Hi Chuck, Many thanks for your confirmation. It helped me a lot. BR, Jaganmohan K On Thu, 29 Sept 2022 at 21:48, Chuck Lever III <chuck.lever@xxxxxxxxxx> wrote: > > > > > On Sep 28, 2022, at 8:04 AM, jaganmohan kanakala <jaganmohan.kanakala@xxxxxxxxx> wrote: > > > > Hi Linux-NFS team, > > > > I'm trying to set up the Kerberos5 setup with MIT as the KDC on my > > RHEL 8 machines. > > I'm able to get the setup working with Kerberos encryption types where > > the hash type is SHA1 (aes128-cts-hmac-sha1-96 and > > aes256-cts-hmac-sha1-96). > > > > As SHA1 is kind of obsolete, my goal is to get my setup working for > > SHA256 hash types (aes128-cts-hmac-sha256-128, > > aes256-cts-hmac-sha384-192). > > > > I tried that. The communication between the Linux client and MIT KDC > > is aes128-cts-hmac-sha256-128, but the communication between the Linux > > client and Linux NFS server is only aes256-cts-hmac-sha1-96. > > > > When I checked the Linux upstream code I see that there is no support > > for SHA256 (and above) hash types. > > > > https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5c4c173d3639d4772966/net/sunrpc/auth_gss/gss_krb5_mech.c > > > > Have I looked at the right source code? > > Does the latest Linux NFS server has support for kerberos encryption > > types aes128-cts-hmac-sha256-128, aes256-cts-hmac-sha384-192 ? > > > > Can anyone confirm? > > As far as I know, the Linux in-kernel SunRPC RPCSEC GSS implementation > does not support the new encryption types defined in RFC 8009. That > means neither the in-kernel client or server support these types at > this time. > > I'm not aware of plans to implement support for these. Cc'ing the > crypto mailing list to see if others are considering it. > > > -- > Chuck Lever > > >
