
I am using NFSv4 with sec=krb5p encryption enabled on a CentOS 7 client & server. My NFS shares mount flawlessly at boot-time, and when I query my keytab file I am able to view the list of available ciphers, as so...

# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/fqdn.host.name@ADS (des-cbc-crc)
   3 nfs/fqdn.host.name@ADS (des-cbc-md5)
   3 nfs/fqdn.host.name@ADS (arcfour-hmac)
   3 nfs/fqdn.host.name@ADS (aes256-cts-hmac-sha1-96)
   3 nfs/fqdn.host.name@ADS (aes128-cts-hmac-sha1-96)

This is wonderful, and I'm happy that I am able to securely employ NFSv4 with end-to-end encryption using Kerberos 5 authentication and even limit which ciphers are available, or exclude "weak ciphers" via the /etc/krb5.conf file. Now that it's "working", I'd sure like to be able to verify that my client hasn't defaulted to a weak encryption cipher like "des-cbc-crc", or better yet confirm that my client IS using "aes256-cts-hmac-sha1-96" encryption! I don't seem to be able to find this functionality in any of my Kerberos package utilities.

Is there a way to determine WHICH cipher is being used to secure an existing NFS mount?

Will
  • Get the packet capture of the handshake on the wire and look at it with Wireshark. You should see which cipher peers have agreed to use. – kofemann Apr 07 '22 at 20:44
  • What kernel version does CentOS 7 have? (Or more specifically, what kernel version does _your system_ have?) Note though that the Kerberos session keys may use a different enctype than the long-term keys. – user1686 Apr 08 '22 at 17:13
  • NFS server and clients are on "kernel-3.10.0-1160.59.1.el7.x86_64". So strange that the only way to determine the enctype on a given NFS session would be to sniff network traffic... using the krb5p option is to prevent "snoopers" from "snooping" in the first place. – Will Apr 08 '22 at 20:39
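The following is an added example, not part of the question or its comments. It automates the two client-side checks that are available without a packet capture: it parses the `klist -ke` keytab listing shown in the question and flags the long-term keys that use weak enctypes, and it parses a `klist -e` credential-cache listing to pull out the session-key (skey) enctype of the service ticket for the nfs/ principal, which is the point user1686's comment makes (the ticket's session key can differ from the keytab's long-term key). The keytab sample reproduces the one in the question; the credential-cache sample is constructed for the example, and the arcfour-hmac session key in it is deliberate so the weak-session case is exercised. The ccache path /tmp/krb5cc_machine_ADS is an assumption about where rpc.gssd keeps the machine credential on this platform; the actual GSS context key is negotiated in the AP-REQ exchange and is only directly observable on the wire, as kofemann's comment says.

```python
"""Audit the Kerberos enctypes visible to an NFS client from klist output.

Added example, not from the original question. It parses the text output of
two MIT Kerberos commands the poster already uses:

  klist -ke   long-term keys in the keytab (what the principal *can* use)
  klist -e    session/ticket keys in a credential cache (what a ticket
              *was* issued with; the skey may differ from the keytab key)

On a live host, feed the functions
subprocess.check_output(["klist", "-ke"], text=True) and, with KRB5CCNAME
pointing at the rpc.gssd machine cache, subprocess.check_output(["klist",
"-e"], text=True). The samples below stand in for that output.
"""
import re

# Enctypes deprecated or removed in current MIT Kerberos; treated as weak here.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
    "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp",
}

# Keytab listing as shown in the question (klist -ke).
KEYTAB_SAMPLE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/fqdn.host.name@ADS (des-cbc-crc)
   3 nfs/fqdn.host.name@ADS (des-cbc-md5)
   3 nfs/fqdn.host.name@ADS (arcfour-hmac)
   3 nfs/fqdn.host.name@ADS (aes256-cts-hmac-sha1-96)
   3 nfs/fqdn.host.name@ADS (aes128-cts-hmac-sha1-96)
"""

# Constructed credential-cache listing (klist -e); the cache path is an assumption.
CCACHE_SAMPLE = """Ticket cache: FILE:/tmp/krb5cc_machine_ADS
Default principal: host/fqdn.host.name@ADS

Valid starting       Expires              Service principal
04/08/2022 08:00:00  04/08/2022 18:00:00  krbtgt/ADS@ADS
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
04/08/2022 08:00:01  04/08/2022 18:00:00  nfs/fqdn.host.name@ADS
\tEtype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
"""

# "   3 nfs/host@REALM (aes256-cts-hmac-sha1-96)"
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# "\tEtype (skey, tkt): <session-key enctype>, <ticket enctype>"
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(\S+),\s*(\S+)\s*$")


def parse_keytab_listing(text):
    """Return [(kvno, principal, enctype), ...] from klist -ke output."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_ccache_listing(text):
    """Return {service principal: (skey enctype, ticket enctype)} from klist -e."""
    tickets = {}
    service = None
    for line in text.splitlines():
        m = ETYPE_RE.match(line)
        if m and service:
            tickets[service] = (m.group(1), m.group(2))
            continue
        parts = line.split()
        # A ticket line ends in the service principal; skip the header lines.
        if parts and "@" in parts[-1] and not line.startswith(
                ("Ticket cache", "Default principal")):
            service = parts[-1]
    return tickets


def weak_keytab_entries(entries):
    """Keytab entries whose enctype is in WEAK_ENCTYPES."""
    return [(p, e) for _, p, e in entries if e in WEAK_ENCTYPES]


def service_session_enctype(tickets, service_prefix="nfs/"):
    """Session-key enctype of the first ticket for the given service, or None."""
    for svc, (skey, _tkt) in tickets.items():
        if svc.startswith(service_prefix):
            return skey
    return None


def audit(keytab_text, ccache_text, service_prefix="nfs/"):
    """Summarise weak long-term keys and the nfs/ ticket's session enctype."""
    entries = parse_keytab_listing(keytab_text)
    tickets = parse_ccache_listing(ccache_text)
    skey = service_session_enctype(tickets, service_prefix)
    return {
        "weak_keytab_enctypes": sorted({e for _, e in weak_keytab_entries(entries)}),
        "nfs_session_enctype": skey,
        "nfs_session_is_weak": (skey in WEAK_ENCTYPES) if skey else None,
    }


if __name__ == "__main__":
    for key, value in audit(KEYTAB_SAMPLE, CCACHE_SAMPLE).items():
        print(f"{key}: {value}")
```

With the samples above the script reports the three DES/RC4 keytab keys as weak and an arcfour-hmac session key for the nfs/ ticket even though the ticket itself was encrypted with aes256-cts-hmac-sha1-96. Two things a practitioner would pair this with: `cat /proc/mounts` (or `nfsstat -m`) confirms the mount really carries sec=krb5p but says nothing about the enctype, and on MIT Kerberos the client side of the negotiation is constrained by `permitted_enctypes` / `default_tgs_enctypes` in the `[libdefaults]` section of /etc/krb5.conf, with `allow_weak_crypto` left at its default of false. Removing the weak keys from the keytab itself (both ends) is what actually prevents their use, since a peer can only negotiate an enctype for which a key exists.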

0 Answers