stronger ciphers support for NFS on RHEL5 (Secure NFS under Red Hat Enterprise Linux 4)

Post by Mikhail T » Fri, 30 Oct 2009 06:33:49


Hello!

The message at

http://www.yqcomputer.com/

warns about using anything but des-cbc-crc for NFS-access on Linux, but
ends with:

RHEL 5 has MIT 1.6, so the problem shouldn't exist there.


I'm currently struggling to make the KRB5-secured NFS-mounts work
between RHEL-5.4 client and a Solaris-8 server. The mounts succeed:

apdevl:/krbexport on /mnt type nfs (rw,intr,sec=krb5,addr=x.x.x.x)

but any attempt to access the mounted share (/mnt) is denied. All such
attempts also result in the following messages logged by rpc.gssd on the
client:

WARNING: Failed to create krb5 context for user with uid 18039 for
server apdevl.dev.pathfinder.com

Am I right thinking, the problem is due to des-cbc-crc being disabled
realm-wide here? (The DES cipher is deemed too insecure by the network
admins.) Should I still have this problem -- despite running RHEL-5.4?
Any chance, support for stronger ciphers was added to Linux NFS-clients
since RHEL-5.4 was released?

Thanks a lot! Yours,

-mi
 
 
 

Post by Kevin Coff » Fri, 30 Oct 2009 07:22:34


> http://mailman.mit.edu/pipermail/kerberos/2008-March/013398.html
>
> warns about using anything but des-cbc-crc for NFS-access on Linux, but
> ends with:
>
> RHEL 5 has MIT 1.6, so the problem shouldn't exist there.
>
> I'm currently struggling to make the KRB5-secured NFS-mounts work
> between RHEL-5.4 client and a Solaris-8 server. The mounts succeed:
>
> apdevl:/krbexport on /mnt type nfs (rw,intr,sec=krb5,addr=x.x.x.x)
>
> but any attempt to access the mounted share (/mnt) is denied. All such
> attempts also result in the following messages logged by rpc.gssd on the
> client:
>
> WARNING: Failed to create krb5 context for user with uid 18039 for
> server apdevl.dev.pathfinder.com
>
> Am I right thinking, the problem is due to des-cbc-crc being disabled
> realm-wide here? (The DES cipher is deemed too insecure by the network
> admins.) Should I still have this problem -- despite running RHEL-5.4?
> Any chance, support for stronger ciphers was added to Linux NFS-clients
> since RHEL-5.4 was released?
>
> Thanks a lot! Yours,
>
> -mi

Yes, if des-cbc-crc is disabled realm-wide then I think you will have
problems with Linux NFS. This is not a Kerberos problem.

The "problem" I was referring to with the note, "RHEL 5 has MIT 1.6,
so the problem shouldn't exist there.", was the necessity of limiting
all applications on the client to des-cbc-crc by specifying
"default_tgs_enctypes = des-cbc-crc" in /etc/krb5.conf. There is no
need to do this for RHEL 5 machines since Linux's rpc.gssd and
Kerberos have the code to limit the negotiation to only des-cbc-crc
for NFS.

Unfortunately, the code to support stronger ciphers has not made it
into the Linux kernel yet, and I don't have any idea when it will
finally make it in.

Let me know if you have other questions...

K.C.
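
A check for the client-wide workaround mentioned in the reply above, as an added example that is not from either poster: it scans krb5.conf text for `[libdefaults]` enctype lists that are pinned to single DES or still permit it. The sample file, the realm name and the function names are constructed for illustration.

```python
import re

# Single-DES enctype names (the thread's des-cbc-crc plus its DES siblings).
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample: a client still carrying the legacy NFS workaround.
SAMPLE = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 # legacy NFS workaround
 default_tgs_enctypes = des-cbc-crc
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
 }
"""

def libdefaults_enctypes(text):
    """Return {key: [enctypes]} for the enctype lists set in [libdefaults]."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                # enctype lists are separated by whitespace and/or commas
                found[key] = re.split(r"[,\s]+", value.lower())
    return found

def audit(text):
    """Return (key, 'des-only' | 'des-allowed', weak_enctypes) findings."""
    findings = []
    for key, types in libdefaults_enctypes(text).items():
        weak = [t for t in types if t in WEAK]
        if weak:
            kind = "des-only" if len(weak) == len(types) else "des-allowed"
            findings.append((key, kind, weak))
    return findings

if __name__ == "__main__":
    for key, kind, weak in audit(SAMPLE):
        print(f"{key}: {kind} ({', '.join(weak)})")
```

A `des-only` finding on `default_tgs_enctypes` is the setting the reply says is not needed on RHEL 5, and it limits every Kerberos application on that client to DES, not just NFS.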