Score:0

Which Cipher Is Being Used To Encrypt NFSv4 With "sec=krb5p"?


I am using NFSv4 with sec=krb5p encryption enabled on a CentOS 7 client & server. My NFS shares mount flawlessly at boot-time, and when I query my keytab file I am able to view the list of available ciphers, as so...

# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------
   3 nfs/fqdn.host.name@ADS (des-cbc-crc)
   3 nfs/fqdn.host.name@ADS (des-cbc-md5)
   3 nfs/fqdn.host.name@ADS (arcfour-hmac)
   3 nfs/fqdn.host.name@ADS (aes256-cts-hmac-sha1-96)
   3 nfs/fqdn.host.name@ADS (aes128-cts-hmac-sha1-96)

This is wonderful, and I'm happy that I am able to securely employ NFSv4 with end-to-end encryption using Kerberos 5 authentication and even limit which ciphers are available, or exclude "weak ciphers" via the /etc/krb5.conf file. Now that it's "working", I'd sure like to be able to verify that my client hasn't defaulted to a weak encryption cipher like "des-cbc-crc", or better yet confirm that my client IS using "aes256-cts-hmac-sha1-96" encryption! I don't seem to be able to find this functionality in any of my Kerberos package utilities.

Is there a way to determine WHICH cipher is being used to secure an existing NFS mount?

Get the packet capture of the handshake on the wire and look at it with Wireshark. You should see which cipher peers have agreed to use.
user1686
What kernel version does CentOS 7 have? (Or more specifically, what kernel version does _your system_ have?) Note though that the Kerberos session keys may use a different enctype than the long-term keys.
Will
NFS server and clients are on "kernel-3.10.0-1160.59.1.el7.x86_64". So strange that the only way to determine the enctype on a given NFS session would be to sniff network traffic... using the krb5p option is to prevent "snoopers" from "snooping" in the first place.
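
As an added example (not from the question or its comments), the Python sketch below parses the `klist -ke` listing quoted in the question and separates the single-DES and RC4 entries from the rest. The weak-enctype set and the function names are assumptions of this example, and it audits only the long-term keys in the keytab; as noted in the comments, the session key may use a different enctype.

```python
import re

# Enctypes treated as weak in this example (single-DES and RC4).
# This set is an assumption of the example; adjust it to local policy.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "arcfour-hmac", "arcfour-hmac-exp",
}

# Matches "<kvno> <principal> (<enctype>)" as printed by `klist -ke`.
# Output of `klist -ket` (with timestamps) is not handled here.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

# Listing copied from the question above.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------
   3 nfs/fqdn.host.name@ADS (des-cbc-crc)
   3 nfs/fqdn.host.name@ADS (des-cbc-md5)
   3 nfs/fqdn.host.name@ADS (arcfour-hmac)
   3 nfs/fqdn.host.name@ADS (aes256-cts-hmac-sha1-96)
   3 nfs/fqdn.host.name@ADS (aes128-cts-hmac-sha1-96)
"""


def parse_klist_ke(text):
    """Return (kvno, principal, enctype) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        kvno, principal, enctype = m.groups()
        # Tolerate a "DEPRECATED:"-style label in front of the enctype name.
        enctype = enctype.rsplit(":", 1)[-1].strip().lower()
        entries.append((int(kvno), principal, enctype))
    return entries


def audit_keytab(text):
    """Group each principal's enctypes into 'weak' and 'other', in listing order."""
    report = {}
    for _kvno, principal, enctype in parse_klist_ke(text):
        bucket = report.setdefault(principal, {"weak": [], "other": []})
        key = "weak" if enctype in WEAK_ENCTYPES else "other"
        if enctype not in bucket[key]:
            bucket[key].append(enctype)
    return report


if __name__ == "__main__":
    for principal, result in audit_keytab(SAMPLE).items():
        print(principal, "weak:", result["weak"], "other:", result["other"])
```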