MSU Authentication - Michigan State University

Migrating to Kerberos 5
Steve Devine
Manager, Storage Systems
Academic Computing and
Network Services
Michigan State University
About Kerberos and AFS
• Kerberos 5
  – Network authentication protocol developed at MIT
  – Widely used
  – MS Windows Active Directory
• AFS
  – Andrew File System developed at Carnegie Mellon
    • Named for Andrew Carnegie
Andrew File System (AFS)
• In use at MSU since 1994
• Serves as our campus-wide file system
• afsdb0.cl.msu.edu serves as our campus Kerberos authentication service
• Dozens of MSU services rely on it for authentication services
  – Mail.msu.edu, ANGEL, etc.
  – AIS' Sentinel service is a common front-end
• Encryption is loosely based on Kerberos 4.
Why Convert?
• Kerberos 5 is the industry standard.
• Far more secure than the current system.
• Windows Active Directory and other enterprise-level services are designed to use Kerberos 5.
• Flexibility and dependability are greatly increased.
• At some point in time we will be forced into conversion.
Testing and Notification
• MIT Kerberos 5 test server open-afsdb2.cl.msu.edu was online June 2004.
• Notices sent to network administrators (NAG) and ACNS staff
• Migration info appears at: http://www.msu.edu/service/afs/migrate/
• kerberos5@list.msu.edu created for department representatives.
• Test accounts were converted from the current MSU database and test users began testing in July 2004.
Backward Compatibility
• New service will run a 'fakeka' server that allows AFS authentication to continue
• Kerberos server will run in Kerberos 4 mode to allow services to migrate
Single DES, Triple DES, and Passwords
• DES = Data Encryption Standard, developed in the 1970s
• Original standard is now "crackable" with modern hardware
• Triple DES uses three 56-bit keys
• Existing MSU Kerberos uses single DES
• Industry is moving towards Triple DES
  – For instance, MS Active Directory demands Triple DES
  – If your Kerberos password is still single DES, you can't use Active Directory services
Password Implications
• We will implement a new password policy with this migration
• Minimum 8 characters
• Must include at least 3 of the following character classes:
  – lower-case letters
  – upper-case letters
  – digits
  – punctuation, and all other characters (e.g., control characters)
• This will greatly enhance password effectiveness
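As an added illustration (not MSU's or MIT Kerberos' own code), the following Python check implements the password policy stated on this slide: at least 8 characters and at least 3 of the 4 character classes. The sample passwords at the bottom are constructed, not real credentials.

```python
# Added example: validator for the password policy described on this page.
# Policy as stated: minimum 8 characters, and at least 3 of 4 classes
# (lower-case letters, upper-case letters, digits, punctuation/all other).

MIN_LENGTH = 8
MIN_CLASSES = 3


def character_classes(password: str) -> set:
    """Return the set of policy character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Punctuation, whitespace, control characters and anything else
            # not covered by the three classes above form the fourth class.
            classes.add("other")
    return classes


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        problems.append(
            f"only {len(found)} of 4 character classes used, need {MIN_CLASSES}"
        )
    return problems


def passes_policy(password: str) -> bool:
    """True when the password satisfies both the length and class rules."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed samples: one fails on classes, one on length, others pass.
    for candidate in ["spartan1", "Spartan1", "Ab1!", "Go Green 2005"]:
        print(repr(candidate), check_password(candidate) or "OK")
```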
Migration Timeline
• May 11, 2005:
  – New server installed and 218,000 users loaded into Kerberos 5 database.
  – Media campaign to educate users and get them to reset their password begins.
  – New password policy begins
    • Your old password will continue to work for existing systems.
    • When you change it, you must conform to the new rules.
Timeline
• September 27, 2005:
  – Disable access for any user who has not reset their password.
  – Official support for Kerberos 5 begins.
  – New users are created in Triple DES only
Timeline
• Date TBA, 2006?
  – Kerberos 4 support ends.
  – All services must support Kerberos 5
Communications Needs
• Must document new password policy ASAP
  – Techbase, Help/Status, etc.
• Prepare the help desks for questions
• Plan campaign for Fall
• As September 27 approaches, e-mail users who have not changed their password