How to check the supported encryption types in nfs ?

In this article I am going to show how we can find the supported encryption types from nfs server.

You need to go to below path to see the supported encryption types :

cat /proc/fs/nfsd/supported_krb5_enctypes
enctypes=18,17,16,23,3,1,2

It will show you the numbers only kindly find the below mapping with encryption types :

18 -- aes256-cts-hmac-sha1-96
17 -- aes128-cts-hmac-sha1-96
16 -- des3-cbc-sha1-kd
23 -- rc4-hmac
3  -- des-cbc-md5 
1 -- des-cbc-crc 
2 -- des-cbc-md4

Which encryption type your nfs client and servers are using, you can find 
that from tcpdump or from the kerberos logs when the ticket is getting 
generated.

Showing an example from NFS tcpdump to identify which "Encryption type" we 
are using.

Network File System
    [Program Version: 4]
    [V4 Procedure: NULL (0)]
    GSS Context
        GSS Context Length: 4
        GSS Context: 18000000
        [Created in frame: 13]
    GSS Major Status: 0
    GSS Minor Status: 0
    GSS Sequence Window: 128
    GSS Token: 0000009c60819906092a864886f71201020202006f818930...
        GSS Token Length: 156
        GSS-API Generic Security Service Application Program Interface
            OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
            krb5_blob: 02006f8189308186a003020105a10302010fa27a3078a003...
                krb5_tok_id: KRB5_AP_REP (0x0002)
                Kerberos AP-REP
                    Pvno: 5
                    MSG Type: AP-REP (15)
                    enc-part aes256-cts-hmac-sha1-96
                        Encryption type: aes256-cts-hmac-sha1-96 (18)   <<<<<<<<<
                        enc-part: 164eac87c8137e058a30c26f87d4020f13b34621b048b9b4...


If you are facing issue while doing kerbero mount of nfs share, it's good 
practice to see whether you are able to mount the share using keytab 
generated with "all" encryption type instead of any specific one.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s