[OpenAFS] kaserver deprecation, OpenAFS future, etc...

Ken Hornstein kenh@cmf.nrl.navy.mil
Wed, 18 Oct 2006 23:05:40 -0400


(Note: I don't have anything to do with making these decisions; I'm just
giving you my view on things).

>   "kaserver is not being actively developed.  In fact,
>   it is considered deprecated and I strongly recommend
>   that kaserver be replaced with a Kerberos 5 KDC."
>
>Is there anything else I can be made aware of ahead of
>time?  Is there a roadmap that is kept up to date with
>these decisions?  Where are these decisions being made?

This is one of those things that I thought everyone was aware of,
but I guess never formally got communicated.  If you asked me if
kaserver is considered deprecated, I'd say, "Well, if it isn't, it
should be" ... but I don't think the Elders have made a formal
statement on that.

It was clear to me from the AFS Best Practices Workshops, the "buzz"
on the mailing lists, and from talking to people that kaserver is
on its way out.  Given all the security issues surrounding Kerberos
4, and it only supporting single-DES, it's clear its days are
numbered.  For many years now a number of sites have been using AFS
with a Kerberos 5 KDC, and I think at least one of the RPMs that
are distributed make that the default install for a server.  But ...
if you've never been to an AFS BPW, or spent a lot of time reading
the developer mailing list, then maybe you wouldn't know.  That's
not necessarily wrong, mind you ... I'm just explaining where it
was talked about.  I don't think there was a vote, and I don't know if
it was a formal discussion item by the Elders ... I think if you
asked most of the AFS people around, they would all say that there
is a "strong" recommendation to use a Kerberos 5 KDC ... definitely
for a new installation.  I don't think we agreed that it was
deprecated, but it was certainly in my mind that no NEW kaserver
installations should be deployed.

I don't think that people are going to break kaserver anytime soon
...  I suspect bugs will be fixed in it for a long time.  But
seriously, there is almost no reason to not upgrade and plenty of
reasons TO upgrade.  If you haven't done it, you should at least
be thinking about it.

A formal statement by the Elders might be useful here.

--Ken