Kerberos4PhaseOut (2008-12-11, JanIven)
Initial attempts to get rid of Kerberos 4 have been made as far back as March 2007 (DTF). The reasoning is that the protocol is unmaintained, has theoretical weaknesses and is prone to brute-force attacks against a credential. Kerberos5 has "preauthentication" to prevent exactly this, but currently this is not turned on?

---+ Existing users/applications

---+++ CERN Linux "kinit"
(acquires Kerberos4 TGTs by default, for use with other services. Not required for login)

---+++ CERN Linux pam configuration
(acquires Kerberos4 TGTs by default, for use with other services. Not required for login)

---+++ SSH
Used via =.klogin= and SSH-1. Should only get used if no equivalent =.k5login= exists, or if the user only has a Kerberos4 TGT. Assumes a CERN or ancient SSH client (newer versions don't speak SSH-1 anymore, or at least don't have the Kerberos4 patches).

---+++ CVS "kserver"
Initial attempt to turn it off on Dec 5th, but the announcement mail hadn't been sent. Now rescheduled for "mid-January 2009", then rescheduled to "end January".

---+++ OpenAFS "klog.krb"
(not much we can do about this - write a "wrapper"?)

---+++ Windows OpenAFS client
(needs the KfW add-on to use Kerberos5, otherwise can only do Kerberos4). Unsupported on NICE, as per https://winservices.web.cern.ch/winservices/Help/?kbid=060515 But it has a CERN-specific README [[https://dfs.cern.ch/dfs/Applications/IBM/OpenAFS-1.5.39/CERNREADME.txt][\\cern.ch\dfs\Applications\IBM\OpenAFS-1.5.39\CERNREADME.txt]] that explicitly mentions installing and configuring KfW. A short test by John indicates that the Kerberos4 things can be removed without harm, and that the ticket cache then contains only a Kerberos5 TGT (and AFS service ticket).

---+++ /etc/srvtab creation
(done by =cern-config-keytab=, in order to use Kerberos4 authentication against the machine)

---+++ Others, to be confirmed
   * arc?
   * gssklog

---+ Usage Monitoring
   * Bernard will look at the KDC logs, these should include a hint whether a Kerberos5 or Kerberos4 TGT request has been made
   * =fslogs= has SSH logs for most centrally-managed Linux machines, these indicate the authentication method
   * firewall logs for afsdb3, ports 88 and 750 ?

---++ Steps & Timeline
   * no longer provide Kerberos4 TGTs by default on SLC (modify "kinit" wrapper, modify PAM config ?)
   * FIO scheduled update beginning of Feb?
   * no longer create =/etc/srvtab= on SLC (change =cern-config-keytab=)
   * FIO scheduled update beginning of Feb?
   * firewall port 750 on the KDCs - Rainer: might be used also by K5-clients?
   * disallow cvs "kserver" access: announced on 2008-12-11 for end of January, to info-cvs ML
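The two checks below are an added example, not CERN's own tooling: one script that does the usage monitoring described above (classify KDC firewall-log lines by destination port 88 versus 750, per source host) and the =.klogin= / =.k5login= inventory from the SSH section (find home directories that still rely on a =.klogin= with no =.k5login= beside it, and translate each entry into the Kerberos5 spelling). The iptables-style log lines, IP addresses, user names and realm are constructed; the =name.instance@REALM= to =name/instance@REALM= translation is the standard Kerberos4-to-Kerberos5 naming mapping and assumes no site-specific host or realm rewriting. Port 750 is reported as "possibly Kerberos4", not as proof, since (as Rainer notes) old Kerberos5 clients may also contact 750.

```python
"""Kerberos4 residual-usage audit (added example; constructed data, not CERN tooling)."""
import re
import tempfile
from collections import Counter
from pathlib import Path

KRB5_PORT = 88    # Kerberos5 KDC port
KRB4_PORT = 750   # Kerberos4 port; old K5 clients may fall back to it as well

# Constructed iptables-style log lines; hostnames, IPs and timestamps are made up.
SAMPLE_FIREWALL_LOG = """\
Dec 11 09:00:01 afsdb3 kernel: KDC-IN: IN=eth0 SRC=10.1.1.10 DST=10.0.0.5 PROTO=UDP SPT=40001 DPT=88
Dec 11 09:00:02 afsdb3 kernel: KDC-IN: IN=eth0 SRC=10.1.1.11 DST=10.0.0.5 PROTO=UDP SPT=40002 DPT=750
Dec 11 09:00:03 afsdb3 kernel: KDC-IN: IN=eth0 SRC=10.1.1.10 DST=10.0.0.5 PROTO=UDP SPT=40003 DPT=88
Dec 11 09:00:04 afsdb3 kernel: KDC-IN: IN=eth0 SRC=10.1.1.12 DST=10.0.0.5 PROTO=TCP SPT=40004 DPT=750
Dec 11 09:00:05 afsdb3 kernel: KDC-IN: IN=eth0 SRC=10.1.1.11 DST=10.0.0.5 PROTO=UDP SPT=40005 DPT=750
Dec 11 09:00:06 afsdb3 sshd[123]: Accepted publickey for alice from 10.1.1.10 port 5000 ssh2
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def classify_kdc_traffic(log_text):
    """Per source host, count KDC contacts on port 88 ("krb5") and 750 ("possibly_krb4").

    Lines without SRC/DPT fields (e.g. sshd entries) and other ports are ignored.
    """
    per_host = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dpt = int(m.group("dpt"))
        if dpt == KRB5_PORT:
            key = "krb5"
        elif dpt == KRB4_PORT:
            key = "possibly_krb4"   # could also be a K5 client falling back to 750
        else:
            continue
        per_host.setdefault(m.group("src"), Counter())[key] += 1
    return {src: dict(c) for src, c in per_host.items()}


def hosts_only_on_port_750(summary):
    """Hosts that never used port 88: the strongest hint of a pure Kerberos4 client."""
    return sorted(src for src, c in summary.items()
                  if c.get("possibly_krb4") and not c.get("krb5"))


def k4_to_k5_principal(entry):
    """'name.instance@REALM' -> 'name/instance@REALM' (standard K4->K5 naming;
    assumes no site-specific host/realm rewriting is needed)."""
    name, _, realm = entry.strip().partition("@")
    primary, _, instance = name.partition(".")
    principal = f"{primary}/{instance}" if instance else primary
    return f"{principal}@{realm}" if realm else principal


def audit_klogin(home_root):
    """Return {user: [suggested .k5login lines]} for homes with a .klogin but no .k5login."""
    findings = {}
    for home in sorted(Path(home_root).iterdir()):
        klogin = home / ".klogin"
        if not home.is_dir() or not klogin.is_file() or (home / ".k5login").is_file():
            continue
        entries = [ln for ln in klogin.read_text().splitlines()
                   if ln.strip() and not ln.startswith("#")]
        findings[home.name] = [k4_to_k5_principal(e) for e in entries]
    return findings


def make_sample_homes():
    """Constructed /home tree in a temp dir: alice still .klogin-only,
    bob already has a .k5login, carol has neither."""
    root = Path(tempfile.mkdtemp(prefix="k4audit-"))
    (root / "alice").mkdir()
    (root / "alice" / ".klogin").write_text("alice@EXAMPLE.ORG\nadmin.root@EXAMPLE.ORG\n")
    (root / "bob").mkdir()
    (root / "bob" / ".klogin").write_text("bob@EXAMPLE.ORG\n")
    (root / "bob" / ".k5login").write_text("bob@EXAMPLE.ORG\n")
    (root / "carol").mkdir()
    return root


if __name__ == "__main__":
    summary = classify_kdc_traffic(SAMPLE_FIREWALL_LOG)
    for src, counts in sorted(summary.items()):
        print(src, counts)
    print("follow up (port 750 only):", hosts_only_on_port_750(summary))
    for user, lines in audit_klogin(make_sample_homes()).items():
        print(f"{user}: .klogin without .k5login; suggested .k5login entries:", lines)
```

On real data, =classify_kdc_traffic= would be fed the afsdb3 firewall log and =audit_klogin= pointed at the home-directory root; a host that only ever talks to port 750, or a user whose =.klogin= has no =.k5login= counterpart, is a candidate to contact before the Kerberos4 defaults and port 750 are switched off.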