2024-03-25 16:31:26

by Chuck Lever

Subject: Re: [External] : Re: LINUX NFS support for SHA256 hash types



> On Mar 25, 2024, at 2:34 AM, jaganmohan kanakala <[email protected]> wrote:
>
> Hi Chuck,
>
> Following up with my earlier email, I've noted from the following commit that the support for SHA 256/384 has now been added to Linux NFS.
> https://github.com/torvalds/linux/commit/a40cf7530d3104793f9361e69e84ada7960724f2
>
> The commit message says that the implementation was in 'beta' at the time of the commit. Is the implementation still in the 'beta' stage?

"Beta" was used simply to mean that the code did not have
significant test or deployment experience. So far there
have been only a few bugs, all known to be fixed at the
moment.


> I have an NFS client where I'm trying to support SHA 256 for Krb5. How can I verify my implementation with the Linux NFS server?

You will need a Linux distribution whose user space
Kerberos libraries support AES_SHA2 enctypes, and of
course a recent kernel. Scott, anything else? Does the
KDC need to handle these enctypes too?

--
Chuck Lever



2024-03-28 19:42:30

by Scott Mayhew

Subject: Re: [External] : Re: LINUX NFS support for SHA256 hash types

On Mon, 25 Mar 2024, Chuck Lever III wrote:

>
>
> > On Mar 25, 2024, at 2:34 AM, jaganmohan kanakala <[email protected]> wrote:
> >
> > Hi Chuck,
> >
> > Following up with my earlier email, I've noted from the following commit that the support for SHA 256/384 has now been added to Linux NFS.
> > https://github.com/torvalds/linux/commit/a40cf7530d3104793f9361e69e84ada7960724f2
> >
> > The commit message says that the implementation was in 'beta' at the time of the commit. Is the implementation still in the 'beta' stage?
>
> "Beta" was used simply to mean that the code did not have
> significant test or deployment experience. So far there
> have been only a few bugs, all known to be fixed at the
> moment.
>
>
> > I have an NFS client where I'm trying to support SHA 256 for Krb5. How can I verify my implementation with the Linux NFS server?
>
> You will need a Linux distribution whose user space
> Kerberos libraries support AES_SHA2 enctypes, and of
> course a recent kernel. Scott, anything else? Does the
> KDC need to handle these enctypes too?

It depends on whether both the NFS client and the NFS server support the
enctype negotiation extension (RFC 4537). If they do, then the KDC
doesn't need to be able to handle those enctypes.

-Scott

>
> -- Chuck Lever
>
>
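Added example, not part of either message and not code from the kernel or from any Kerberos library: a simplified Python model of the RFC 4537 selection Scott describes, showing why the KDC can stay on SHA1 enctypes while the GSS context still ends up on an AES_SHA2 one. The function names, the sample ticket enctype and the sample server list (written in the comma-separated form the Linux kernel reports in /proc/net/rpc/gss_krb5_enctypes) are constructed for illustration; client subkeys and other protocol details are ignored.

```python
# Simplified model of RFC 4537 enctype negotiation (added illustration).
# Enctype numbers are the IANA-assigned Kerberos values.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",  # RFC 8009
    20: "aes256-cts-hmac-sha384-192",  # RFC 8009
}
SHA2_ENCTYPES = {19, 20}


def parse_enctype_list(text):
    """Parse a comma-separated enctype list such as '20,19,18,17'."""
    return [int(tok) for tok in text.strip().split(",") if tok.strip()]


def negotiate(ticket_etype, client_prefs, server_supported,
              client_ext=True, server_ext=True):
    """Return the enctype that ends up protecting the context.

    ticket_etype     -- enctype of the ticket session key, chosen by the KDC
    client_prefs     -- client's list, most preferred first, as it would be
                        carried in the authenticator
    server_supported -- enctypes the server implements
    """
    # If either side lacks the extension, the KDC's choice is all there is.
    if not (client_ext and server_ext):
        return ticket_etype
    # The server takes the first entry of the client's list that it supports
    # and answers with a subkey of that enctype.
    for etype in client_prefs:
        if etype in server_supported:
            return etype
    # No overlap: fall back to the ticket session key enctype.
    return ticket_etype


def uses_sha2(etype):
    return etype in SHA2_ENCTYPES


if __name__ == "__main__":
    server = parse_enctype_list("20,19,18,17\n")  # constructed sample
    kdc_choice = 18                               # KDC only knows SHA1 enctypes
    for ext in (True, False):
        got = negotiate(kdc_choice, [20, 19], server, server_ext=ext)
        print(f"server_ext={ext}: {got} ({ENCTYPE_NAMES[got]})")
```

With the extension on both sides the model lands on enctype 20 even though the ticket was issued with enctype 18; without it the context stays on 18, so reaching an AES_SHA2 enctype would require the KDC to issue one.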