[OpenAFS] Authenticating against MIT Kerberos 5 version 1.3.1
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 09 Feb 2004 16:09:20 -0500
On Monday, February 09, 2004 15:35:38 -0500 Kevin <openafs@gnosys.biz>
wrote:
> I have built AFS and Kerberos, installed and tested kerberos (everything
> non-AFS is fine), made the afs key (afs/fqhn@REALM) (or should it be---as
> I saw in Jan 2002---afs/cellname@REALM) and even insmod'd the afs module
It should be afs@REALM, or afs/cell.name@REALM.
> into my kernel (so far so good, but does that module really taint the
> kernel? I thought OpenAFS was open source...).
It is, but it's not GPL, and the Linux kernel folks are pedantic.
> Since Jan 2002, it seems to me that a lot must have changed. I have Ken
> Hornstein's migration kit, but the latest version I could find was 2.0
> (afs-krb5-2.0.tar.gz) from March 2003. However, the sources in it won't
> build for me against a fresh build of kerberos 5 v1.3.1 and openafs
> 1.2.11. I get the following error messages:
AFAIK, that's the latest version. But a lot _has_ changed in krb5 since
then. OTOH, the build problem you show is in building 'afs2k5db', which
you don't really care about since you're not planning on using an existing
AFS kaserver database to seed your krb5 realm.
I'd suggest focusing on getting the parts to build that you actually need.
Since you're integrating a new AFS cell into a new Kerberos realm, rather
than migrating an existing cell, you're not going to need several of the
components that are there.
> 1) Is it still true that openafs works only with Kerberos V4 tickets or
> can it now work directly with V5 tickets? (IOW, do I still need to run
> the 524 daemon?)
The answer to this question is a little complicated:
- If you want to use the 'klog' program that comes with AFS, you must run
the fakeka server on your KDCs, and if your AFS database servers are not
the same machines, you must run ka-forwarder on your database servers.
Unless you have users who are used to this functionality, I'd skip it.
- Otherwise, you need a tool like 'aklog', which uses your existing
Kerberos tickets (obtained via kinit or login or however) to obtain AFS
tokens and store them in the kernel. There are three possible variants of
aklog out there:
(1) An entirely v4 version which speaks the V4 protocol.
(2) A V5-aware aklog which uses the krb524 service to translate tickets.
(3) A V5-aware aklog which sets "proposal 2b" tokens directly.
Modern versions of OpenAFS will work with the tokens generated by any of
these three methods. What you will find in the migration kit probably uses
method (2) (I don't recall, but I don't think anyone is shipping an aklog
that uses method 3). With this method, you must be running a krb524d on
your KDCs. The krb524d that comes with Kerberos should be sufficient for
your needs.
> 2) Does openafs support triple-DES yet or is it still only 1des? If
> still only 1des, is it really safe over the internet given that 1des has
> been compromised and can be brute-forced?
First, let's be clear. Yes, the single-DES key space is relatively small
and these days it does not take too much effort to do a brute-force search
of the 2^56 possible keys to see which one is right. No, this does not
mean it "has been compromised" -- that would imply there was some
relatively simple cryptanalytic attack which would allow you to recover a
key in less time than it would take to do a brute-force search of the key
space. I know of no such attack against properly-used DES.
That said, while AFS does use DES for authentication exchanges, it does
_not_ use DES for on-the-wire encryption of data (an optional feature that
most sites do not presently enable). What it actually uses is something
called 'fcrypt', which is a modified variant of DES designed to be faster
on some of the older hardware on which AFS originally ran. Unfortunately,
there _are_ known cryptanalytic attacks against fcrypt. So, if you care
enough about data confidentiality to 'fs setcrypt on', then you might want
to take this into account. Work is underway to enable support for better
crypto.
> 3) Is there some way I can do what Ken's asetkey.c program does using
> only the tools in openafs 1.2.11 and/or MIT Kerberos 5 v1.3.1? I see
> Ken's mention of asetkey in
> https://lists.openafs.org/pipermail/openafs-devel/2002-January/007374.html,
> but alas, not being able to build it I cannot use it.
Not trivially. You should probably hack your way past afs2k5db and see if
you can get aklog and asetkey to build.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
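The principal-naming point from the reply above (the AFS service key is afs@REALM or afs/cell.name@REALM, not afs/host.fqdn@REALM), as an added Python illustration; this is not code from the thread, from OpenAFS or from MIT Kerberos. It parses principal strings the way MIT krb5's krb5_parse_name treats backslash escapes, rebuilds them, and checks a candidate principal against a cell name and realm that the caller supplies (the cell and realm values in the usage call are made-up inputs).

```python
"""Kerberos principal parsing plus the AFS service-principal naming check.

Added illustration, not OpenAFS or MIT Kerberos code. Escaping follows the
MIT convention: a backslash protects '/', '@' and '\\', and the sequences
\n, \t, \b and \0 stand for those control characters.
"""

ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}
UNESCAPES = {v: "\\" + k for k, v in ESCAPES.items()}


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm).

    A principal with no unescaped '@' gets realm None; the caller decides
    which default realm applies. A second unescaped '@' is malformed.
    """
    if not text:
        raise ValueError("empty principal")
    components, buf, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 1
            if i >= len(text):
                raise ValueError("trailing backslash in principal")
            buf.append(ESCAPES.get(text[i], text[i]))
        elif ch == "/" and not in_realm:
            components.append("".join(buf))
            buf = []
        elif ch == "@":
            if in_realm:
                raise ValueError("second unescaped '@' in principal")
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return components, "".join(buf)
    components.append("".join(buf))
    return components, None


def unparse_principal(components, realm):
    """Inverse of parse_principal: re-escape and join components and realm."""

    def esc(s, specials):
        out = []
        for ch in s:
            if ch in UNESCAPES:
                out.append(UNESCAPES[ch])
            elif ch == "\\" or ch in specials:
                out.append("\\" + ch)
            else:
                out.append(ch)
        return "".join(out)

    text = "/".join(esc(c, "/@") for c in components)
    if realm is not None:
        text += "@" + esc(realm, "@")
    return text


def afs_service_principals(cell, realm):
    """The two names an AFS cell accepts for its service key."""
    return (unparse_principal(["afs"], realm),
            unparse_principal(["afs", cell], realm))


def check_afs_principal(text, cell, realm):
    """Return (ok, reason) for a candidate AFS service principal.

    cell is the AFS cell name (what ThisCell contains), realm the Kerberos
    realm the cell's key lives in; a principal without a realm is assumed
    to be in that realm.
    """
    components, found_realm = parse_principal(text)
    if found_realm is None:
        found_realm = realm
    if found_realm != realm:
        return False, "realm %r is not the cell's realm %r" % (found_realm, realm)
    if components[0] != "afs":
        return False, "first component must be 'afs', not %r" % components[0]
    if len(components) == 1:
        return True, "afs@REALM form"
    if len(components) == 2 and components[1] == cell:
        return True, "afs/cell.name@REALM form"
    if len(components) == 2:
        return False, ("instance %r is not the cell name %r; afs/host.fqdn@REALM "
                       "is the wrong form" % (components[1], cell))
    return False, "too many components"


if __name__ == "__main__":
    # Constructed values; substitute your own cell name and realm.
    for cand in ("afs@EXAMPLE.ORG", "afs/example.org@EXAMPLE.ORG",
                 "afs/fs1.example.org@EXAMPLE.ORG"):
        print(cand, check_afs_principal(cand, "example.org", "EXAMPLE.ORG"))
```

The third candidate in the usage call is the host-style name Kevin first tried; the check rejects it because the instance is a hostname rather than the cell name. The parser is kept as a separate function so the same escaping rules can be reused when reading keytab or KeyFile listings that print principals with escaped slashes.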