Kerberos upgrade logistics

Jeff Blaine jblaine at kickflop.net
Thu Apr 12 10:25:09 EDT 2012


On 4/12/2012 9:45 AM, Jim Green wrote:
> At Michigan State, I am leading a project to upgrade our MIT Kerberos
> central authentication service from version 1.6.3 to 1.10.1.  We will be
> dropping support for the Kerberos 4 protocol.  We are a long-time AFS site
> and most of the systems we've been able to identify that still rely on
> Kerberos 4 are related to AFS in some way.

Need much more detail re: "in some way"

Also, 100% OpenAFS?  Or ridiculously ancient boxes still running
IBM AFS?

You're better off posting this to openafs-info, IMO. The only
significant thing of note that I can think of regarding AFS
and MIT krb5 1.6.3 --> 1.10.1 is the requirement that krb5.conf
include a new "allow_weak_crypto = true" setting, to satiate
the current requirement for the "afs/cellname" principal's
key to be of type des-cbc-crc:v4

http://docs.openafs.org/QuickStartUnix/ch01s03.html#Header_20

http://docs.openafs.org/QuickStartUnix/apb.html#KAS001

> The main drivers for this are a) desire to support account lockout for
> some users; b) desire to end-of-life Kerberos 4 support as recommended in
> MIT's Kerberos 4 end of life announcement
> (http://web.mit.edu/kerberos/krb4-end-of-life.html).
>
> I am interested in communicating with folks that have been down this path,
> if anyone has.  Anyone know of any medium to large research institutions
> running Kerberos 1.7.x or higher?  If so, I'd appreciate contact
> information.  And, anyone, please chime in if there's some reason you know
> about that makes this idea totally crazy.  Thanks.
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
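
Added example, not part of the thread and not code from MIT krb5 or OpenAFS: a small Python audit that reports whether a krb5.conf enables the allow_weak_crypto setting discussed above and which weak enctypes its [libdefaults] section lists, so hosts that still depend on single-DES can be inventoried. The sample file, the realm name and the function names are constructed for illustration.

```python
import re

# Enctypes the MIT krb5 documentation marks as weak ("des" is the family alias).
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                 "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

# Constructed sample configuration (hypothetical realm and KDC host).
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.EDU
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
[realms]
    EXAMPLE.EDU = {
        kdc = kdc1.example.edu
    }
"""

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Report the allow_weak_crypto state and any weak enctypes explicitly listed."""
    settings = parse_libdefaults(text)
    # allow_weak_crypto defaults to false when the setting is absent.
    allowed = settings.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    listed = {}
    for key in ENCTYPE_KEYS:
        names = re.split(r"[\s,]+", settings.get(key, ""))
        # A leading "-" removes an enctype from the list, so it is not a finding.
        weak = [n for n in names if not n.startswith("-") and n.lower() in WEAK_ENCTYPES]
        if weak:
            listed[key] = weak
    return {"allow_weak_crypto": allowed, "weak_enctypes_listed": listed}

if __name__ == "__main__":
    print(audit(SAMPLE))
```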

