[OpenAFS] kaserver deperecation, OpenAFS future, etc...
Thu, 19 Oct 2006 00:57:29 -0400
This is a cryptographically signed message in MIME format.
Content-Type: text/plain; charset=ISO-8859-1
I don't know if there was ever an official statement made
by the Elders regarding the deprecation of kaserver but
since before I became a Gatekeeper in 2003 I have seen
discussion of the deprecation of "kaserver". Google searches
for "kaserver deprecated" reveal presentations and discussions
using "deprecated" going as far back as 2002.
Efforts to support Kerberos 5 for AFS authentication have been
underway since May 1999 when Ken Hornstein issued the first of
his Kerberos 5 migration kits.
The kaserver situation became worrisome in March 2003 when a
significant Kerberos 4 crossrealm vulnerability was discovered.
This was published as security advisory OPENAFS-SA-2003-001
which can be found at http://www.openafs.org/security.
Then in May 2003 NIST announced the withdrawl of FIPS 43-3 "Data
Encryption Standard (DES)" as well as the associated FIPS 74 and
Then in July 2003 MIT announced the end of life of the Kerberos 4
protocol. A copy of that announcement can be found at
At every AFS & Kerberos Best Practice Workshop since then we have
discussed the need for Kerberos 5 integration and migration. In
particular, it has been stated as part of the "State of OpenAFS"
workshop presentations that OpenAFS 2.0 would be the version that was
Kerberos 5 complete.
Since then the OpenAFS gatekeepers and the development community
have continued to strengthen the support for Kerberos 5. By 1.2.11
protocol support for the use of Kerberos 5 tickets within the rxkad
security class was complete for all of the Kerberos 5 DES enctypes.
As part of the OpenAFS 1.4 series integrated support for aklog
and asetkey as well as support for the large Kerberos 5 tickets
generated by Microsoft's Active Directory were added.
With 1.4, OpenAFS is finally at the point where it can be used with
Kerberos 5 KDCs without any externally supported packages other than
the Kerberos 5 library. Either MIT or Heimdal Kerberos 5 libraries
can be used to build the support tools. For the KDC, you can use any
Kerberos 5 KDC implementation.
The one thing that OpenAFS is still lacking is protocol support
for enctypes other than single DES. That hole is being filled by
the rxk5 security class being implemented by Marcus Watts (UMich)
and Matt Benjamin (LinuxBox).
You asked about a roadmap. Unfortunately, if you look at the
OpenAFS Roadmap web page the only thing that is on it is a
pointer to the OpenAFS for Windows Status Report which contains
a roadmap for the Windows client. Its really hard to specify
a roadmap when the Gatekeepers do not control the resources being
used to complete the projects listed on the OpenAFS Projects page,
The Gatekeepers and the Elders are the ones who make the decisions
regarding what the future will hold. One of our responsibilities
is to ensure that those who use AFS and expect it to be secure
will have their expectations met. Single DES is on the way out.
It simply is not strong enough to withstand attacks forever. Every
day I fear I am going to wake up and discover that someone has
published an attack which allows DES keys to be cracked in under a
day with available hardware. Given the number of bots controlled
by organized crime I would not be surprised if they didn't have this
ability already. Regardless of whether it is next week or next year
the days that we can rely on single DES for authentication and
encryption are numbered.
The U.S. government requires exceptions to permit the continued
use of single DES. Microsoft is rumored to be disabling the support
for single DES in Vista. DES is history and with it Kerberos 4 and
kaserver must be shown the door. To do anything else would be to
place OpenAFS users at risk.
The 2004, 2005, and 2006 workshops all contained presentations from
various organizations on how to migrate your cell to Kerberos 5.
The 2005 and 2006 workshops even had one day tutorials on Kerberos 5
installation, configuration, and administration. The purpose of this
message is clear. kaserver is dead and Kerberos 5 is the direction
the community is heading. We don't want to leave you in a lurch.
Instead we have done our best to get the message out and to provide
as much assistance as a community can to ensure that your conversion
to Kerberos 5 will be a success.
I am sorry if this is a surprise to you especially given the
fact that MITRE manages three federally funded research and
development centers that focus on defense and intelligence
gathering. Of all the organizations that should be concerned
about removing kaserver and single DES support from AFS I
would have expected MITRE to be at the top of the list. I know
that doing so is a priority for many other Federal Agencies
and Research organizations.
Secure Endpoints Inc.
OpenAFS Gatekeeper / Elder
Jeff Blaine wrote:
> I keep picking up little bits of information that really
> alarm me.
> This weeks was:
> Response to a user with 1.4.1 kaserver issues under Solaris:
> "kaserver is not being actively developed. In fact,
> it is considered deprecated and I strongly recommend
> that kaserver be replaced with a Kerberos 5 KDC."
> Is there anything else I can be made aware of ahead of
> time? Is there a roadmap that is kept up to date with
> these decisions? Where are these decisions being made?
> Somewhere kaserver got 'deprecated' and it is now "strongly
> recommended" that people run Kerberos 5 KDCs?
> OpenAFS-info mailing list
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature