These are belated meeting notes MIT's Garry Zacheiss and I collected during
the San Diego USENIX 2000 Kerberos/AFS birds of a feather session held on
Wednesday the 21st of June. Mistakes are mine.
Stephen Wynne
School of Computer Science
Carnegie Mellon University
Kerberos
========
Status Updates
--------------
-- Buffer overruns: a big issue (see notes below). Dan Geer commented
that Rational Purify licensees could volunteer to run it over the
code. Update from Garry Zacheiss: MIT Kerberos developers are
actually running Purify intermittently as problems occur. However,
it's important to keep in mind that it's not a silver bullet.
-- Heimdal: All in agreement: MIT still nervous about Krb4/Krb5 releases;
Heimdal is ready for prime time and eminently useful to the
world. Update from MIT: institution lawyers still hadn't cleared
it for export. No one should count on it happening in the short
term.
-- Microsoft and Products. We have a report supplied by Rainer Schoepf
via USENIX attendee Christoph Martin; both are from Johannes
Gutenberg-Universitaet Mainz. Due to problems with Win/Win2k +
AFS, they've set up a whole realm on Win2k Domain Controllers
serving as KDCs; they're using Network Appliance file servers and
NFS. They confirm basic interoperability with MIT Kerberos;
they've used GSSAPI + Netscape's LDAP. They're also using the
Solaris7 11/99 Kerberos5 update in this domain where they have
SMTP auth deployed. They report the usual problems with porting
various applications to Krb5.
-- Works in Progress: Peter Honeyman gave a rapid-fire report on his
work with PKI/Kerberos interoperability at CITI. They're
developing Kerberized HTTP (using a separate SSL connection to
the KDC). Steve mentioned a related project at CMU:
http://andrew2.andrew.cmu.edu/minotaur/. Peter mentioned "Junk
Keys," the idea of getting certificates for web site
authentication at login time, giving them Kerberos-ticket-like
expiration times, and destroying them at logout. This
presumes you're only using the certs for authentication and don't
care about them being persistent, which isn't a valid assumption
for all sites and possible uses.
-- Discussion of Solaris8's Kerberos client support. People noted
that Solaris 2.4 - 7 all shipped with K4 client support.
-- SAP is now a major GSSAPI user.
Learning about Kerberos
-----------------------
-- Management -- Getting Started. There was agreement that the
documentation included with the release tended to be pretty good.
We'd also recommend Ken Hornstein's FAQ:
http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
-- Development -- Getting Started. See sample_{client,server} in MIT
and KTH distributions. For complex examples, see telnetd/rlogind.
AFSUG/Filesystems
=================
Status Updates
--------------
-- USENIX: An AFS Workshop will be held at the upcoming LISA in December
(see http://www.usenix.org/events/lisa2000/). Participants will be
expected to contribute to the full-day event, which will be led by
MIT's Ted McCabe, the PSC's Esther Filderman, and CMU's Derrick
Brashear. Also, Derrick & Esther will offer an AFS tutorial.
-- WiP: Honeyman's AFS for high speed nets:
http://www.citi.umich.edu/projects/vafs/
-- Michigan's Krb5'ized Samba works.
-- All in agreement: let's support Arla. KTH has added a Krb5
and Milko full-time staff developer.
-- We discussed Krb5-1.2's upcoming release on 23 June.
(Krb5 1.2.1 has been released at this point.)
-- NFSv4: Peter Honeyman mentioned it briefly and also later in
the conference when he presented a WiP; see
http://www.citi.umich.edu/projects/nfsv4/ for latest news. Garry
suggests seeing http://playground.sun.com/pub/nfsv4/webpage/.
Kerberos Issues
---------------
-- What happened to Krb5 for AFS 3.6? No answer imminent from IBM. Most
recent hints we're getting would seem to be that we shouldn't be
expecting this anytime soon unless some site does the work for them.
AFS Operations Notes
--------------------
-- AFS 3.5 Cache Problems: MIT has seen several cases of Linux client
cache corruption, although significantly fewer than under the
Linux AFS 3.3 contrib port. They've reported them to Transarc, but
hadn't had any exciting news.
-- Backups: some people were moving to ADSM.
-- Some people were reducing the number of DB servers because UBIK is
pretty inefficient above a certain threshold. Three DB servers is the
minimum you need, and is probably the optimal number. Having
up to 5 would seem reasonable in some cases, and I don't know of
anyone ever having used more than 7.
-- RAID Volume Storage. Some people moving to RAID. RAID 1+0 in S/W
OK; H/W for others. Hint: just move RW volumes to RAID.
MIT has moved to RAID over the course of the last couple of years.
They're using H/W RAID 5. Casual benchmarking we did indicated that
S/W RAID loses to HW RAID a lot for heavy R/W traffic.
Contributed Tools
-----------------
-- Administration tools. Karsten Kuenne's DESY site has a Tcl-based AFS
administration tool to share. He reports: this stuff has to be
cleaned up still, but the arc-aware sudo has been available for quite
some time under /afs/desy.de/project/sudo. You need arc for that
which you can find under /afs/cern.ch/project/afs/arc. He asks
that you please read the CERN (not BSD or GNU) copyright.
-- User enabling tools. MIT has something in their sipb.mit.edu cell, which
is run by the Student Information Processing Board, a student
computer advocacy group at MIT. The code to the program consists
of a kerberized daemon and client, and is shamelessly MIT specific.
Garry and Ted will gladly share it with anyone who's interested.
AFS/Kerberos Community's To Do List
===================================
-- Let's support the Arla open source AFS replacement project
(http://www.stacken.kth.se/projekt/arla/) however our sites can
contribute: e.g. development, bugfixes, etc.
-- Dan points out: Krb4/5 Buffer Lesson: open source doesn't ensure security.
-- Krb5 FTPd fixes critical: get them out there if you're running them!
-- Dan: code auditing proposal -- cross-project code reviewers needed
for widely-shared, security-critical source-bases like Kerberos.
-- On the buffer overruns: Garry suggests reading Aleph One's "Smashing
the Stack For Fun and Profit" paper to get familiar with the cause
(archived at http://www.securityfocus.com/data/library/P49-14.txt).
-- A note on reverse-engineering: *legal* in U.S. for security purposes.
-- Send your people to USENIX/LISA this year for an intense AFS workshop
or tutorial.