As indicated in the IBM Redbooks publication "Securing NFS in AIX: An Introduction to NFSv4 in AIX 5L Version 5.3," SG24-7204, NFSv4 currently supports DES and DES3 encryption types. This Technote describes how to set the desired encryption types in AIX NFSv4, and how an administrator could configure some AIX NFSv4 clients to use DES encryption while others make use of DES3 encryption types. There could also be a need to have all of the NFS v4 clients either use only DES or use only Triple DES encryption type while communicating with the AIX NFS v4 Server.
As indicated in the above-mentioned Redbook, Kerberos authentication uses a unique identifier called a "machine principal" to identify hosts. The machine principal is established when configuring a host into a Kerberos realm. The machine principal name is the fully qualified host name prefixed with host/ (for example, host/nfs402.itsc.austin.ibm.com). Another way that Kerberos indirectly identifies a host is through the NFS service principal. (This is the identification of the NFS service running on the host.) The service principal name is the fully qualified host name prefixed with nfs/ (as in nfs/nfs402.itsc.austin.ibm.com). NFS clients using Kerberos authentication identify NFS servers with this service principal. For each NFS server in your KDC environment, you must define a principal of type nfs/<full_qualified_hostname>@REALM, for example: nfs/nfs404.itsc.austin.ibm.com@REALM1.ITSC.AUSTIN.IBM.COM
Important: The encryption types associated with the NFSv4 server's service principal in your KDC environment (described above) and the default_tgs_enctypes section in the /etc/krb5/config.krb5 file of the NFSv4 client machine together determine the encryption type that will be used for communication.
When you create the NFS service principal using the IBM NAS kadmin command (along with the corresponding entry in the keytab file), be careful because this principal creation process will determine the encryption type that will be supported by that particular NFS v4 server.
- If you create the NFS service principal with only DES enctype, then the corresponding NFS v4 server will support only DES.
- If you create the NFS service principal with only DES3 enctype, then the corresponding NFS v4 server will support only DES3.
- If you create the NFS service principal with both DES and DES3 enctypes, then the NFS v4 server will support both the encryption types. But then you must be careful because the order in which the encryption types are specified determines the priority given by the AIX NFSv4 server.
On the AIX NFSv4 client, if you want the client to make use of:
- DES enctype, then make sure that the default_tgs_enctypes section in the /etc/krb5/config.krb5 file has the des-cbc-crc as its first entry.
- DES3 enctype, then make sure that the default_tgs_enctypes section in the /etc/krb5/config.krb5 file has the des3-cbc-sha1 as its first entry.
If the AIX NFSv4 administrator wants the NFSv4 client and the NFSv4 server to securely communicate explicitly using only Triple DES enctypes, then they need to create the nfs/hostname server principal with DES3 enctype (that is, des3-cbc-sha1), along with the corresponding entry in the keytab file (using kadmin interface) and have DES3 (des3-cbc-sha1) as the first entry in the default_tgs_enctypes section of the /etc/krb5/krb5.conf file on the NFS v4 client machine.
Note: In this case the NFSv4 server will only accept DES3 access and may result in problems with some NFSv4 clients not supporting DES3. It assumes that the administrator is making use of the default salt type.
This material has not been submitted to any formal IBM test and is published AS IS. It has not been the subject of rigorous review. IBM assumes no responsibility for its accuracy or completeness. The use of this information or the implementation of any of these techniques is a client responsibility and depends upon the client's ability to evaluate and integrate them into the client's operational environment.