[OpenAFS-devel] Kerberos V, KeyFile questions

Douglas E. Engert deengert@anl.gov
Mon, 17 May 2004 10:56:19 -0500


Garrett Wollman wrote:
> 
> <<On Fri, 14 May 2004 19:45:36 -0400 (EDT), "Sean O'Malley" <omalleys@msu.edu> said:
> 
> > will take at least a year. I would like to dump Kerberos IV support
> > altogether. I am just wondering about the feasibility of the plan.
> 
> We did not make any transition, but we are running a pure-v5
> environment with no Kerberos-related problems.  There are still a few
> issues we'd like to get resolved; most importantly, getting kafs to use
> a stronger encryption algorithm than single-DES.  (afs is the only
> principal in our KDC that has a single-DES key and we'd like to
> disable 1DES entirely.)  We do run krb524d, in standalone mode, on the
> AFS dbservers to support ticket mangling for Unix clients using
> `aklog', and we also run gssklogd but plan to stop now that the
> current Windows client and KfW support using v5 tickets directly.

Note that AFS 1.3.64 will still only use DES keys. To do otherwise will
require some major changes to AFS. 1.3.64 added des-cbc-md5 and des-cbc-md4
to the existing des-cbc-crc as well as allowing tickets larger than 344 bytes.

> 
> -GAWollman
> 

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444