[OpenAFS-devel] [FYI] Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009

Dean Anderson dean@av8.com
Fri, 30 Jan 2009 02:18:45 -0500 (EST) 

On Thu, 29 Jan 2009, Sam Hartman wrote:

> And for example the aklog shipped with AFS does require kerberos
> libraries.  So, for example, in an Ubuntu version in the fairly near
> future with these defaults, you could get into a situation where aklog
> failed unless you changed krb5.conf.

Good to know.  OpenAFS probably should make a note of that in release
notes.


>     Dean> Your announcement also affects DCE, btw. I'll forward it to
>     Dean> some DCE lists. 

> Interesting. In what way does it affect DCE? Are there versions of DCE
> that use modern Kerberos? Or is it simply the concern that if you use
> a modern Kerberos client against a DCE realm you may run into trouble?

The OSF distribution contains its own version, based on Kerb4+. There
are some few sites that still run the OSF version.  The OSF dist should
be updated to use K-5 and RSA.  I can see some renewed interest in DCE,
particularly if, say, IBM were to opensource Encina, or something like
that.

There is also freedce, free re-implemenation of the DCE RPC services.  
That may also depend on MIT Kerberos.

M$ can supposedly use a generic Kerberos server. I've never done that on
Windows, so I can't say if or how well it works. But, supposing the
rumor is true, if you change the server incompatibly with the M$
applications, things will break.

>     Dean> You should also try to consult M$, since
>     Dean> Windows is heavily dependent M$ own implementation of DCE,
>     Dean> and relies on kerberos underneath it all.  
> 
> I doubt the Microsoft folks will have any problems with this.
> Microsoft and MIT share RC4 (and with Vista) AES support.  However I'm
> sure it will come up at a scheduled interop event in March if not
> sooner.

Sounds like M$ is handled, then.  I'll have to look at the assigned
values that M$ is using.


>     Dean> Still, I don't see what 
> 
> 
> Note that MIT is not proposing removing DES right now.  They are
> proposing turning it off by default.

So, lets see: you're going to add code to turn it off? Doesn't that cost
money and add maintenance expense?  And having added this code and a new
configuration, then you'll have to test with it turned on and turned
off...that is, if testing covers all configurations.

> But yes, there is a maintinance cost to keeping DES. It's not huge but
> it does exist. So I can see wanting to remove it completely in a
> future version.

Well, I suppose there is some tiny cost to even a single line of code.  
However, it seems more trouble to mess with it than to leave it be.  

You don't have to convince me you're doing the right thing, though.  
I'm reasonably sure I won't be convinced you're doing the right thing
anyway.  But I'm also just about certain that no one is going to fork
Kerberos, either, so it would seem that it doesn't much matter. I'm
actually just tickled to know about this before it was done, instead of
having to figure out later why some legacy app won't work on FC10+, as
is so often the case.  So, thanks for that, and have fun.

		--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000