[OpenAFS] Questions about AFS security
Patrick J. LoPresti
patl@curl.com
20 Jan 2002 21:13:09 -0500

Derek Atkins <warlord@MIT.EDU> writes:
> Pat, using krb524 does not open you up to the offline password
> guessing attacks because krb524d is just another v5 service. You
> need to supply a valid v5 ticket before it will give you a v4
> ticket.

Ah, OK, that makes sense. I was under the (mistaken) impression that
krb524 was how v4 clients authenticated against a v5 server. So now I
take it that such clients talk to the KDC directly using some
backwards-compatibility mode, and that I can disable that on the KDC
if we have no v4 clients?

Also, I am still a tad confused on the Windows story. I thought that
the current OpenAFS Windows distribution installs a v4 klog, and hooks
it in to the Windows logon process. Is this not the case?

- Pat