Thanks for the info. My colleague who runs our AFS system has had a couple of exchanges with the openafs-info list. I think that's where we originally heard about the allow_weak_crypto issue, which certainly is inconvenient. But I was thinking more about the Kerberos side of things, though they are obviously intertwined.

The things that have to do with AFS in some way are mostly either old systems/applications that mount AFS with an older AFS client, or (also old) web servers/applications that have homegrown authentication modules that use kaserver. We're currently engaged in a process of identifying them and either migrating to newer solutions or retiring them.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Jeff Blaine
> Sent: Thursday, April 12, 2012 10:25 AM
> To: [email protected]
> Subject: Re: Kerberos upgrade logistics
>
> On 4/12/2012 9:45 AM, Jim Green wrote:
> > At Michigan State, I am leading a project to upgrade our MIT Kerberos
> > central authentication service from version 1.6.3 to 1.10.1. We will
> > be dropping support for the Kerberos 4 protocol. We are a long-time
> > AFS site and most of the systems we've been able to identify that
> > still rely on Kerberos 4 are related to AFS in some way.
>
> Need much more detail re: "in some way"
>
> Also, 100% OpenAFS? Or ridiculously ancient boxes still running IBM
> AFS?
>
> You're better off posting this to openafs-info, IMO. The only
> significant thing of note that I can think of regarding AFS and MIT
> krb5 1.6.3 --> 1.10.1 is the requirement that krb5.conf include a new
> "allow_weak_crypto = true" setting, to satiate the current requirement
> for the "afs/cellname" principal's key to be of type des-cbc-crc:v4
>
> http://docs.openafs.org/QuickStartUnix/ch01s03.html#Header_20
>
> http://docs.openafs.org/QuickStartUnix/apb.html#KAS001
>
> > The main drivers for this are a) desire to support account lockout
> > for some users; b) desire to end-of-life Kerberos 4 support as
> > recommended in MIT's Kerberos 4 end of life announcement
> > (http://web.mit.edu/kerberos/krb4-end-of-life.html).
> >
> > I am interested in communicating with folks that have been down this
> > path, if anyone has. Anyone know of any medium to large research
> > institutions running Kerberos 1.7.x or higher? If so, I'd appreciate
> > contact information. And, anyone, please chime in if there's some
> > reason you know about that makes this idea totally crazy. Thanks.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
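
An added example, not part of the original thread: a small audit helper for the upgrade discussed above. It reports whether a krb5.conf enables allow_weak_crypto and which keytab entries are single-DES keys (such as the afs/cellname key) that keep the setting necessary. The function names, the sample krb5.conf and the sample listing are constructed, and the listing format is assumed to follow `klist -ke` output.

```python
import re

# Single-DES enctype names in MIT krb5; these are the keys that need allow_weak_crypto.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed krb5.conf, not taken from any real site.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    allow_weak_crypto = true
"""

# Constructed listing in the style of `klist -ke` output (format assumed).
SAMPLE_KEYTAB = """\
KVNO Principal
---- --------------------------------------------------
   3 afs/example.edu@EXAMPLE.EDU (des-cbc-crc)
   5 host/web1.example.edu@EXAMPLE.EDU (aes256-cts-hmac-sha1-96)
   5 host/web1.example.edu@EXAMPLE.EDU (des-cbc-md5)
"""

def weak_crypto_allowed(conf_text):
    """True if [libdefaults] sets allow_weak_crypto to a true value."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "allow_weak_crypto":
                return value.lower() in TRUE_VALUES
    return False

def weak_keys(listing):
    """Return (principal, enctype) pairs whose enctype is single DES."""
    entry = re.compile(r"^\s*\d+\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")
    found = []
    for line in listing.splitlines():
        match = entry.match(line)
        if match and match.group(2) in WEAK_ENCTYPES:
            found.append((match.group(1), match.group(2)))
    return found

if __name__ == "__main__":
    print("allow_weak_crypto enabled:", weak_crypto_allowed(SAMPLE_CONF))
    for principal, enctype in weak_keys(SAMPLE_KEYTAB):
        print("single-DES key:", principal, enctype)
```

An empty result from `weak_keys` across all service keytabs is the signal that allow_weak_crypto can be switched off again.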
