[OpenAFS-devel] Kerberos V, KeyFile questions
Garrett Wollman
wollman@khavrinen.lcs.mit.edu
Fri, 14 May 2004 21:29:52 -0400 (EDT)
<<On Fri, 14 May 2004 19:45:36 -0400 (EDT), "Sean O'Malley" <omalleys@msu.edu> said:
> will take at least a year. I would like to dump kerberos IV support
> altogether. I am just wondering about the feasibility of the plan.
We did not make any transition, but we are running a pure-v5
environment with no Kerberos-related problems. There are still a few
issues we'd like to get resolved; most importantly, getting kafs to use
a stronger encryption algorithm than single-DES. (afs is the only
principal in our KDC that has a single-DES key and we'd like to
disable 1DES entirely.) We do run krb524d, in standalone mode, on the
AFS dbservers to support ticket mangling for Unix clients using
`aklog', and we also run gssklogd but plan to stop now that the
current Windows client and KfW support using v5 tickets directly.
-GAWollman