Questions on kerb 4 vice kerb 5
Henry B. Hotz
hotz at jpl.nasa.gov
Fri Nov 16 20:32:44 CET 2001
At 11:31 AM +0100 11/16/01, Magnus Ahltorp wrote:
>Since AFS only handles kerberos 4, you have to get kerberos 4 tickets
>in some way, but you don't need to get your ticket-granting ticket
>with a kerberos 4 protocol. There is always v4 on the wire when
>talking to the AFS server with rxkad.
I was hoping to close port 750 and whatever rx traveled on at a
firewall and only allow k5 and the data traffic through. Thus
avoiding the k4 vulnerabilities. *sigh*
Maybe authentication is split this way already. Can I set it up so:
tgt's only come from the k5 server. You then talk rx to the AFS
servers to get the token. Is there no way to get a token (e.g.
replay attack?) without first getting the k5 tgt? Does this protect
me from the k4 vulnerabilities?
>When the rxgss security class is implemented, you will be able to
>authenticate with kerberos 5 to the AFS servers directly.
And how soon will this be possible? This year?
>Note that if you have enabled v4 kdc capabilities in Heimdal, it will
>serve v4 requests on all ports. All ports are equal in Heimdal, so
>it's not easy to firewall it.
>
>> If I understand what Magnus said then the answer is yes. The
>> authentication program to use is afslog (from Heimdal), and it will
>> work with Transarc/OpenAFS as well as Arla. That sounds like exactly
>> what I wanted to hear.
>
>Yes, if you use afslog or the Heimdal kauth/kinit program, you don't
>need to get v4 TGTs.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
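The firewall question in this message hinges on what the KDC is actually configured to serve. The script below is an added example, not code from the thread, Heimdal or Arla: it audits a Heimdal kdc.conf and reports whether Kerberos 4 compatibility is on and on which ports it would be answered. It assumes the [kdc] keys enable-kerberos4, enable-kaserver and ports as documented in Heimdal's kdc.conf(5); the two sample configs are constructed for the example, and the default port of 88 when ports is unset is an assumption.

```python
"""Audit a Heimdal kdc.conf for Kerberos 4 exposure (added example).

The point from the thread: once v4 is enabled, Heimdal answers v4
requests on every port the KDC listens on, so a firewall rule that
only closes 750/udp does not remove the v4 attack surface; the
effective fix is to turn v4 off in the KDC.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: v4 compatibility still on, listening on 88 and 750.
SAMPLE_KDC_CONF = """\
[kdc]
    enable-kerberos4 = true
    enable-kaserver = false
    ports = 88, 750
    v4-realm = EXAMPLE.ORG

[logging]
    kdc = FILE:/var/log/kdc.log
"""

# Constructed sample: v4 switched off, only the v5 port open.
HARDENED_KDC_CONF = """\
[kdc]
    enable-kerberos4 = false
    ports = 88
"""

_SECTION = re.compile(r"^\[(\w+)\]\s*$")
_KV = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")


def parse_kdc_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for flat `key = value` lines in krb5-style config.

    Nested `key = { ... }` blocks are skipped; the [kdc] keys audited
    here are flat, so that is sufficient.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    depth = 0  # > 0 while inside a skipped { ... } block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth:
            depth += line.count("{") - line.count("}")
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _KV.match(line)
        if m and current is not None:
            key, val = m.group(1), m.group(2)
            if val.startswith("{"):
                depth = val.count("{") - val.count("}")
                continue
            sections[current][key] = val
    return sections


def _truthy(val: str) -> bool:
    return val.strip().lower() in ("true", "yes", "on", "1")


def kdc_ports(kdc: Dict[str, str]) -> List[int]:
    """Ports the KDC listens on; 88 if `ports` is unset (assumed default)."""
    spec = kdc.get("ports", "88")
    return [int(p) for p in re.split(r"[,\s]+", spec.strip()) if p.isdigit()]


def audit_v4_exposure(text: str) -> dict:
    """Report v4 reachability for one kdc.conf."""
    kdc = parse_kdc_conf(text).get("kdc", {})
    v4 = _truthy(kdc.get("enable-kerberos4", "false"))
    ka = _truthy(kdc.get("enable-kaserver", "false"))
    ports = kdc_ports(kdc)
    return {
        "v4_enabled": v4,
        "kaserver_enabled": ka,
        "ports": ports,
        # With v4 on, every listening port is a v4 port, not just 750.
        "v4_reachable_ports": ports if v4 else [],
        "fix": "set enable-kerberos4 = false in [kdc]" if v4 else None,
    }


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_KDC_CONF), ("hardened", HARDENED_KDC_CONF)):
        print(name, audit_v4_exposure(conf))
```

Run it against the real /etc/heimdal-kdc/kdc.conf (or wherever the KDC reads it) before deciding which ports a firewall should pass; if v4_reachable_ports is non-empty, closing 750 alone will not help.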