Initial attempts to get rid of Kerberos 4 have been made as far back as March 2007 (DTF). The reasoning is that the protocol is unmaintained, has theoretical weaknesses and is prone to brute-force attacks against a credential: a Kerberos 4 KDC answers any TGT request with a reply encrypted under the user's password-derived key, without requiring proof of possession first, so the reply can be attacked offline. Kerberos5 has "preauthentication" to prevent exactly this, but currently this is not turned on?

existing users/applications

CERN Linux "kinit"

(acquires Kerberos4 TGTs by default, for use with other services. Not required for login)

CERN Linux pam configuration

(acquires Kerberos4 TGTs by default, for use with other services. Not required for login)

SSH

Used via .klogin and SSH-1. Should only get used if no equivalent .k5login exists, or if the user only has a Kerberos4 TGT. Assumes a CERN or ancient SSH client (newer versions don't speak SSH-1 anymore, or at least don't have the Kerberos4 patches).

CVS "kserver"

Initial attempt to turn it off on Dec 5th, but the announcement mail hadn't been sent. Rescheduled for "mid-January 2009", then rescheduled again to "end January".

OpenAFS "klog.krb"

(not much we can do about this - write a "wrapper"?)

Windows OpenAFS client

(needs KfW-addon to use Kerberos5, otherwise can only do Kerberos4).

Unsupported on NICE, as per https://winservices.web.cern.ch/winservices/Help/?kbid=060515 but there is a CERN-specific README \\cern.ch\dfs\Applications\IBM\OpenAFS-1.5.39\CERNREADME.txt that explicitly mentions installing and configuring KfW. A short test by John indicates that the Kerberos4 things can be removed without harm, and that the ticket cache then contains only a Kerberos5 TGT (and an AFS service ticket).

/etc/srvtab creation

(done by cern-config-keytab, in order to use Kerberos4 authentication against the machine)

Others, to be confirmed

  • arc?
  • gssklog

Usage Monitoring

  • Bernard will look at the KDC logs, these should include a hint whether a Kerberos5 or Kerberos4 TGT request has been made
  • fslogs has SSH logs for most centrally-managed Linux machines, these indicate the authentication method (and the protocol version, so SSH-1 sessions can be spotted)
  • firewall logs for afsdb3, ports 88 (Kerberos5 KDC) and 750 (Kerberos4 KDC) ?
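As an added example (not part of the original page), the kind of check the last two monitoring items call for: tally KDC traffic by destination port (88 = Kerberos5, 750 = Kerberos4) to find which source hosts still speak Kerberos4, and pull the successful SSH-1 logins out of sshd logs, since the .klogin/Kerberos4 path only applies to SSH-1 sessions. The log lines are constructed samples in netfilter LOG and OpenSSH syslog format; the host names and addresses are placeholders, and the exact method name a Kerberos4-patched sshd logs is not assumed (the protocol-version suffix is used instead).

```python
"""Find remaining Kerberos 4 usage in firewall and SSH logs.

Added example, not from the original page. The log lines are
constructed samples (netfilter LOG format and OpenSSH syslog format);
hosts and addresses are placeholders.
"""
import re
from collections import Counter

KRB5_PORT = 88    # Kerberos 5 KDC
KRB4_PORT = 750   # Kerberos 4 KDC ("kerberos-iv")

# Constructed netfilter LOG lines as a firewall on a KDC host might emit them.
FIREWALL_LOG = """\
Dec 10 09:12:01 kdc1 kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.1 PROTO=UDP SPT=32771 DPT=88 LEN=215
Dec 10 09:12:04 kdc1 kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.1 PROTO=UDP SPT=32772 DPT=750 LEN=101
Dec 10 09:13:10 kdc1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=UDP SPT=1025 DPT=750 LEN=99
Dec 10 09:14:00 kdc1 kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=88 LEN=60
Dec 10 09:15:00 kdc1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=UDP SPT=1026 DPT=750 LEN=99
Dec 10 09:15:30 kdc1 kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22 LEN=60
"""

# Constructed OpenSSH syslog lines; the trailing "ssh1"/"ssh2" is the protocol version.
SSH_LOG = """\
Dec 10 09:20:11 lx001 sshd[1234]: Accepted gssapi-with-mic for alice from 192.0.2.10 port 5001 ssh2
Dec 10 09:21:30 lx001 sshd[1240]: Accepted password for bob from 192.0.2.11 port 5002 ssh2
Dec 10 09:22:05 lx002 sshd[2001]: Accepted publickey for carol from 198.51.100.7 port 5003 ssh2
Dec 10 09:23:44 lx002 sshd[2010]: Accepted password for dave from 198.51.100.8 port 5004 ssh1
Dec 10 09:24:01 lx002 sshd[2011]: Failed password for eve from 198.51.100.8 port 5005 ssh2
"""

_FW_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")
_SSH_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ (?P<ver>ssh[12])\b"
)


def kdc_port_counts(log_text):
    """Packets per KDC port (88 vs 750); traffic to other ports is ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _FW_RE.search(line)
        if m and int(m.group("dpt")) in (KRB5_PORT, KRB4_PORT):
            counts[int(m.group("dpt"))] += 1
    return counts


def krb4_clients(log_text):
    """Source addresses still talking to port 750, with packet counts.
    These are the hosts to chase before the port is firewalled."""
    clients = Counter()
    for line in log_text.splitlines():
        m = _FW_RE.search(line)
        if m and int(m.group("dpt")) == KRB4_PORT:
            clients[m.group("src")] += 1
    return clients


def ssh_auth_summary(log_text):
    """Successful logins per (authentication method, protocol version)."""
    summary = Counter()
    for line in log_text.splitlines():
        m = _SSH_RE.search(line)
        if m:
            summary[(m.group("method"), m.group("ver"))] += 1
    return summary


def ssh1_logins(log_text):
    """(user, client ip) for every successful SSH-1 login: only these
    sessions can have gone through the .klogin / Kerberos 4 path."""
    found = []
    for line in log_text.splitlines():
        m = _SSH_RE.search(line)
        if m and m.group("ver") == "ssh1":
            found.append((m.group("user"), m.group("ip")))
    return found


if __name__ == "__main__":
    print("KDC port counts:", dict(kdc_port_counts(FIREWALL_LOG)))
    print("Kerberos 4 clients:", dict(krb4_clients(FIREWALL_LOG)))
    print("SSH auth methods:", dict(ssh_auth_summary(SSH_LOG)))
    print("SSH-1 logins:", ssh1_logins(SSH_LOG))
```

Run against real logs by reading the files into the two functions; the port-750 client list is the interesting output, since a host that only ever hits port 88 has already moved to Kerberos5 regardless of what its kinit wrapper was configured to do.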

Steps & Timeline

  • no longer provide Kerberos4 TGTs by default on SLC (modify "kinit" wrapper, modify PAM config ?)
    • FIO scheduled update beginning of Feb?
  • no longer create /etc/srvtab on SLC (change cern-config-keytab)
    • FIO scheduled update beginning of Feb?
  • firewall port 750 on the KDCs - Rainer: might be used also by K5-clients?
  • disallow cvs "kserver" access: announced on 2008-12-11 for end of January, to info-cvs ML
Topic revision: r2 - 2008-12-11 - JanIven