This page will capture some of the milestones, progress, and open issues related to the retirement of Kerberos version 4 at MIT.


April 23, 2007

  • OIS has updated webmoira and WINCE applications to use v5 when interacting with the Moira server.
  • OIS (NIST) is working on transitioning the MIT CA to use v5 when interacting with the Moira server.
  • A set of email reminders went out to the 1000 constituents still relying on K4 for inbound authentication.
  • SAIS is preparing to test a new DLL to interact with the MIT ID database. The DLL is called by a Powerbuilder application.

April 7, 2007

  • OIS updated the production Moira server so that it now supports v5 in addition to v4. Updated clients supporting v5 are also available for the Athena environment. As a result of this change, several other systems may now be updated. These include:
      • MIT CA, which has some Moira dependencies (NIST)
      • webmoira (OIS)
      • WINCE web applications (ISDA/NIST)
      • Moira clients for the WIN environment (ISDA/NIST)
  • OIS has started to transition the remaining kPOP users to SSL.

February 6, 2007

  • Facilities uses Host Explorer (using v4) to access PPL and run the "keys" application. The application is being ported to an Oracle environment.
  • Query sent to SAIS regarding their use, or their customers' use, of Host Explorer to run remote applications.
  • ESandi has been retired from general community usage; however, two staff members still require access to the system.
  • Moira and MIT CA migrations to v5 are planned. Much of the work was deferred in order to focus on the W92 computer room renovations and the transition of servers and services to W91.
  • The MIT IMAP servers will not be transitioned to support v5 until all kPOP users are transitioned to SSL. That decision is based on previous experience gained when v5 was briefly enabled on our IMAP servers once before. Approximately 200 kPOP users have made the transition to date. The current very rough estimate for the transition is July of 2007.

January 31, 2007

  • Sun Prop and SumMIT both use the Oracle Gateway to authenticate, and are not Kerberos dependent. We are still waiting for a status update regarding ESandi.
  • MITSIS uses MITID32v20.dll, which is based on v4. The relevant portion of the application performs reconciliation between MIT ID and the MITSIS DB. The task is performed by the registrar's office. Discussion and planning for revision has started to occur between Leo Larsen, Eamon Kearns, Semyon Eskin and Paul Hill.

August 28, 2006


  • lert and AFS are moved to the list of applications and servers that support v5

The lert client distributed in all Athena releases since Athena 9.2 (released July 2003) has used only krb5 for authentication to the server. The server still supports krb4 for the benefit of old clients, but this could easily be removed in the future.

The version of AFS deployed in all IS&T operated AFS cells uses krb5 for authentication. Are there cells at MIT operated by other departments which do not currently support v5?

The aklog program currently deployed on Athena uses the krb524d service to obtain tickets, but it is not receiving a krb4 ticket when it does so; it is receiving only the encrypted part of a krb5 ticket. The same is true for at least some of the WIN machines, but Paul is not sure if this is true for all WIN machines at this time.

There are also workstations outside of Athena and WIN that have OpenAFS clients installed. It is currently unclear if all of those machines are using v5 for AFS authentication.

We could easily deploy a new aklog that does this directly without accessing krb524d; I believe this is all already in the athena CVS repository but not yet deployed.

August 24, 2006

  • Work has been proceeding on Moira.
  • The diffs from the moira-krb5 branch of the moira repository were pulled up to the moira mainline by OIS, in preparation for deploying them on Moira test server and in production sometime in the next month and a half. Additional related work has been done to chfn, mailmaint, and mrtest.
  • New Moira clients for sun4x_510 and i386_rhel4 have been placed into the moiradev locker.  These clients will do krb5 auth to the server running on the test server but will fall back to krb4 when talking to the production server, so it should be safe to "add -f moiradev" and use them for everything.  If you do so, please report any problems you encounter to moiradev.
  • Developers from ISDA are now building Windows clients with the v5 changes and these will be tested against the Moira test server in the future.

August 18, 2006

  • announcement of the Kerberos v4 retirement initiative to IS&T leadership team
  • added SSH, Jabber, and sending outgoing email to the list of applications and services that support v5
  • ISDA acknowledges ownership of Zephyr with respect to this initiative and strategic directions
  • OSP confirms that Coeus is using v5