diff options
authorChuck Lever <>2013-03-23 08:09:42 -0400
committerSteve Dickson <>2013-03-25 10:09:10 -0400
commit020fc9855c69f74361a416be357fb882e80dcdd8 (patch)
parent6888d305d8683d178239170794ce8debdaaaacd8 (diff)
gssd: Update description of "-l" option
Move most of the text in the description of the "-l" option up to the DESCRIPTION section, to match what was done for "-n" and "-k". The discussion is then less restricted by formatting, and we can take the space to introduce a few concepts before describing the behavior of rpc.gssd. Fix a few misspellings and grammar issues while here. Acked-by: J. Bruce Fields <> Signed-off-by: Chuck Lever <> Signed-off-by: Steve Dickson <>
2 files changed, 27 insertions, 22 deletions
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index a3292c9..0be2517 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -147,7 +147,7 @@ main(int argc, char *argv[])
limit_to_legacy_enctypes = 1;
- errx(1, "Setting encryption type not support by Kerberos libraries.");
+ errx(1, "Encryption type limits not supported by Kerberos libraries.");
diff --git a/utils/gssd/ b/utils/gssd/
index 1d6fb4c..79d9bf9 100644
--- a/utils/gssd/
+++ b/utils/gssd/
@@ -172,6 +172,27 @@ If
.B rpc.gssd
cannot obtain a machine credential (say, the local system has
no keytab), NFSv4 operations that require machine credentials will fail.
+.SS Encryption types
+A realm administrator can choose to add keys encoded in a number of different
+encryption types to the local system's keytab.
+For instance, a host/ principal might have keys for the
+.BR aes256-cts-hmac-sha1-96 ,
+.BR aes128-cts-hmac-sha1-96 ,
+.BR des3-cbc-sha1 ", and"
+.BR arcfour-hmac " encryption types."
+This permits
+.B rpc.gssd
+to choose an appropriate encryption type that the target NFS server
+These encryption types are stronger than legacy single-DES encryption types.
+To interoperate in environments where servers support
+only weak encryption types,
+you can restrict your client to use only single-DES encryption types
+by specifying the
+.B -l
+option when starting
+.BR rpc.gssd .
.B -f
@@ -193,28 +214,12 @@ The default value is
.IR /etc/krb5.keytab .
.B -l
+When specified, restricts
.B rpc.gssd
-to limit session keys to Single DES even if the kernel supports stronger
-encryption types. Service ticket encryption is still governed by what
-the KDC believes the target server supports. This way the client can
-access a server that has strong keys in its keytab for ticket decryption
-but whose kernel only supports Single DES.
-The alternative is to put only Single DES keys in the server's keytab
-and limit encryption types for its principal to Single DES on the KDC
-which will cause service tickets for this server to be encrypted using
-only Single DES and (as a side-effect) contain only Single DES session
-This legacy behaviour is only required for older servers
-(pre nfs-utils-1.2.4). If the server has a recent kernel, Kerberos
-implementation and nfs-utils it will work just fine with stronger
-.B Note:
-This option is only available with Kerberos libraries that
-support setable encryption types.
+to sessions to weak encryption types such as
+.BR des-cbc-crc .
+This option is available only when the local system's Kerberos library
+supports settable encryption types.
.BI "-p " path