[OpenAFS] kaserver deprecation, OpenAFS future, etc...
Thu, 19 Oct 2006 03:28:50 -0400
Jeffrey Altman wrote:
> I don't know if there was ever an official statement made
> by the Elders regarding the deprecation of kaserver but
> since before I became a Gatekeeper in 2003 I have seen
> discussion of the deprecation of "kaserver". Google searches
> for "kaserver deprecated" reveal presentations and discussions
> using "deprecated" going as far back as 2002.
Actually, if I do a search for "openafs kaserver deprecated"
(without quotes of course), just about the only reasonable
thing I can find is someone from 2005 pleading with the list
for kaserver to not end up silently dropped one day. You
were the responder then too, so I'm guessing this is your
hot button item.
[ Deleted history of Kerberos+AFS and how single-DES blows ]
> The one thing that OpenAFS is still lacking is protocol
> support for enctypes other than single DES.
Anyway, I've used 1.4 with MIT Kerberos, aklog, etc.
I spent weeks poking around at it several months ago. We
*were* well on our way toward a KDC-auth setup in our little
corner. I wouldn't *strongly* recommend it to anyone who
expects users to get tokens automatically when they log in.
But usability is of no real concern to security guys.
You assumed I hadn't used it. I'm sorry you spent all that
time typing up that long response. At least it's out there
in the list archives now for reference.
> I am sorry if this is a surprise to you especially given the
> fact that MITRE manages three federally funded research and
> development centers that focus on defense and intelligence
> gathering. Of all the organizations that should be concerned
> about removing kaserver and single DES support from AFS I
> would have expected MITRE to be at the top of the list. I know
> that doing so is a priority for many other Federal Agencies
> and Research organizations.
Such an informative message.
I really appreciate the inclusion of your evaluation of MITRE's
best interests due to someone from a company of 5000+ asking
a question about kaserver's EOL status and curiosity to find
the main official stream of OpenAFS announcements for its
future. Your assessment is dead on. Really. Thank you.
> Jeff Blaine wrote:
>> I keep picking up little bits of information that really
>> alarm me.
>> This week's was:
>> Response to a user with 1.4.1 kaserver issues under Solaris:
>> "kaserver is not being actively developed. In fact,
>> it is considered deprecated and I strongly recommend
>> that kaserver be replaced with a Kerberos 5 KDC."
>> Is there anything else I can be made aware of ahead of
>> time? Is there a roadmap that is kept up to date with
>> these decisions? Where are these decisions being made?
>> Somewhere kaserver got 'deprecated' and it is now "strongly
>> recommended" that people run Kerberos 5 KDCs?