[31624] in Kerberos
Re: stronger ciphers support for NFS on RHEL5 (Secure NFS under Red
daemon@ATHENA.MIT.EDU (Kevin Coffman)
Wed Oct 28 18:23:12 2009
MIME-Version: 1.0
In-Reply-To: <4AE8B8BD.8000306@aldan.algebra.com>
Date: Wed, 28 Oct 2009 18:22:34 -0400
Message-ID: <4d569c330910281522wcc0dfddt2d69a106c51a2496@mail.gmail.com>
From: Kevin Coffman <kwc@citi.umich.edu>
To: "Mikhail T." <mi+thun@aldan.algebra.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Wed, Oct 28, 2009 at 5:33 PM, Mikhail T. <mi+thun@aldan.algebra.com> wrote:
> Hello!
>
> The message at
>
> http://mailman.mit.edu/pipermail/kerberos/2008-March/013398.html
>
> warns about using anything but des-cbc-crc for NFS-access on Linux, but
> ends with:
>
> RHEL 5 has MIT 1.6, so the problem shouldn't exist there.
>
>
> I'm currently struggling to make the KRB5-secured NFS-mounts work
> between RHEL-5.4 client and a Solaris-8 server. The mounts succeed:
>
> apdevl:/krbexport on /mnt type nfs (rw,intr,sec=krb5,addr=x.x.x.x)
>
> but any attempt to access the mounted share (/mnt) is denied. All such
> attempts also result in the following messages logged by rpc.gssd on the
> client:
>
> WARNING: Failed to create krb5 context for user with uid 18039 for
> server apdevl.dev.pathfinder.com
>
> Am I right in thinking the problem is due to des-cbc-crc being disabled
> realm-wide here? (The DES cipher is deemed too insecure by the network
> admins.) Should I still have this problem -- despite running RHEL-5.4?
> Any chance support for stronger ciphers was added to Linux NFS-clients
> since RHEL-5.4 was released?
>
> Thanks a lot! Yours,
>
> -mi
Yes, if des-cbc-crc is disabled realm-wide then I think you will have
problems with Linux NFS. This is not a Kerberos problem.
The "problem" I was referring to with the note "RHEL 5 has MIT 1.6,
so the problem shouldn't exist there." was the necessity of limiting
all applications on the client to des-cbc-crc by specifying
"default_tgs_enctypes = des-cbc-crc" in /etc/krb5.conf. There is no
need to do this for RHEL 5 machines since Linux's rpc.gssd and
Kerberos have the code to limit the negotiation to only des-cbc-crc
for NFS.
Unfortunately, the code to support stronger ciphers has not made it
into the Linux kernel yet, and I don't have any idea when it will
finally make it in.
Let me know if you have other questions...
K.C.
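The reply above describes the older workaround of pinning every application on a client to des-cbc-crc via "default_tgs_enctypes" in /etc/krb5.conf, which RHEL 5 no longer needs because rpc.gssd limits only the NFS negotiation. The script below is an added example, not code from the list post or from the MIT Kerberos or Linux NFS projects: it parses a krb5.conf and reports any [libdefaults] enctype list that is made up solely of single-DES enctypes, so an administrator can find hosts still carrying that host-wide pin. The two sample configurations and the realm EXAMPLE.COM are constructed for this example; the DES enctype names are the ones MIT krb5 recognises.

```python
"""Flag krb5.conf [libdefaults] enctype lists that pin every application
on the host to single-DES (added example; sample configs are constructed)."""
import re

# Single-DES enctype names as spelled in MIT krb5 configuration files.
DES_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw",
    "des-hmac-sha1", "des",
}
# [libdefaults] keys whose values are space-separated enctype lists.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes")


def parse_krb5_conf(text):
    """Return {section: {key: value}} for top-level key = value lines.

    Brace-delimited relation blocks (e.g. a realm stanza under [realms])
    are skipped: only host-wide [libdefaults] settings matter here.
    Comment lines start with '#' or ';'.
    """
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or current is None:
            continue                      # inside a relation block, or no section yet
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_enctypes(text):
    """Return [(key, [enctypes...])] for each [libdefaults] enctype list
    that contains nothing but single-DES enctypes (a host-wide DES pin).
    A mixed list such as 'aes256-cts des-cbc-crc' is not reported."""
    findings = []
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            continue
        enctypes = libdefaults[key].lower().split()
        if enctypes and all(e in DES_ENCTYPES for e in enctypes):
            findings.append((key, enctypes))
    return findings


# Constructed sample: the old host-wide workaround the post describes.
PINNED_TO_DES = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = des-cbc-crc
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        # realm-scoped setting inside a relation block: ignored here
        default_tgs_enctypes = aes256-cts
    }
"""

# Constructed sample: no enctype pin, negotiation left to the libraries.
NO_PIN = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
"""

if __name__ == "__main__":
    for name, conf in (("pinned", PINNED_TO_DES), ("unpinned", NO_PIN)):
        found = check_enctypes(conf)
        print(name, "->", found if found else "no host-wide DES pin")
```

Run it as-is to see the constructed samples classified, or replace the sample strings with the contents of /etc/krb5.conf read from disk. The parser deliberately ignores settings inside realm stanzas because the post's concern is the host-wide [libdefaults] pin that affects every Kerberos application, not just NFS.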
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos