lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <87zf8hhhf1.fsf@josefsson.org>
Date: Wed, 19 Nov 2025 21:54:42 +0100
From: Simon Josefsson <simon@...efsson.org>
To: Salvatore Bonaccorso <carnil@...ian.org>
Cc: "Tyler W. Ross" <TWR@...erwross.com>,  Scott Mayhew
 <smayhew@...hat.com>,  Trond Myklebust <trondmy@...nel.org>,  Chuck Lever
 <chuck.lever@...cle.com>,  Anna Schumaker <anna@...nel.org>,
  "1120598@...s.debian.org" <1120598@...s.debian.org>,  Jeff Layton
 <jlayton@...nel.org>,  NeilBrown <neil@...wn.name>,  Steve Dickson
 <steved@...hat.com>,  Olga Kornievskaia <okorniev@...hat.com>,  Dai Ngo
 <Dai.Ngo@...cle.com>,  Tom Talpey <tom@...pey.com>,
  linux-nfs@...r.kernel.org,  linux-kernel@...r.kernel.org
Subject: Re: ls input/output error ("NFS: readdir(/) returns -5") on krb5
 NFSv4 client using SHA2

Salvatore Bonaccorso <carnil@...ian.org> writes:

> I'm looping in here the gssproxy maintainer as well. Simon, this is
> about https://bugs.debian.org/1120598 . I assume there is nothing on
> gssroxy side which can be done to warn about the situation, quoting
> again:
>
>> The actual issue at hand then seems to be that gssproxy is requesting (and
>> receiving) a service ticket with an unusable (for the NFS mount) enctype,
>> when performing constrained delegation/S4U2Proxy.
>
> ?

It isn't clear to me if the gssproxy behaviour is buggy or just
sub-optimal, but it seems like gssproxy upstream could develop some
patch to make the enctypes match.  I'm not sure if that is generally a
safe thing, even if it would fix the problem.  Anyway, I think this
looks definitely beyond any Debian-specific concern about gssproxy so I
think some upstream recommendation is needed here, and I don't have a
working NFSv4 gss setup available to debug this.

/Simon

Download attachment "signature.asc" of type "application/pgp-signature" (1252 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ