Kerberos upgrade logistics

Jim Green jfgreen at msu.edu
Thu Apr 12 13:04:38 EDT 2012


Thanks for the info.  My colleague who runs our AFS system has had a couple
of exchanges with the openafs-info list.  I think that's where we originally
heard about the allow_weak_crypto issue, which certainly is inconvenient.
But I was thinking more about the Kerberos side of things though they are
obviously intertwined.

The things that have to do with AFS in some way are mostly either old
systems/applications that mount AFS with an older AFS client, or (also old)
web servers/applications that have homegrown authentication modules that use
kaserver.  We're currently engaged in a process of identifying them and
either migrating to newer solutions or retiring them.

> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Jeff Blaine
> Sent: Thursday, April 12, 2012 10:25 AM
> To: kerberos at mit.edu
> Subject: Re: Kerberos upgrade logistics
> 
> On 4/12/2012 9:45 AM, Jim Green wrote:
> > At Michigan State, I am leading a project to upgrade our MIT Kerberos
> > central authentication service from version 1.6.3 to 1.10.1.  We will
> > be dropping support for the Kerberos 4 protocol.  We are a long-time
> > AFS site and most of the systems we've been able to identify that
> > still rely on Kerberos 4 are related to AFS in some way.
> 
> Need much more detail re: "in some way"
> 
> Also, 100% OpenAFS?  Or ridiculously ancient boxes still running IBM
> AFS?
> 
> You're better off posting this to openafs-info, IMO. The only
> significant thing of note that I can think of regarding AFS and MIT
> krb5 1.6.3 --> 1.10.1 is the requirement that krb5.conf include a new
> "allow_weak_crypto = true" setting, to satiate the current requirement
> for the "afs/cellname" principal's key to be of type des-cbc-crc:v4
> 
> http://docs.openafs.org/QuickStartUnix/ch01s03.html#Header_20
> 
> http://docs.openafs.org/QuickStartUnix/apb.html#KAS001
> 
> > The main drivers for this are a) desire to support account lockout
> > for some users; b) desire to end-of-life Kerberos 4 support as
> > recommended in MIT's Kerberos 4 end of life announcement
> > (http://web.mit.edu/kerberos/krb4-end-of-life.html).
> >
> > I am interested in communicating with folks that have been down this
> > path, if anyone has.  Anyone know of any medium to large research
> > institutions running Kerberos 1.7.x or higher?  If so, I'd appreciate
> > contact information.  And, anyone, please chime in if there's some
> > reason you know about that makes this idea totally crazy.  Thanks.
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
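The `allow_weak_crypto = true` requirement Jeff mentions is exactly the kind of setting worth inventorying before disabling Kerberos 4 and single-DES support. What follows is an added example, not code from the thread or from MIT krb5: a small audit script that parses krb5.conf/kdc.conf-style text and flags weak-crypto settings. The sample configs are constructed; `WEAK_ENCTYPES` is assumed to be the single-DES set that MIT krb5 1.8 and later reject unless `allow_weak_crypto` is set, and the parser handles only one level of brace nesting (enough for `[realms]` blocks).

```python
"""Audit krb5.conf / kdc.conf text for weak-crypto settings (added example)."""
import re

# Single-DES enctypes that MIT krb5 >= 1.8 refuses unless allow_weak_crypto = true.
# Assumption: this is the full "weak" set relevant to the AFS des-cbc-crc:v4 key.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}

# [libdefaults] keys whose values are enctype lists.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse krb5.conf/kdc.conf text into {section: {key: value}}.

    Keys inside a brace block (a realm under [realms]) are returned as
    'BLOCKNAME/key' within the enclosing section. Full-line '#' or ';'
    comments are skipped. One nesting level only.
    """
    sections = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[([\w-]+)\]", line)
        if m and block is None:
            section = m.group(1).lower()
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        if line.endswith("{") and "=" in line:
            block = line.split("=", 1)[0].strip()   # e.g. 'EXAMPLE.EDU = {'
            continue
        if line == "}":
            block = None
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = key.lower()
            if block is not None:
                key = f"{block}/{key}"
            sections[section][key] = value
    return sections


def enctypes(value):
    """Split an enctype list; drop kdc.conf's ':salttype' suffix (e.g. des-cbc-crc:v4)."""
    return [tok.split(":", 1)[0].lower() for tok in re.split(r"[\s,]+", value) if tok]


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing weak found."""
    cfg = parse_krb5_conf(text)
    findings = []
    lib = cfg.get("libdefaults", {})
    if lib.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("libdefaults: allow_weak_crypto is enabled (single-DES accepted)")
    checks = [("libdefaults", k) for k in ENCTYPE_KEYS]
    checks += [("realms", k) for k in cfg.get("realms", {}) if k.endswith("/supported_enctypes")]
    for section, key in checks:
        value = cfg.get(section, {}).get(key)
        if value is None:
            continue
        weak = [e for e in enctypes(value) if e in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{section}: {key} lists weak enctype(s) {', '.join(weak)}")
    return findings


# Constructed samples (not real site configs).
SAMPLE_KRB5_CONF = """\
# constructed: the setting the thread describes as needed for the AFS key
[libdefaults]
    default_realm = EXAMPLE.EDU
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc

[realms]
    EXAMPLE.EDU = {
        kdc = kdc.example.edu
    }
"""

SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.EDU = {
        supported_enctypes = aes256-cts:normal aes128-cts:normal des-cbc-crc:v4
    }
"""

HARDENED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    allow_weak_crypto = false
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for name, conf in (("krb5.conf", SAMPLE_KRB5_CONF), ("kdc.conf", SAMPLE_KDC_CONF),
                       ("hardened", HARDENED_KRB5_CONF)):
        print(name, audit(conf) or ["no weak-crypto settings"])
```

Running the script against a real `/etc/krb5.conf` and `kdc.conf` (read the files and pass the text to `audit`) gives a quick before-and-after check: the findings should disappear once the `afs/cellname` key and any other single-DES dependencies have been migrated and `allow_weak_crypto` is turned off again.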


