Bug 409101 - fully kerberize nfsv4
fully kerberize nfsv4
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nfs-utils (Show other bugs)
All Linux
high Severity low
: ---
: ---
Assigned To: Steve Dickson
Depends On:
  Show dependency treegraph
Reported: 2007-12-03 13:57 EST by Kevin Krafthefer
Modified: 2008-12-09 16:09 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-12-09 15:40:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Kevin Krafthefer 2007-12-03 13:57:58 EST
Description of problem:
IPA requires nfsv4 to be kerberized. For details, see Karl Wirth.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Steve Dickson 2007-12-17 07:22:39 EST
We currently support Kerberos V5 authentication, checksumming and encryption
for NFSv4. What else is expected?
Comment 2 Karl Wirth 2007-12-17 12:04:56 EST
Does it work with any key or only with DES keys? We need to work with any key.
Comment 3 Steve Dickson 2007-12-17 15:11:36 EST
No we only support DES. But why do we need to work with any key? 
(Note: not try to be pain just curious as to what other type of keys 
would give us that DES don't).

Comment 4 Nalin Dahyabhai 2007-12-17 18:37:48 EST
Single-key DES is limited to a 56-bit key, which is relatively easy to
brute-force when compared to other ciphers which Kerberos can use.  (I'm mainly
thinking of AES here, but there are others.)

There's also the deployment problem that having to ensure that only DES keys get
set for NFS services, and going back to double-check if that's forgotten during
initial setup, is a pain.
Comment 5 Tony Fu 2008-10-05 21:47:53 EDT
User krafthef@redhat.com's account has been closed

Note You need to log in before you can comment on or make changes to this bug.