heads up regarding 6548599 putback


Date: Fri, 9 Nov 2007 11:47:14 -0600
From: Will Fiveash <William.Fiveash at sun dot com>
To: onnv-gate at onnv dot eng dot sun dot com
Subject: heads up regarding 6548599 putback

Unless you are in the Kerberos Early Adopters program or otherwise know
that you are using NFS sec=krb5* mounts with an AES Kerberos enctype you
can probably stop reading this.

The putback for:

6548599 AES encrypt function in kmech_krb5 is broken for 16 byte input, causes NFSsec interop problems

breaks backwards compatibility with earlier versions of the Kerberos
kernel module that do not have the fix when doing NFS sec=krb5* with a
Kerberos AES enctype key.  The criteria for affected systems are:

1. They are running S10 or higher.
2. They are using an NFS share where sec is any of krb5, krb5i or krb5p.
3. The Kerberos enctype is either aes128-cts-hmac-sha1-96 or
   aes256-cts-hmac-sha1-96 (use klist -e to see the enctype on the NFS
   client side, klist -ke to see the NFS service key enctypes).

Note that S9 and earlier systems are not affected at all by this since
they do not support the AES Kerberos enctype key.

The two strategies for dealing with this are to update all systems,
clients and servers, with the fix, or to temporarily downgrade the NFS
service principal keys until all dependent NFS clients and servers are
patched.

To downgrade, have the NFS server administrator add a new set of NFS
service principal keys for the NFS server that do not contain AES keys
to the /etc/krb5/krb5.keytab file.  The administrator then waits for the
NFS service tickets acquired by the NFS clients to expire (usually one
week), then applies the patch on the server and clients (this does not
have to happen simultaneously).  Once all the clients and the server are
patched, the administrator adds another set of krb keys for the server,
this time including AES enctype keys.

Example of downgrading (assuming the NFS service principal has AES keys
in the keytab already, nfsserv.central is the example NFS server host):

kadmin -k -p nfs/nfsserv.central.sun.com -q 'ktadd -e arcfour-hmac-md5:normal -e des3-cbc-sha1-kd:normal -e des-cbc-md5:normal nfs/nfsserv.central.sun.com'

To restore AES support on the NFS server:
kadmin -k -p nfs/nfsserv.central.sun.com -q 'ktadd nfs/nfsserv.central.sun.com'
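As an added example (not part of the original message), a small check an administrator can run on the NFS server to confirm the downgrade is in effect: ktadd leaves the old AES keys in the keytab under the previous kvno, so the key set that matters is the one at the highest kvno. The script parses `klist -ke` output for one principal and reports whether that set still carries an AES enctype. The sample output and the enctype display names are constructed and assumed to follow the MIT/Solaris klist style; the realm EXAMPLE.COM is a placeholder.

```shell
#!/bin/sh
# Added example: inspect the current (highest-kvno) key set of a keytab
# principal as listed by `klist -ke`.  Older key sets stay in the keytab
# after ktadd, so they must be ignored when deciding if AES is still live.

# Constructed sample of `klist -ke` output: kvno 3 is the old set (with
# AES), kvno 4 is the non-AES set added by the downgrade ktadd.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/nfsserv.central.sun.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 nfs/nfsserv.central.sun.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 nfs/nfsserv.central.sun.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   4 nfs/nfsserv.central.sun.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   4 nfs/nfsserv.central.sun.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   4 nfs/nfsserv.central.sun.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 host/nfsserv.central.sun.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# latest_kvno_enctypes PRINCIPAL   (klist output on stdin)
# Prints one enctype name per line for the highest kvno of PRINCIPAL
# (full name including @REALM); prints nothing if the principal is absent.
latest_kvno_enctypes() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p {
            k = $1 + 0
            enc_name = $0
            sub(/^[^(]*\(/, "", enc_name)     # drop kvno, principal, "("
            sub(/\)[ \t]*$/, "", enc_name)    # drop trailing ")"
            if (k > max) { max = k; n = 0 }   # newer key set: start over
            if (k == max) enc[++n] = enc_name
        }
        END { for (i = 1; i <= n; i++) print enc[i] }'
}

# latest_kvno_has_aes PRINCIPAL   (klist output on stdin)
# Exit 0 if the current key set still contains an AES enctype, 1 otherwise.
latest_kvno_has_aes() {
    latest_kvno_enctypes "$1" | grep -qi 'aes'
}

# Usage against the constructed sample; on a live server replace the printf
# with:  klist -ke | latest_kvno_has_aes "$P"
P='nfs/nfsserv.central.sun.com@EXAMPLE.COM'
if printf '%s\n' "$SAMPLE_KLIST" | latest_kvno_has_aes "$P"; then
    echo "$P: current key set still has AES keys (downgrade not in effect)"
else
    echo "$P: current key set has no AES keys (downgrade in effect)"
fi
```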

For the S10 version of the fix, check with Peter Shoults
<Peter.Shoults at Sun dot COM>.

-- 
Will Fiveash
Sun Microsystems               Office x64079/512-401-1079
Austin, TX, 78727              (TZ=CST6CDT), USA
Internal Solaris Kerberos/GSS/SASL website: http://kerberos.sfbay
Info about krb-diag: http://kerberos.sfbay/krb-tool-info.html

last modified by danmcd on 2009/11/24 14:23