Bug 2178741
| Summary: | Feature requests: SUNRPC add support for modern ciphers described by RFC8009 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Olga Kornieskaia <kolga> |
| Component: | kernel | Assignee: | Scott Mayhew <smayhew> |
| kernel sub component: | NFS | QA Contact: | Yongcheng Yang <yoyang> |
| Status: | VERIFIED --- | Docs Contact: | |
| Severity: | unspecified | ||
| Priority: | unspecified | CC: | jiyin, smayhew, xzhou, yieli, yoyang |
| Version: | 9.3 | Keywords: | FutureFeature, Triaged |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | kernel-5.14.0-306.el9 | Doc Type: | Enhancement |
| Last Closed: | Type: | Bug | |
Description
Olga Kornieskaia
2023-03-15 17:42:18 UTC
Have verified that NFS with Kerberos can now work with camellia128-cts-cmac/camellia256-cts-cmac.

E.g.
https://beaker.engineering.redhat.com/jobs/7810883
https://beaker.engineering.redhat.com/jobs/7810999

```
[21:34:46 root@ ~~]# cat /proc/fs/nfsd/supported_krb5_enctypes
20,19,26,25,18,17
{Info} 20 - the NFS server supports encryption aes256-cts-hmac-sha384-192
{Info} 19 - the NFS server supports encryption aes128-cts-hmac-sha256-128
{Info} 26 - the NFS server supports encryption camellia256-cts-cmac
{Info} 25 - the NFS server supports encryption camellia128-cts-cmac
{Info} 18 - the NFS server supports encryption aes256-cts-hmac-sha1-96
{Info} 17 - the NFS server supports encryption aes128-cts-hmac-sha1-96
[21:34:47 root@ ~~]# klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kvm-04-guest17.lab.eng.rdu2.redhat.com (camellia256-cts-cmac)
   2 nfs/kvm-04-guest17.lab.eng.rdu2.redhat.com (camellia256-cts-cmac)
   2 cifs/kvm-04-guest17.lab.eng.rdu2.redhat.com (camellia256-cts-cmac)
[21:34:47 root@ ~~]# mount -t nfs -o sec=krb5 kvm-04-guest17.lab.eng.rdu2.redhat.com:/exportDir-krb5-crypto /mnt/nfsmp-krb5-crypto
[21:34:47 root@ ~~]# nfsstat -m
/mnt/nfsmp-krb5-crypto from kvm-04-guest17.lab.eng.rdu2.redhat.com:/exportDir-krb5-crypto
 Flags: rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp6,timeo=600,retrans=2,sec=krb5,clientaddr=2620:52:0:800:216:3eff:fe34:33c9,local_lock=none,addr=2620:52:0:800:216:3eff:fe34:33c9
[21:34:48 root@ ~~]# umount /mnt/nfsmp-krb5-crypto
```

But camellia128/camellia256 with FIPS enabled failed. Maybe that's as expected, but I need to get some docs later.

https://beaker.engineering.redhat.com/jobs/7810741
https://beaker.engineering.redhat.com/jobs/7810665

```
add_principal: Cryptosystem internal error while creating "root/admin".
```

P.S. aes256-cts-hmac-sha1-96/aes128-cts-hmac-sha1-96 can work with FIPS enabled:
https://beaker.engineering.redhat.com/jobs/7810633
https://beaker.engineering.redhat.com/jobs/7810701

(In reply to Yongcheng Yang from comment #15)
...
> But camellia128/camellia256 with FIPS enabled failed. Maybe that's as
> expected, but I need to get some docs later.

This should be as expected, as https://pagure.io/freeipa/issue/8111 says, i.e., camellia is not added to the KRB5 encsalttypes in FIPS mode.

I'm verifying this bug for now.
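The manual check in the comments above (kernel enctype list against keytab entries) can be scripted. This is an added example, not part of the bug report or the kernel patches; the function names and the host `nfs.example.test` are assumptions, and the FIPS rule only encodes what the comments report about camellia.

```python
import re

# Enctype numbers and names exactly as shown in the session output on this page.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
            25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
NAME_TO_NUM = {name: num for num, name in ENCTYPES.items()}
# One `klist -e -k` entry row: KVNO, principal, "(enctype)".
KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_supported(text):
    """Parse /proc/fs/nfsd/supported_krb5_enctypes: comma-separated numbers."""
    return [int(tok) for tok in text.strip().split(",") if tok.strip()]

def parse_klist(text):
    """Return (kvno, principal, enctype name) per keytab row; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows

def audit(supported_text, klist_text, service="nfs/", fips=False):
    """List keytab entries for `service` that the NFS server could not use."""
    supported = set(parse_supported(supported_text))
    findings = []
    for _kvno, principal, name in parse_klist(klist_text):
        if not principal.startswith(service):
            continue
        num = NAME_TO_NUM.get(name)
        if num is None:
            findings.append((principal, name, "unknown enctype name"))
        elif num not in supported:
            findings.append((principal, name, "not supported by kernel"))
        elif fips and name.startswith("camellia"):
            # Per the comments above: camellia is not offered in FIPS mode.
            findings.append((principal, name, "camellia unavailable in FIPS mode"))
    return findings

# Constructed sample input modelled on the session above (hypothetical host name).
SUPPORTED = "20,19,26,25,18,17\n"
KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/nfs.example.test (camellia256-cts-cmac)
   2 nfs/nfs.example.test (camellia256-cts-cmac)
"""

if __name__ == "__main__":
    print("fixed kernel:", audit(SUPPORTED, KLIST))
    print("sha1-only kernel:", audit("18,17", KLIST))
    print("FIPS mode:", audit(SUPPORTED, KLIST, fips=True))
```

On a real host, pass the contents of `/proc/fs/nfsd/supported_krb5_enctypes` and the output of `klist -e -k` instead of the constructed strings.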