Notice: Transition of AFS Authentication to Kerberos 5

Background

Kerberos authenication is the standard network protocol for providing secure communications over insecure networks. Wikipedia Kerberos article

The current implementation of Kerberos is version 5 (Kerberos 5). There are two standand implementations : MIT and Heimdal.

AFS, a distributed file system which is widely deployed at NJIT, has always used Kerberos for authentication. That implementation, however, is based on Kerberos 4, which has been deprecated for several years. It is necessary to transition AFS authentication to Kerberos 5. The MIT Kerberos 5 implementation has been chosen.

Scope

The change in authentication discussed here applies only to AFS - authentication to the Microsoft NJITDM or ACADEMIC domain is not affected. Windows users should read this.

Implementation

The change from Kerberos 4 to Kerberos 5 for AFS authentication will be done in phases.

• Phase I. All new AFS passwords and all AFS password changes will be stored in Kerberos 5, rather than in Kerberos 4, which wad hitherto the case. The Kerberos 5 and Kerberos 4 passwords will be synchronized, and the Kerberos 4 server, which services Kerberos 4 requests, will continue to run. This means that all commands that users now use to access AFS services will continue to work as they do now.
  Phase I is scheduled to start on Wednesday 7 January 2009, and end in January 2010.
• Phase II. This phase will be used to develop and test procedures and documentation that will be needed for Phase III. Tasks to be completed during Phase II include the following :
  • Ensure that all AFS client machines for all platforms - Linux, Unix, and Windows - can authenticate the user to Kerberos 5 at login, and get that user's AFS token
  • Test and put in place procedures to refresh AFS tokens for long-running jobs when the user has authenticated to Kerberos 5
  • Educate users and the Computing Helpdesk on all aspects of the mechanics and implications of the change in AFS authentication to Kerberos 5 (only) scheduled for early January 2010
  Phase II will begin in April 2009, and end in January 2010.
• Phase III. In this phase support for Kerberos 4 authentication will be removed: the only method of AFS authentication will be via Kerberos 5.

  Phase III will begin in early January 2010, and will last only a week or so. The intent of this phase is to confirm that AFS Kerberos 4 authentication can be completely eliminated. Upon confirmation, Kerberos 4 authentication will be shut down permanently.