Questions on kerb 4 vice kerb 5

Magnus Ahltorp ahltorp at nada.kth.se
Fri Nov 16 11:32:20 CET 2001


> As I understand it there are 3 possibly relevant wire protocols:
> 	rx	the native AFS authentication, closely related to k4
> 	k4	supported by the AFS kaserver with a non-standard string-to-key
> 	k5	¿usable? by AFS with non-standard authentication tools
> rx and k4 both suffer the same well-known replay vulnerability. Could
> I close both of them off with a firewall and still get everything I
> need using only k5?

There are three protocols for getting tickets: MIT Kerberos 4, MIT
Kerberos 5 and Transarc/OpenAFS Rx Kerberos 4.

With the MIT Kerberos 4 and Rx Kerberos 4 protocols, you can get
Kerberos 4 tickets. With the MIT Kerberos 5 protocol, you can get
Kerberos 5 tickets. With the Kerberos 5 tickets, you can get Kerberos
4 tickets.

Since AFS only handles Kerberos 4, you have to get Kerberos 4 tickets
in some way, but you don't need to get your ticket-granting ticket
with a Kerberos 4 protocol. There is always v4 on the wire when
talking to the AFS server with rxkad.

When the rxgss security class is implemented, you will be able to
authenticate with kerberos 5 to the AFS servers directly.

Note that if you have enabled v4 kdc capabilities in Heimdal, it will
serve v4 requests on all ports. All ports are equal in Heimdal, so
it's not easy to firewall it.

> If I understand what Magnus said then the answer is yes. The
> authentication program to use is afslog (from Heimdal), and it will
> work with Transarc/OpenAFS as well as Arla. That sounds like exactly
> what I wanted to hear.

Yes, if you use afslog or the Heimdal kauth/kinit program, you don't
need to get v4 TGTs.

/Magnus
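The point about Heimdal above is that the KDC decides what a datagram is by looking at its content, not at the port it arrived on, so a port-based firewall cannot separate Kerberos 4 from Kerberos 5 traffic. The following is an added example, not code from the post, Heimdal, Arla or OpenAFS: it classifies raw KDC datagrams the same way, by the Kerberos 4 version byte or the Kerberos 5 DER application tag, and applies the policy the questioner asked for (let v5 and krb524 through, drop v4). The principal, realm and packet contents are constructed for the example, and the minimal v5 and krb524 samples carry only the leading fields that classification needs.

```python
"""Tell Kerberos 4 from Kerberos 5 KDC traffic by payload, not by port.

Added example for the discussion above; not code from Heimdal, Arla or
OpenAFS. The sample datagrams are constructed here, not captured.
"""
import struct
import time

# Kerberos 4 wire constants (MIT krb4 krb.h / prot.h).
KRB_PROT_VERSION = 4
AUTH_MSG_KDC_REQUEST = 1 << 1     # initial ticket (TGT) request
AUTH_MSG_APPL_REQUEST = 3 << 1    # ticket request presenting an existing TGT
BYTE_ORDER_BIT = 1                # low bit of the type byte; 0 = MSB-first

# Kerberos 5 DER application tags (RFC 1510 / RFC 4120).
TAG_TICKET = 0x61    # [APPLICATION 1]  Ticket  (what a krb524 request carries)
TAG_AS_REQ = 0x6A    # [APPLICATION 10] AS-REQ
TAG_TGS_REQ = 0x6C   # [APPLICATION 12] TGS-REQ


def classify(datagram: bytes) -> str:
    """Label one UDP datagram addressed to a KDC.

    A v4 request is recognised by its leading protocol-version byte, a v5
    request (or a krb524 ticket conversion) by its outer DER tag.
    """
    if len(datagram) < 2:
        return "unknown"
    first, second = datagram[0], datagram[1]
    if first == KRB_PROT_VERSION:
        msg_type = second & ~BYTE_ORDER_BIT
        if msg_type == AUTH_MSG_KDC_REQUEST:
            return "krb4-as-req"
        if msg_type == AUTH_MSG_APPL_REQUEST:
            return "krb4-tgs-req"
        return "krb4-other"
    return {TAG_AS_REQ: "krb5-as-req",
            TAG_TGS_REQ: "krb5-tgs-req",
            TAG_TICKET: "krb524-req"}.get(first, "unknown")


def allowed(datagram: bytes, permit_v4: bool = False) -> bool:
    """Policy from the question: pass v5 (and krb524), drop v4 unless permitted."""
    label = classify(datagram)
    if label.startswith("krb4"):
        return permit_v4
    return label != "unknown"


def build_krb4_as_req(name, inst, realm, sname, sinst, lifetime=120, now=None):
    """Construct a Kerberos 4 AUTH_MSG_KDC_REQUEST in the layout krb4 clients use:
    version, type|order, pname NUL, pinst NUL, realm NUL, time(4), life(1),
    sname NUL, sinst NUL.  Order bit 0 means the time field is MSB-first."""
    now = int(time.time()) if now is None else now
    cstr = lambda s: s.encode() + b"\x00"
    return (bytes([KRB_PROT_VERSION, AUTH_MSG_KDC_REQUEST])
            + cstr(name) + cstr(inst) + cstr(realm)
            + struct.pack(">IB", now, lifetime)
            + cstr(sname) + cstr(sinst))


def build_krb5_req_head(tag, msg_type):
    """Construct the leading fields of a v5 KDC-REQ:
    [APPLICATION n] SEQUENCE { pvno [1] INTEGER 5, msg-type [2] INTEGER n }.
    The req-body is omitted; only the outer framing matters here."""
    body = b"\xa1\x03\x02\x01\x05" + b"\xa2\x03\x02\x01" + bytes([msg_type])
    seq = b"\x30" + bytes([len(body)]) + body
    return bytes([tag, len(seq)]) + seq


# Constructed samples; principal and realm names are hypothetical.
SAMPLES = {
    "v4 kinit": build_krb4_as_req("alice", "", "EXAMPLE.ORG",
                                  "krbtgt", "EXAMPLE.ORG", now=1005906740),
    # v4 ticket request with the LSB-first order bit set, body truncated
    "v4 tgs":   bytes([KRB_PROT_VERSION, AUTH_MSG_APPL_REQUEST | BYTE_ORDER_BIT]) + b"\x00" * 8,
    "v5 kinit": build_krb5_req_head(TAG_AS_REQ, 10),
    "v5 tgs":   build_krb5_req_head(TAG_TGS_REQ, 12),
    # krb524: a DER Ticket, truncated to its outer tag and tkt-vno
    "524":      bytes([TAG_TICKET, 0x03, 0xA0, 0x01, 0x05]),
    "junk":     b"\x05\x00GET / HTTP/1.0",
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:9s} {classify(pkt):13s} allowed={allowed(pkt)}")
```

A real filter would additionally have to handle TCP, where Kerberos 5 prefixes each message with a four-byte length, and it would have to be applied to every port the KDC listens on, since the post notes that Heimdal serves v4 on all of them. Blocking v4 at the KDC does not change the rxkad exchange between client and AFS file server, which the post says stays v4 on the wire regardless of how the ticket was obtained.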
