Kerberos upgrade logistics
Jeff Blaine
jblaine at kickflop.net
Thu Apr 12 10:25:09 EDT 2012
On 4/12/2012 9:45 AM, Jim Green wrote:
> At Michigan State, I am leading a project to upgrade our MIT Kerberos
> central authentication service from version 1.6.3 to 1.10.1. We will be
> dropping support for the Kerberos 4 protocol. We are a long-time AFS site
> and most of the systems we've been able to identify that still rely on
> Kerberos 4 are related to AFS in some way.
Need much more detail re: "in some way"
Also, 100% OpenAFS? Or ridiculously ancient boxes still running
IBM AFS?
You're better off posting this to openafs-info, IMO. The only
significant thing of note that I can think of regarding AFS
and MIT krb5 1.6.3 --> 1.10.1 is the requirement that krb5.conf
include a new "allow_weak_crypto = true" setting, to satiate
the current requirement for the "afs/cellname" principal's
key to be of type des-cbc-crc:v4
http://docs.openafs.org/QuickStartUnix/ch01s03.html#Header_20
http://docs.openafs.org/QuickStartUnix/apb.html#KAS001
> The main drivers for this are are a) desire to support account lockout for
> some users; b) desire to end-of-life Kerberos 4 support as recommended in
> MIT's Kerberos 4 end of life announcement
> (http://web.mit.edu/kerberos/krb4-end-of-life.html).
>
> I am interested in communicating with folks that have been down this path,
> if anyone has. Anyone know of any medium to large research institutions
> running Kerberos 1.7.x or higher? If so, I'd appreciate contact
> information. And, anyone, please chime in if there's some reason you know
> about that makes this idea totally crazy. Thanks.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list