Hi Jostein,

On Tue, Mar 18, 2025 at 09:48:36AM +0100, Jostein Fossheim wrote:
> > But that said the situation in Bookworm might not be optimal for
> > kerberized NFS setups.
> >
> > Regards,
> > Salvatore
>
> We tried to do an upgrade to Trixie just to see how the situation was looking
> there, and at least for now the problem persists:
>
> root@basic-nas:~# uname -a
> Linux basic-nas.lab.skyfritt.net 6.12.17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.17-1 (2025-03-01) x86_64 GNU/Linux
> root@basic-nas:~# cat /boot/config-6.12.17-amd64 | grep AES_SHA2
> # CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 is not set
> root@basic-nas:~#
>
> Log file from Trixie when we enforce the encryption schemas in question from
> the clients:
>
> Mar 18 09:43:42 basic-nas.lab.skyfritt.net rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes256-cts-hmac-sha384-192 not permitted
>
> Mar 18 09:44:53 basic-nas.lab.skyfritt.net rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes128-cts-hmac-sha256-128 not permitted
>
> I hope you will consider including RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 in future
> main kernel releases, or if possible include it as a module.
Let me try to summarize the situation on the src:linux side about this:

In Debian bookworm with the 6.1.y based kernel we do *not* set
SUNRPC_DISABLE_INSECURE_ENCTYPES, which would disable the deprecated
encryption types including DES-CBC-MD5, DES-CBC-CRC, and DES-CBC-MD4.
More concretely, we have the following enabled in 6.1 for bookworm:

    /*
     * NB: This list includes encryption types that were deprecated
     * by RFC 8429 and RFC 6649.
     *
     *   ENCTYPE_AES256_CTS_HMAC_SHA1_96
     *   ENCTYPE_AES128_CTS_HMAC_SHA1_96
     *   ENCTYPE_DES3_CBC_SHA1
     *   ENCTYPE_DES_CBC_MD5
     *   ENCTYPE_DES_CBC_CRC
     *   ENCTYPE_DES_CBC_MD4
     */
    #define KRB5_SUPPORTED_ENCTYPES "18,17,16,3,1,2"

For the kernel upcoming in Debian trixie the situation changes. There is
an important change in this respect upstream with
https://git.kernel.org/linus/dfe9a123451a6e73306c988eab3dab12df001677
in 6.3-rc1 (support for RPCSEC_GSS_KRB5_ENCTYPES_DES got removed in
6.6-rc1). RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 gets enabled by default, so
we have that in trixie. For 6.12.y as we have in trixie, though, we have
so far not enabled RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 to support the
enctypes based on AES and SHA-2.

I did reassign this bug to add this support, and it is pending first for
the experimental branch, but marked to be backported as well for the
version which we aim to have in trixie.

As a side note, I think it would be good to have this as a test case in
the src:nfs-utils autopkgtests,
https://salsa.debian.org/kernel-team/nfs-utils/-/tree/debian/latest/debian/tests?ref_type=heads
I need to look at how we could do that.

Thanks for having reported this.

Regards,
Salvatore
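As an added example (a check written for this page, not part of the thread, of nfs-utils or of the Debian kernel packaging), the script below pulls the enctype names out of rpc.svcgssd "not permitted" errors, maps each to the kernel Kconfig option that enables it, and reports whether that option is set in the kernel config. The config lines and log lines are constructed samples modelled on the report above; on a real server you would feed it /boot/config-$(uname -r) and the rpc.svcgssd log instead.

```shell
#!/bin/sh
# Constructed sample of `grep KRB5_ENCTYPES /boot/config-$(uname -r)` on a kernel
# like the one in the report: SHA-1 AES enctypes on, SHA-2 AES enctypes off.
SAMPLE_CONFIG='CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1=y
# CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 is not set'

# Constructed rpc.svcgssd log lines modelled on the errors quoted in the thread.
SAMPLE_LOG='Mar 18 09:43:42 nas rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes256-cts-hmac-sha384-192 not permitted
Mar 18 09:44:53 nas rpc.svcgssd[1833]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Encryption type aes128-cts-hmac-sha256-128 not permitted
Mar 18 09:45:10 nas rpc.svcgssd[1833]: unrelated line that must be ignored'

# config_has OPTION CONFIG_TEXT: prints y if OPTION is built in (=y) or a module (=m),
# n otherwise (including the "# OPTION is not set" form).
config_has() {
    if printf '%s\n' "$2" | grep -Eq "^$1=(y|m)$"; then echo y; else echo n; fi
}

# enctype_option NAME: the Kconfig option that enables the Kerberos enctype NAME.
# aes*-sha256/sha384 are the RFC 8009 enctypes (ids 19 and 20); aes*-sha1-96 are
# ids 17 and 18; single DES is the removed RPCSEC_GSS_KRB5_ENCTYPES_DES group.
enctype_option() {
    case "$1" in
        aes128-cts-hmac-sha256-128|aes256-cts-hmac-sha384-192) echo RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2 ;;
        aes128-cts-hmac-sha1-96|aes256-cts-hmac-sha1-96) echo RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA1 ;;
        des-cbc-*) echo RPCSEC_GSS_KRB5_ENCTYPES_DES ;;
        *) echo UNKNOWN ;;
    esac
}

# rejected_enctypes LOG_TEXT: unique enctype names that rpc.svcgssd refused.
rejected_enctypes() {
    printf '%s\n' "$1" | sed -n 's/.*Encryption type \([^ ]*\) not permitted.*/\1/p' | sort -u
}

# report CONFIG_TEXT LOG_TEXT: one line per rejected enctype, naming the option to
# check and whether the config has it; "=n" explains the rejection.
report() {
    for et in $(rejected_enctypes "$2"); do
        opt=$(enctype_option "$et")
        echo "$et -> CONFIG_$opt=$(config_has "CONFIG_$opt" "$1")"
    done
}

report "$SAMPLE_CONFIG" "$SAMPLE_LOG"
```

The sample run prints both SHA-2 enctypes with CONFIG_RPCSEC_GSS_KRB5_ENCTYPES_AES_SHA2=n, which is exactly the situation in the report; a line ending in =y means the rejection comes from somewhere other than the kernel build.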