv4:192.168.1.10:45421 for
>> nfs/hh3.hh3.site@xxxxxxxx [canonicalize, renewable]
>> Kerberos: TGS-REQ authtime: 2012-02-06T19:44:47 starttime:
>> 2012-02-06T19:44:47 endtime: 2012-02-07T05:44:47 renew till: 20
>>
>> we can logon and request files via the mount.
>>
>> Questions
>> Does this procedure prove that nfs can use other than DES crypto?
>> Is arcfour what an AD admin would consider strong encryption?

As Andy said, modern Linux NFS supports all those "Client supported enctypes".

Re: strong encryption for AD.  What version of Windows AD?  If it is
Windows 2003, then yes, I think arcfour would be considered strong.
If it is Windows 2008 or later, AES is supported and is stronger.
(Windows has never supported DES3).

K.C.
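
Added example (not part of the original message, and not code from the NFS or Kerberos projects): a small Python parser for the `klist -ke` listing and the KDC log line quoted in the thread. It flags keytab entries that are single DES, the enctypes gated by allow_weak_crypto, and reports the enctype pair the KDC logged after "using". The sample input, the EXAMPLE.SITE realm and all function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the klist -ke output quoted in the thread.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ---------
   1 nfs/hh3.hh3.site@EXAMPLE.SITE (arcfour-hmac)
   1 nfs/hh3.hh3.site@EXAMPLE.SITE (des-cbc-md5)
   2 nfs/hh3.hh3.site@EXAMPLE.SITE (aes256-cts-hmac-sha1-96)
"""

# Constructed KDC log line in the format quoted in the thread.
SAMPLE_KDC = ("Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, "
              "arcfour-hmac-md5, des-cbc-crc, using arcfour-hmac-md5/arcfour-hmac-md5")

# One keytab row: KVNO, principal, "(enctype)".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def classify(enctype):
    """Map an enctype name to a family: single-des, des3, rc4, aes or unknown."""
    name = enctype.lower().split(":")[-1].strip()  # tolerate a "LABEL:" prefix
    if name.startswith("des-"):        # des-cbc-crc, des-cbc-md5, des-cbc-md4
        return "single-des"
    if name.startswith("des3"):
        return "des3"
    if name.startswith(("arcfour", "rc4")):
        return "rc4"
    if name.startswith("aes"):
        return "aes"
    return "unknown"

def audit_keytab(klist_output):
    """Return one dict per keytab row; header lines do not match ENTRY."""
    rows = []
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            rows.append({"kvno": int(kvno), "principal": principal,
                         "enctype": enctype, "family": classify(enctype)})
    return rows

def single_des_entries(klist_output):
    """Rows that only work when allow_weak_crypto is enabled."""
    return [(r["principal"], r["enctype"]) for r in audit_keytab(klist_output)
            if r["family"] == "single-des"]

def negotiated(kdc_line):
    """Return the enctype pair the KDC logged after 'using', or None."""
    m = re.search(r"using (\S+)/(\S+)", kdc_line)
    return m.groups() if m else None
```

An empty result from single_des_entries() on the server's real `klist -ke` output, together with negotiated() returning a non-DES pair, is the evidence the original question was after.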