The consensus these days is to use [[KerberosV]], even though lacking native support for V5, AFS still needs various conversion and migration tools.
+For [[KerberosV]], there are two main open-source solutions for Unix: [[KerberosVMIT]] and [[HeimdalKTH]]. A quick comparison of the two:
+
+[[KerberosVMIT]] Advantages:
+
+- Excellent documentation
+- The "reference" implementation everyone else uses as a baseline
+- Great library support. Third-party software compiles easily with the libraries MIT provides.
+
+[[KerberosVMIT]] Disadvantages:
+
+- Poor integration with AFS. Requires the AFS-Kerberos5 migration kit to work with AFS.
+- Export issues
+
+[[HeimdalKTH]] Advantages:
+
+- Excellent integration with AFS.
+
+[[HeimdalKTH]] Disadvantages:
+
+- Client API is just different enough from MIT to keep most applications from compiling out of the box.
+
+Note that you can mix-and-match. Currently I'm using a [[HeimdalKTH]] KDC with [[KerberosVMIT]] clients. If you take this route the one big thing to watch out for is administrative tools - kadmin, kpasswd, and such.
+
-- [[TedAnderson]] - 22 Jan 2002
Some other topics that should be explained.
-- SSH -- There are two issues. First is mutually authenticating you and the SSH server to each other using Kerberos. Second is passing local AFS authentication to the remote shell (in this case an AFS Client) in the form of AFS service tickets (tokens).
+- SSH -- There are two issues. First is mutually authenticating you and the SSH server to each other using Kerberos. See [[KerberosV]] for a link to patches to kerberize [[OpenSSH]]. Second is passing local AFS authentication to the remote shell (in this case an AFS Client) in the form of AFS service tickets (tokens).
- these instructions from [[CharlesClancy]] for building openssh might be useful <http://lists.openafs.org/pipermail/openafs-info/2002-January/002846.html>
- another perspective from [[OwenLeBlanc]] <http://lists.openafs.org/pipermail/openafs-info/2002-January/002856.html>
- How to choose between [[KaServer]], [[KerberosVMIT]], [[HeimdalKTH]] and [[ActiveDirectory]].
- IP ACLs
- How to configure various authentication servers to issue tickets (tokens) with lifetimes longer than 25 hours.
--- [[TedAnderson]] - 23-24, 29 Jan 2002
+-- [[TedAnderson]] - 23-24, 29 Jan 2002 -- [[JasonGarman]] - 30 Jan 2002
----
-I am not the right person to write this page but here is a start:
+Kerberos is a network authentication system which is available for Unix, Windows, Macintosh, and I'm sure lots of other platforms.
-The MIT web site for Kerberos is <http://web.mit.edu/kerberos/www>. The FAQ is at <http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html>.
+How does this relate to [[OpenAFS]]? [[OpenAFS]] uses Kerberos to perform strong authentication for clients connecting to the AFS filespace. If you're new to Kerberos, you should take a look at the Kerberos FAQ located at <http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html>. For the impatient, a quick list of useful Kerberos-related terms will be available at [[KerberosTerms]].
-[[KenHornstein]]'s AFS-Kerberos5 migration toolkit is here: <ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/>.
+Note that there are two versions of Kerberos in wide usage. The latest is [[KerberosV]], but AFS, for historical reasons, uses a modified version of Kerberos 4 (see [[KaServer]]). However, AFS can be integrated into a [[KerberosV]] realm, and in fact is highly suggested for any new installations of AFS. See [[SettingUpAuthentication]].
-[[DerrickBrashear]]'s document for converting from the [[KaServer]] to [[HeimdalKTH]] is [here](http://lost-contact.mit.edu/afs/net/project/afs32/andrew.cmu.edu/usr/shadow/ka2heim.txt): <file:/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt>
+Installing [[KerberosV]] along with [[OpenAFS]] will provide the basis for many other very cool features, such as a single repository for all authentication information for an administrative domain, integration with the Windows2000 login mechanism, and even single-sign-on capability. Note that the further down you get in that list, the harder things become. :)
--- [[TedAnderson]] - 22 Jan 2002 -- [[DerrickBrashear]] - 23 Jan 2002
+The installation documentation on the [[OpenAFS]] web site unfortunately does not include any information on integrating AFS into a [[KerberosV]] realm. (Work on install document & gotchas page later)
+
+If you already have a working AFS cell using [[KaServer]], check out [[DerrickBrashear]]'s document for converting from the [[KaServer]] to [[HeimdalKTH]] [here](http://lost-contact.mit.edu/afs/net/project/afs32/andrew.cmu.edu/usr/shadow/ka2heim.txt): <file:/afs/andrew.cmu.edu/usr/shadow/ka2heim.txt>
+
+For now a few links... explanations to follow later:
+
+- Setting up [[OpenSSH]] to use [[KerberosV]] authentication: you can either use PAM to authenticate people (boring) or you can add the patches at <http://www.sxw.org.uk/computing/patches/openssh.html> to use existing [[KerberosV]] tickets for single-sign-on and automatic ticket forwarding (interesting). Note that by default this patch won't grab tickets when logging in via password - post small patch to enable this later.
+- If you're having trouble with the AFS-Kerberos5 migration kit, see <http://www.mathematik.uni-karlsruhe.de/~iwrmm/Persons/Schulz/Unix/afs/afs-krb5.html> for tips. In particular check out the Makefile patches.
+- An older AFS link page: <http://www-2.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs.html>
Some other issues to explain:
- encryption types -- this is a per key property and V5 supports several (while V4 only supported one, namely what V5 calls des-cbc-crc). However, this is not the V5 default (which I think is des3) so you need to ensure that the AFS principal uses des-cbc-crc.
- [[StringToKey]] differences
--- [[TedAnderson]] - 23 Jan 2002
+-- [[TedAnderson]] - 22 Jan 2002 -- [[DerrickBrashear]] - 23 Jan 2002 -- [[TedAnderson]] - 23 Jan 2002 -- [[JasonGarman]] - 30 Jan 2002
----
git://git.openafs.org / openafs-wiki.git / commitdiff