On 11/22/2010 2:40 PM, Rick Cochran wrote:
> I have just heard that KfW is not being actively maintained. Is this true?
>
> If so, what implications does it have for OpenAFS?
>
> -Rick

It is true that MIT has not maintained Kerberos for Windows. There is an alpha of 3.2.3 from a year and a half ago but there has been no active work on support for Windows 7 and Server 2008 and none of the current source trees build on Windows (1.8, 1.9, ...).

Secure Endpoints has been supporting KFW for the last three years for our support customers. Private builds containing security fixes and Windows 7 compatibility have been delivered to those sites.

Since we cannot count on MIT, Secure Endpoints began a project nearly two years ago to port Heimdal to Windows. This work was announced at the AFS and Kerberos Conference in Pilsen, CZ in September. See my presentations at

http://afs2010.civ.zcu.cz/desc.php?name=doe

and Love Hörnquist Astrand's presentation

http://afs2010.civ.zcu.cz/desc.php?name=heimdal

In the coming weeks Secure Endpoints will be announcing that Heimdal on Windows is available for download. There will be several components:

1. A Heimdal side-by-side assembly that provides the core GSS-API and Heimdal Kerberos v5 functionality.

2. A set of command line tools that incorporate the command line functionality of both MIT Kerberos and Heimdal.

3. A set of plug-ins to Heimdal that support the MSLSA and MIT API credential caches.

4. A compatibility SDK that applications can be built against which permits those applications to work with either Heimdal or KFW 3.2.2 or KFW 2.6.5 depending on what is installed on the machine. The Heimdal side-by-side assembly will be preferred.

5. A set of KFW compatible shim libraries that permit applications compiled against KFW to work with the Heimdal assembly.

In addition, Secure Endpoints will announce an update to Network Identity Manager and the KCA provider that makes use of the compatibility SDK.

A patch for OpenAFS that makes use of the compatibility SDK is available in gerrit.openafs.org

http://gerrit.openafs.org/#change,2867

Although Secure Endpoints will make downloads of these packages available for free, Secure Endpoints will also make available a pay-to-use update service. This update service will permit individuals and organizations to ensure that all of their machines have the best version of Heimdal, Network Identity Manager, and OpenAFS installed on their machines.

What are the implications for OpenAFS?

Over the course of the next year OpenAFS will be making progress on the version 2.0 release which contains the rxgk security class. This security class will bring to OpenAFS GSS-API authentication and AES encryption. In order to make use of this functionality a GSS-API implementation on Windows that supports the GSS PRF will be required. The Heimdal distribution will satisfy that requirement. Therefore, sites that wish to deploy stronger authentication and encryption should begin to make migration plans to convert their users from MIT Kerberos to Heimdal in the coming year.

For sites that wish to continue using MIT Kerberos, OpenAFS will continue to work with it. Of course, Heimdal and MIT Kerberos can be deployed side-by-side during the transition.

Jeffrey Altman
