[OpenAFS] kaserver deperecation, OpenAFS future, etc...
Jeffrey Altman
jaltman@secure-endpoints.com
Thu, 19 Oct 2006 00:57:29 -0400
This is a cryptographically signed message in MIME format.
--------------ms040607020806010106090004
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Jeff:
I don't know if there was ever an official statement made
by the Elders regarding the deprecation of kaserver but
since before I became a Gatekeeper in 2003 I have seen
discussion of the deprecation of "kaserver". Google searches
for "kaserver deprecated" reveal presentations and discussions
using "deprecated" going as far back as 2002.
Efforts to support Kerberos 5 for AFS authentication have been
underway since May 1999 when Ken Hornstein issued the first of
his Kerberos 5 migration kits.
The kaserver situation became worrisome in March 2003 when a
significant Kerberos 4 crossrealm vulnerability was discovered.
This was published as security advisory OPENAFS-SA-2003-001
which can be found at http://www.openafs.org/security.
Then in May 2003 NIST announced the withdrawl of FIPS 43-3 "Data
Encryption Standard (DES)" as well as the associated FIPS 74 and
FIPS 81.
Then in July 2003 MIT announced the end of life of the Kerberos 4
protocol. A copy of that announcement can be found at
http://web.mit.edu/kerberos/krb4-end-of-life.html.
At every AFS & Kerberos Best Practice Workshop since then we have
discussed the need for Kerberos 5 integration and migration. In
particular, it has been stated as part of the "State of OpenAFS"
workshop presentations that OpenAFS 2.0 would be the version that was
Kerberos 5 complete.
http://www-conf.slac.stanford.edu/AFSBestPractices/Slides/StateofOAFS.pdf
Since then the OpenAFS gatekeepers and the development community
have continued to strengthen the support for Kerberos 5. By 1.2.11
protocol support for the use of Kerberos 5 tickets within the rxkad
security class was complete for all of the Kerberos 5 DES enctypes.
As part of the OpenAFS 1.4 series integrated support for aklog
and asetkey as well as support for the large Kerberos 5 tickets
generated by Microsoft's Active Directory were added.
With 1.4, OpenAFS is finally at the point where it can be used with
Kerberos 5 KDCs without any externally supported packages other than
the Kerberos 5 library. Either MIT or Heimdal Kerberos 5 libraries
can be used to build the support tools. For the KDC, you can use any
Kerberos 5 KDC implementation.
The one thing that OpenAFS is still lacking is protocol support
for enctypes other than single DES. That hole is being filled by
the rxk5 security class being implemented by Marcus Watts (UMich)
and Matt Benjamin (LinuxBox).
You asked about a roadmap. Unfortunately, if you look at the
OpenAFS Roadmap web page the only thing that is on it is a
pointer to the OpenAFS for Windows Status Report which contains
a roadmap for the Windows client. Its really hard to specify
a roadmap when the Gatekeepers do not control the resources being
used to complete the projects listed on the OpenAFS Projects page,
http://www.openafs.org/projects.html.
The Gatekeepers and the Elders are the ones who make the decisions
regarding what the future will hold. One of our responsibilities
is to ensure that those who use AFS and expect it to be secure
will have their expectations met. Single DES is on the way out.
It simply is not strong enough to withstand attacks forever. Every
day I fear I am going to wake up and discover that someone has
published an attack which allows DES keys to be cracked in under a
day with available hardware. Given the number of bots controlled
by organized crime I would not be surprised if they didn't have this
ability already. Regardless of whether it is next week or next year
the days that we can rely on single DES for authentication and
encryption are numbered.
The U.S. government requires exceptions to permit the continued
use of single DES. Microsoft is rumored to be disabling the support
for single DES in Vista. DES is history and with it Kerberos 4 and
kaserver must be shown the door. To do anything else would be to
place OpenAFS users at risk.
The 2004, 2005, and 2006 workshops all contained presentations from
various organizations on how to migrate your cell to Kerberos 5.
The 2005 and 2006 workshops even had one day tutorials on Kerberos 5
installation, configuration, and administration. The purpose of this
message is clear. kaserver is dead and Kerberos 5 is the direction
the community is heading. We don't want to leave you in a lurch.
Instead we have done our best to get the message out and to provide
as much assistance as a community can to ensure that your conversion
to Kerberos 5 will be a success.
2004: http://www-conf.slac.stanford.edu/AFSBestPractices
2005: http://www.pmw.org/afsbpw05/
2006: http://www.pmw.org/afsbpw06/
I am sorry if this is a surprise to you especially given the
fact that MITRE manages three federally funded research and
development centers that focus on defense and intelligence
gathering. Of all the organizations that should be concerned
about removing kaserver and single DES support from AFS I
would have expected MITRE to be at the top of the list. I know
that doing so is a priority for many other Federal Agencies
and Research organizations.
Jeffrey Altman
Secure Endpoints Inc.
OpenAFS Gatekeeper / Elder
Jeff Blaine wrote:
> I keep picking up little bits of information that really
> alarm me.
>
> This weeks was:
>
> Response to a user with 1.4.1 kaserver issues under Solaris:
>
> "kaserver is not being actively developed. In fact,
> it is considered deprecated and I strongly recommend
> that kaserver be replaced with a Kerberos 5 KDC."
>
> Is there anything else I can be made aware of ahead of
> time? Is there a roadmap that is kept up to date with
> these decisions? Where are these decisions being made?
>
> Somewhere kaserver got 'deprecated' and it is now "strongly
> recommended" that people run Kerberos 5 KDCs?
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--------------ms040607020806010106090004
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJeTCC
AxcwggKAoAMCAQICEBW00lKwoWJXt8wbmTl1M0kwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UE
BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT
I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA2MDUyNzIyMDMzMloX
DTA3MDUyNzIyMDMzMlowczEPMA0GA1UEBBMGQWx0bWFuMRUwEwYDVQQqEwxKZWZmcmV5IEVy
aWMxHDAaBgNVBAMTE0plZmZyZXkgRXJpYyBBbHRtYW4xKzApBgkqhkiG9w0BCQEWHGphbHRt
YW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC19SD7DncCP/+wfQlLzAAcxf1nJ/7UQgh4o/nxzvuY55XwHdLQjqWuFUnM5vecfyZKwq0o
fGCucDfcQbSIrkhHD9z4TZ8vDaYWVY9Foz8Rp8G0PNdbRFoFtfJbaeVBX5hG3aQXIc/T1b9U
8uN3kLyqXAFIGWKO8DJVGTKKtOiPVOp1U+9CwujyYmUSKF+suutKABhhK1ZGHsTnFczLZ2g0
ma0H7PiFJ2kLfOf///07E1fbr4IRb+cd87kpWLcjtEZ0rbBr9HlOy9dkeEii/qFoo1ahfKCD
A9bNErMiOXA3dudaNNzXlN/70slq5fboBXbepamJGrsnXYcCsS9+LtCTAgMBAAGjOTA3MCcG
A1UdEQQgMB6BHGphbHRtYW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wDAYDVR0TAQH/BAIwADAN
BgkqhkiG9w0BAQQFAAOBgQDBzWhkrW+ol3iyT1rV8ZBQB0+z/6dFH3djQfNf7jDXNoXx4Vbo
pA7BAR4ihAPibv7j7ZaxmyMxWiDACRGS934uvUS0K6L6q14hTWMostJgFsAEDArrmbrES03v
L3EVETiGFqTB2sLp5MLc6+z+72pLXRuDPL3lO2GOQuBbILswRzCCAxcwggKAoAMCAQICEBW0
0lKwoWJXt8wbmTl1M0kwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoT
HFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25h
bCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA2MDUyNzIyMDMzMloXDTA3MDUyNzIyMDMzMlow
czEPMA0GA1UEBBMGQWx0bWFuMRUwEwYDVQQqEwxKZWZmcmV5IEVyaWMxHDAaBgNVBAMTE0pl
ZmZyZXkgRXJpYyBBbHRtYW4xKzApBgkqhkiG9w0BCQEWHGphbHRtYW5Ac2VjdXJlLWVuZHBv
aW50cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC19SD7DncCP/+wfQlL
zAAcxf1nJ/7UQgh4o/nxzvuY55XwHdLQjqWuFUnM5vecfyZKwq0ofGCucDfcQbSIrkhHD9z4
TZ8vDaYWVY9Foz8Rp8G0PNdbRFoFtfJbaeVBX5hG3aQXIc/T1b9U8uN3kLyqXAFIGWKO8DJV
GTKKtOiPVOp1U+9CwujyYmUSKF+suutKABhhK1ZGHsTnFczLZ2g0ma0H7PiFJ2kLfOf///07
E1fbr4IRb+cd87kpWLcjtEZ0rbBr9HlOy9dkeEii/qFoo1ahfKCDA9bNErMiOXA3dudaNNzX
lN/70slq5fboBXbepamJGrsnXYcCsS9+LtCTAgMBAAGjOTA3MCcGA1UdEQQgMB6BHGphbHRt
YW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOB
gQDBzWhkrW+ol3iyT1rV8ZBQB0+z/6dFH3djQfNf7jDXNoXx4VbopA7BAR4ihAPibv7j7Zax
myMxWiDACRGS934uvUS0K6L6q14hTWMostJgFsAEDArrmbrES03vL3EVETiGFqTB2sLp5MLc
6+z+72pLXRuDPL3lO2GOQuBbILswRzCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAw
gdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUg
VG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFp
bCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0w
MzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxU
aGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwg
RnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV
+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfAr
hVqqP3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/
p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8
MDowOKA2oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWls
Q0EuY3JsMAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxh
YmVsMi0xMzgwDQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/
TCG4+DYfqi2fNi/A9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amc
OY6MIE9lX5Xa9/eH1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggNkMIID
YAIBATB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5
KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQ
FbTSUrChYle3zBuZOXUzSTAJBgUrDgMCGgUAoIIBwzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN
AQcBMBwGCSqGSIb3DQEJBTEPFw0wNjEwMTkwNDU3MjlaMCMGCSqGSIb3DQEJBDEWBBR0Mr4I
dCTPnyhRGY8QNBlWH/ygozBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3
DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYB
BAGCNxAEMXgwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcg
KFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vpbmcg
Q0ECEBW00lKwoWJXt8wbmTl1M0kwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJa
QTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhh
d3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEBW00lKwoWJXt8wbmTl1M0kwDQYJ
KoZIhvcNAQEBBQAEggEAF+Yr3/phxDyAzg7gUC8142lNy6Stl0RCx3YtH0G/LeIvG2XnIW76
+JHL2I3cN1glmrkzFN3sMv735ExA+ne5LhHJrsx2u5aAXRLxqwesTeqCTUP7jHp+ifI+CNxe
KGWl+M8ao4UxRxsdNLb8DjSwyv0VKIP8jdA3+n+Q8nS5HZHfQj3OZ3J9J4Wn9eKv4U4SdRu5
YoxkV56uXQ34/r7vhTK8LpQOCKhUAbjGhBDDLBZNsdB2cxsyPfVfNyjeAqer516pptH76FkL
V5WbS3K0UC+NS1CWYoBCMOeVBos8wssTkKEOeC+tfOvCNZ4mBW8qjRcvqWFuC4OEGSse6zAy
6wAAAAAAAA==
--------------ms040607020806010106090004--