Kerberos upgrade logistics
Jim Green
jfgreen at msu.edu
Thu Apr 12 13:04:38 EDT 2012
Thanks for the info. My colleague who runs our AFS system has had a couple
of exchanges with the openafs-info list. I think that's where we originally
heard about the allow_weak_crypto issue, which certainly is inconvenient.
But I was thinking more about the Kerberos side of things though they are
obviously intertwined.
The things that have to do with AFS in some way are mostly either old
systems/applications that mount AFS with an older AFS client, or (also old)
web servers/applications that have homegrown authentication modules that use
kaserver. We're currently engaged in a process of identifying them and
either migrating to newer solutions or retiring them.
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Jeff Blaine
> Sent: Thursday, April 12, 2012 10:25 AM
> To: kerberos at mit.edu
> Subject: Re: Kerberos upgrade logistics
>
> On 4/12/2012 9:45 AM, Jim Green wrote:
> > At Michigan State, I am leading a project to upgrade our MIT Kerberos
> > central authentication service from version 1.6.3 to 1.10.1. We will
> > be dropping support for the Kerberos 4 protocol. We are a long-time
> > AFS site and most of the systems we've been able to identify that
> > still rely on Kerberos 4 are related to AFS in some way.
>
> Need much more detail re: "in some way"
>
> Also, 100% OpenAFS? Or ridiculously ancient boxes still running IBM
> AFS?
>
> You're better off posting this to openafs-info, IMO. The only
> significant thing of note that I can think of regarding AFS and MIT
> krb5 1.6.3 --> 1.10.1 is the requirement that krb5.conf include a new
> "allow_weak_crypto = true" setting, to satiate the current requirement
> for the "afs/cellname" principal's key to be of type des-cbc-crc:v4
>
> http://docs.openafs.org/QuickStartUnix/ch01s03.html#Header_20
>
> http://docs.openafs.org/QuickStartUnix/apb.html#KAS001
>
> > The main drivers for this are a) desire to support account lockout
> > for some users; b) desire to end-of-life Kerberos 4 support as
> > recommended in MIT's Kerberos 4 end of life announcement
> > (http://web.mit.edu/kerberos/krb4-end-of-life.html).
> >
> > I am interested in communicating with folks that have been down this
> > path, if anyone has. Anyone know of any medium to large research
> > institutions running Kerberos 1.7.x or higher? If so, I'd appreciate
> > contact information. And, anyone, please chime in if there's some
> > reason you know about that makes this idea totally crazy. Thanks.
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
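A small audit that checks a krb5.conf for the setting discussed above; this is an added example for this thread, not code from either poster. It assumes only that MIT krb5 1.8 and later default allow_weak_crypto to false (so a 1.6.3 to 1.10.1 upgrade that keeps a des-cbc-crc afs/cellname key needs the setting Jeff quotes), and the sample config embedded in it is constructed.

```python
"""Report weak-crypto settings in the [libdefaults] section of a krb5.conf.

Added example, not from the original posts. allow_weak_crypto is a global
client-side switch: it re-enables DES for every service the host talks to,
not just the afs/cellname principal that still needs des-cbc-crc.
"""
import re

# Enctypes MIT krb5 treats as "weak" (DES family, incl. the "des" alias).
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des-cbc-raw", "des3-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes")


def libdefaults(conf_text):
    """Return flat key -> value settings from the [libdefaults] section."""
    settings, in_section = {}, False
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()  # krb5.conf comments
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[libdefaults]"
            continue
        if in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[key.lower()] = value
    return settings


def audit(conf_text):
    """Return whether weak crypto is enabled and which weak enctypes appear."""
    s = libdefaults(conf_text)
    enabled = s.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1", "on")
    weak = {}
    for key in ENCTYPE_KEYS:
        listed = [e for e in re.split(r"[\s,]+", s.get(key, "")) if e]
        hits = [e for e in listed if e.lower() in WEAK_ENCTYPES]
        if hits:
            weak[key] = hits
    return {"allow_weak_crypto": enabled, "weak_enctypes": weak}


# Constructed sample: the kind of krb5.conf an AFS site ends up with.
SAMPLE_CONF = """[libdefaults]
    default_realm = EXAMPLE.EDU   # placeholder realm
    allow_weak_crypto = true      ; needed for des-cbc-crc afs/cellname key
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
[realms]
    EXAMPLE.EDU = { kdc = kdc.example.edu }
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```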