[OpenAFS-devel] [FYI] Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009

Sam Hartman hartmans@mit.edu
Thu, 29 Jan 2009 17:21:46 -0500


>>>>> "Dean" == Dean Anderson <dean@av8.com> writes:

    Dean> Some AFS sites are still using kerberos 4.  I don't think
    Dean> removing DES from latest Kerb. 5 is going to matter much.  I
    Dean> think AFS doesn't just take the latest Kerberos code,
    Dean> anyway.

No, AFS does not take the latest krb5.
However, distributions like Debian, Red Hat, and, for more complicated reasons, OS X do tend to take MIT Kerberos.

And for example the aklog shipped with AFS does require kerberos
libraries.  So, for example, in an Ubuntu version in the fairly near
future with these defaults, you could get into a situation where aklog
failed unless you changed krb5.conf.

You could also get into a situation where people needed to change their KDCs to enable AFS in a realm.
I think that's actually desired though.

    Dean> Your announcement also affects DCE, btw. I'll forward it to
    Dean> some DCE lists. 
Interesting.
In what way does it affect DCE?
Are there versions of DCE that use modern Kerberos?
Or is it simply the concern that if you use a modern Kerberos client against a DCE realm you may run into trouble?

    Dean> You should also try to consult M$, since
    Dean> Windows is heavily dependent on M$'s own implementation of DCE,
    Dean> and relies on kerberos underneath it all.  

I doubt the Microsoft folks will have any problems with this.
Microsoft and MIT share RC4 and (with Vista) AES support.  However, I'm
sure it will come up at a scheduled interop event in March if not
sooner.


    Dean> Still, I don't see what 


Note that MIT is not proposing removing DES right now.  They are
proposing turning it off by default.
But yes, there is a maintenance cost to keeping DES. It's not huge but it does exist.
So I can see wanting to remove it completely in a future version.



--Sam