Secure NFS under Red Hat Enterprise Linux 4

Paul B. Henson henson at acm.org
Fri Mar 21 22:45:01 EDT 2008


I am trying to get secure NFS with Kerberos authentication working under
RHEL 4. Evidently the Linux secure RPC implementation only supports DES
encryption, not 3DES. On more recent Linux implementations, rpc.gssd
requests the appropriate encryption type for the session key, and things
just work. However, Red Hat 4 ships with older pieces, and rpc.gssd
retrieves a 3DES key, and the attempted mount simply wedges.

The only way I've found to resolve this is to add the following to the
krb5.conf file:

[libdefaults]
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc


However, this results in the crippling of all Kerberos encryption to DES,
even for those applications capable of 3DES, which seems undesirable.

In addition, this configuration breaks logging in via secure shell with
ticket forwarding if your TGT is 3DES. The authentication and ticket
forwarding succeed, but then any attempt to gain further Kerberos tickets
with the forwarded TGT fails with an error such as "no credentials found
with supported encryption types".

So I have two questions:

Is there any way to get rpc.gssd to request DES session keys without
crippling the entire system's encryption level?

If not, is there any way to get the system to support a 3DES TGT forwarded
from another system with encryption types limited as listed above in
krb5.conf?


Thanks much...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
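
An added example, not part of the original message: a Python check that flags a krb5.conf whose [libdefaults] enctype lists are limited to single DES, as in the workaround above, and reports when a TGT of a given enctype falls outside default_tgs_enctypes. The function names and the TGT-matching rule are assumptions made for illustration.

```python
# Added example: audit krb5.conf for the DES-only workaround described above.
import re

# Single-DES enctype names recognised by MIT krb5 ("des" is the family alias).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def libdefaults_enctypes(conf_text):
    """Return {setting: [enctype, ...]} for enctype lists set in [libdefaults]."""
    section, settings = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                settings[key] = [e.lower() for e in re.split(r"[\s,]+", value) if e]
    return settings

def audit(conf_text, tgt_enctype=None):
    """Return findings: DES-only settings and, optionally, an unusable TGT."""
    settings = libdefaults_enctypes(conf_text)
    findings = []
    for key, enctypes in settings.items():
        if enctypes and all(e in SINGLE_DES for e in enctypes):
            findings.append(f"{key}: limited to single DES ({' '.join(enctypes)})")
    # Assumption: a TGT is usable only if its session key enctype is listed in
    # default_tgs_enctypes, which models the forwarded-ticket failure above.
    # Names are compared literally after lowercasing; aliases are not resolved.
    allowed = settings.get("default_tgs_enctypes")
    if tgt_enctype and allowed and tgt_enctype.lower() not in allowed:
        findings.append(f"TGT enctype {tgt_enctype} not in default_tgs_enctypes")
    return findings

# Constructed sample input: the [libdefaults] stanza quoted in the message.
SAMPLE = """
[libdefaults]
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, tgt_enctype="des3-cbc-sha1"):
        print(finding)
```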


