From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk
CC: Peter Eriksson, Felix Winterhalter, freebsd-fs@freebsd.org
Subject: Re: NFSv4 Kerberos mount from Linux
Date: Sat, 13 Oct 2018 00:44:32 +0000
In-Reply-To: <20181012033145.GC3293@kduck.kaduk.org>
Benjamin Kaduk wrote:
> I wrote:
>> The one area you don't discuss (and maybe isn't really a problem?) is what
>> ticket encryption type(s) you use.
>> Kerberized NFS still uses DES (someday this may change, but I think that requires
>> implementation of RPCSEC_GSS V3), so it needs an 8-byte session key.
>
> This isn't true anymore; you can use stronger session keys just fine.
> (See also RFC 6649 -- don't use single-DES!)

I haven't read RFC 6649, but from looking at the kgssapi code in FreeBSD's
head/current, it appears that newer encryption types are used for wrap/unwrap
(krb5p).
From what I can see, the following appear to be supported:
DES, DES3, AES128, AES256, Arcfour, Arcfour_56
(I'll have to look at RFC 6649 someday, because I've never seen an RFC specifying
anything but DES for RPCSEC_GSS.)

I won't even try to guess whether all of the above work for all implementations,
but it appears that it uses whatever the session key is (krb5_key_state?).

Peter, do you happen to know what encryption type(s) you have been using?

>> (I have never seen a documented way to convert a session key of greater than
>> 8 bytes into an 8-byte session key for RPCSEC_GSS to use. As such, I have no idea
>> what happens if you choose a ticket encryption type that results in a greater
>> than 8-byte key.)

Ignore this. I just wasn't correct.

rick

[good stuff snipped]
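The practical check that follows from this exchange is to look at which enctype the KDC actually handed out as the session key for the nfs/ service ticket, since that is the key RPCSEC_GSS uses for wrap/unwrap. The script below is an added example by the editor, not FreeBSD kgssapi code; it assumes MIT `klist -e` output format (the `Etype (skey, tkt):` lines) and, beyond the thread's RFC 6649, also flags triple-DES and RC4-HMAC as deprecated by RFC 8429.

```python
import re

# Deprecated enctypes and the RFC deprecating them: single-DES and RC4-HMAC-EXP
# (the 56-bit "Arcfour_56") by RFC 6649; triple-DES and RC4-HMAC by RFC 8429
# (RFC 8429 is added here by the editor; the thread cites only RFC 6649).
DEPRECATED = {
    "des-cbc-crc": "RFC 6649", "des-cbc-md4": "RFC 6649", "des-cbc-md5": "RFC 6649",
    "arcfour-hmac-exp": "RFC 6649",
    "des3-cbc-sha1": "RFC 8429", "arcfour-hmac": "RFC 8429",
}
# The AES enctypes from the list the thread says kgssapi appears to support.
ACCEPTABLE = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
# MIT `klist -e` prints "Etype (skey, tkt): <session key>, <ticket key>" per ticket.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (?P<skey>[\w-]+), (?P<tkt>[\w-]+)")


def classify(enctype):
    """Return (verdict, reason) for one enctype name."""
    if enctype in ACCEPTABLE:
        return "ok", "AES session key"
    if enctype in DEPRECATED:
        return "deprecated", "deprecated by " + DEPRECATED[enctype]
    return "unknown", "not in the enctype list kgssapi appears to support"


def audit_klist(text):
    """Return one dict per ticket in klist -e output, judged on its session key
    (skey), since RPCSEC_GSS uses the session key for wrap/unwrap."""
    results, service = [], None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 5 and "@" in tokens[-1]:  # ticket line: dates + principal
            service = tokens[-1]
        m = ETYPE_RE.search(line)
        if m and service:
            verdict, reason = classify(m.group("skey"))
            results.append({"service": service, "skey": m.group("skey"),
                            "tkt": m.group("tkt"), "verdict": verdict, "reason": reason})
            service = None
    return results


# Constructed sample in MIT klist -e format (not real output from any host).
SAMPLE = """\
Valid starting       Expires              Service principal
10/12/18 20:00:00  10/13/18 06:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/12/18 20:00:05  10/13/18 06:00:00  nfs/fileserver.example.org@EXAMPLE.ORG
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""
```

Feed it the real output of `klist -e` on the NFS client; a DES or RC4 session key on the nfs/ ticket means the mount is negotiating a weak key even if the ticket itself was issued under AES.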