Secure NFS under Red Hat Enterprise Linux 4

Paul B. Henson henson at acm.org
Mon Mar 24 18:58:54 EDT 2008


On Mon, 24 Mar 2008, Kevin Coffman wrote:

> choices are (1) to limit other NFS servers to using only des, (i.e.
> creating your Solaris NFS server's keytab with only a des key, even
> though they may be able to do better), or (2) limiting all the Kerberos
> applications on your RHEL 4 Linux clients to des by using
> "default_tgs_enctypes = des-cbc-crc".

I was about ready to live with option 2, but then ran into the problem
where logging in with a forwarded TGT from a non-crippled system is broken.
There doesn't happen to be any option that would tell the local Kerberos
library something like "Only use DES when getting tickets, but if you
happen to find a 3DES TGT already around, feel free to use it to get DES
tickets"?

> RHEL 5 has MIT 1.6, so the problem shouldn't exist there.

Cool, I'm downloading the DVD now to try it out. I'm pretty sure Oracle
supports RHEL 5, our other evil binary blackbox is Blackboard, which when
we installed it only officially supported RHEL 3 8-/.

> BTW, I'm finishing up Linux kernel patches to support the other
> enctypes, but as you noted, you won't be seeing those in a RHEL kernel
> for a while.

Sweet, I look forward to seeing them. We only run RHEL when we have to,
most of our systems run Gentoo (which can occasionally drift over to the
opposite side of the "stale" scale and be a bit bleeding edge :) )...

Thanks much...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768


