[OpenAFS] kaserver deprecation, OpenAFS future, etc...

Jeffrey Altman jaltman@secure-endpoints.com
Thu, 19 Oct 2006 09:50:28 -0400


Jeff Blaine wrote:
> 
> Anyway, I've used 1.4 with MIT Kerberos, aklog, etc.
> 
> I spent weeks poking around at it several months ago.  We
> *were* well on our way toward a KDC-auth setup in our little
> corner.  I wouldn't *strongly* recommend it to anyone who
> expects users to get tokens automatically when they login.
> But usability is of no real concern to security guys.

One of the strengths of the Kerberos 5 migration is the
support for fakeka in MIT Kerberos 5 and the integrated
kauth protocol support in Heimdal.  This allows you to
perform the transition without requiring that all of your
clients be updated to support Kerberos 5 out of the box.
The Kerberos 5 + aklog PAM support is certainly one of the
weak areas on particular platforms.  There are active
projects by members of this community to address PAM in
various ways.  The difficulties have as much to do with
the PAM architecture as they have to do with how PAGs work.
Because of the client migration challenges, Kerberos 5
transitions are usually phased.

The links to the workshops I provided earlier in this
thread contain several presentations which describe the
steps involved in a migration.

For those installing new cells, the presentations at the
2005 and 2006 workshops on how to setup a new cell using
NetBSD and MacOS X both included the instructions on how
to setup the Kerberos 5 KDC.  The NetBSD presentation used
Heimdal and the MacOS X presentation used MIT Kerberos as
shipped in MacOS X (aka KFM).

There is also extensive discussion of how to use Kerberos
5 with OpenAFS in the Wiki.

Jeffrey Altman