[OpenAFS] MIT Kerberos v4 aklog on Windows - I propose removing it for 1.6
Jeffrey Altman
jaltman@secure-endpoints.com
Sat, 20 Nov 2010 15:50:05 -0500

Since 1.3.50 OpenAFS for 32-bit Windows has included a version
of aklog.exe that supports a -4 option that performs a pure
Kerberos v4 service ticket acquisition. This functionality is not
present on 64-bit Windows because there is not a 64-bit
implementation of MIT Kerberos v4 (krbv4w32.dll). The MIT
Kerberos v4 implementation has not been under active development
since 2004 and over the course of the last several years every
Kerberos distribution has stopped shipping Kerberos v4.

There has not been significant reason to remove this functionality
from OpenAFS for Windows up to this point. The code was already
written and (at least on 32-bit Windows) it continued to build.
However, there are two significant changes to the OpenAFS code
base that are going to make on-going inclusion of this
functionality challenging:

 1. In order to support the Heimdal Kerberos implementation on
Windows as well as MIT Kerberos within the same binaries, OpenAFS
must switch to building against an implementation-independent
Kerberos SDK. This SDK does not contain any support for Kerberos
v4.

 2. There has been an on-going effort over the last several years
to clean up the OpenAFS source tree and make more efficient use of
the limited developer resources. As part of that effort, Simon
Wilkinson and others have replaced the OpenAFS crypto and platform
compatibility utility functions with the much better
implementations found in the Heimdal hcrypto and roken libraries.
The roken functionality interacts quite poorly with the MIT
Kerberos for Windows headers.

I know that there are still a number of sites (unfortunately) that
are still relying on kaserver. I would assume that these sites do
not install MIT Kerberos for Windows and therefore do not use the
"aklog -4" functionality. Are there any sites left that are still
using non-kaserver Kerberos v4 and which do install MIT Kerberos
for Windows to obtain ticket granting tickets? I suspect there
aren't because those sites would be jumping through hoops
attempting to support 64-bit Windows.

In any case, I propose that this functionality be removed in the
coming months as part of the 1.6 series release.
Any objections?

Jeffrey Altman