kerberos - What cipher is used on encrypted NFS?
For securing NFS (Network File System), the mount option krb5p can be used to encrypt traffic between the file server and the NFS client. Authentication and key exchange are based on Kerberos. Here is an example of how to configure this on Debian: https://wiki.debian.org/nfs/kerberos

Unfortunately, there seems to be no way to configure the cipher used for this transport encryption. What cipher is used, and how can this be configured, selected, or enforced?

Without having used NFSv4 with Kerberos, but having used it in many other places, you are referring to confidentiality provided by GSS-API through Kerberos, which is implemented with gss_wrap(3)/gss_unwrap(3). It provides a quality of protection parameter, but I am quite sure NFSv4 will leave it null => at the discretion of the mechanism.

Anyway, given that GSS-API abstracts from the mechanism, you have no choice, but you can still do something about it. Enable in your KDC at least RC4, at best AES128 and AES256. Implementations will use the best available cipher. You can scan the traffic between the client and the TGS (TGS-REQ, TGS-REP), and between the client and the server (NFS), to see which encryption type has been negotiated, and this will highly likely be used for wrapping/unwrapping. You can read the RFCs as I did, but it takes a lot of time to understand them.

Hope this helps. Of course, I could be wrong about NFSv4 internals.

I just did some digging, and I am quite sure my analysis is correct. RFC 7530, chapter 3.2.1 talks about Kerberos 5 mandatory privacy for krb5p with AES along with HMAC-SHA1. Further reading leads to RFC 2203 (RPCSEC_GSS spec), which talks about gss_wrap/gss_unwrap.
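
The answer suggests looking at which encryption type was negotiated for the NFS service. As an added example (not part of the original question or answer), this Python script reads the enctypes from `klist -e` output instead of a packet capture and flags `nfs/` service tickets whose session key is not AES. It assumes the MIT Kerberos `klist -e` output format and that the session key enctype reflects what protects krb5p traffic; the function names are hypothetical and the sample output is constructed.

```python
import re

# Enctype name prefixes as printed by MIT Kerberos; treated as acceptable here.
AES_PREFIXES = ("aes128-cts", "aes256-cts")

# Constructed sample of `klist -e` output (not captured from a real system).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/01/2024 10:05:00  01/01/2024 20:00:00  nfs/files.example.com@EXAMPLE.COM
\trenew until 01/08/2024 10:00:00, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
01/01/2024 10:06:00  01/01/2024 20:00:00  nfs/backup.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

# A ticket line: start date/time, expiry date/time, service principal.
TICKET_RE = re.compile(r"^\d\d/\d\d/\d{2,4} \S+\s+\d\d/\d\d/\d{2,4} \S+\s+(\S+)$")
# The enctype line that follows it: session key enctype, then ticket enctype.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (\S+), (\S+)")

def nfs_ticket_enctypes(klist_output):
    """Return [(principal, session_key_etype, ticket_etype)] for nfs/ tickets."""
    results, current = [], None
    for line in klist_output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            continue
        e = ETYPE_RE.search(line)
        if e and current and current.startswith("nfs/"):
            results.append((current, e.group(1), e.group(2)))
            current = None
    return results

def non_aes_session_keys(klist_output):
    """List nfs/ principals whose session key is not an AES enctype."""
    return [p for p, skey, _ in nfs_ticket_enctypes(klist_output)
            if not skey.startswith(AES_PREFIXES)]

if __name__ == "__main__":
    for principal, skey, tkt in nfs_ticket_enctypes(SAMPLE_KLIST):
        print(f"{principal}: session key {skey}, ticket {tkt}")
    print("non-AES session keys:", non_aes_session_keys(SAMPLE_KLIST))
```

On a real client, the input would be the output of `klist -e` run after the krb5p mount has obtained its service ticket.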