Skip navigation



Unix Project Deliverables

This is a summary of the remaining tasks in the Kerberos v5 migration from the server and Unix support perspective. Desktop issues and campus communication are mostly not represented here. The tasks here are roughly in the order in which they need to be completed, although some can be done out of sequence.

Estimates are for time spent working on this issue in particular, not for elapsed time.

  • Replace keeptoken in AFS with something built around krenew and a K5-based aklog and retire the old keeptoken program completely. This requires making sure that renewable ticket lifetime is set up properly in the KDCs.

    Estimate: 10 hours (Andrew, Russ for KDC part)
    Status: Ticket lifetime is fine, script is in progress.

  • Rework the ACLs that are currently applied on the K4 kadmind so that they're also applied on the kadmin backend on lsdb. This will require adding logic to apply the same check of preventing someone from changing the password of someone else who can also change passwords. Also need to update mkpermtable to pull from the correct location.

    Estimate: 4 hours (Russ)

  • Build the production kadmind proxy server that we're going to use for the afsdb servers and test it.

    Estimate: 2 hours (Russ)

  • Make the kadmin switch. This involves:

    • Writing an installation and test plan.
    • Getting the right principals and keys for production ready.
    • Building new versions of the plugins with the production config.
    • Updating the KDC packages on the production KDCs.
    • Installing the password strength checking plugin and dictionary.
    • Installing the password sync plugin and script.
    • Installing the kadmind proxy on the afsdb servers.
    • Installing the new kadmin remctl backend on lsdb.
    • Remove the iptables configuration that limits kadmind access.
    • Testing that everything works after the switchover.
    • Release the new passwd_change into pubsw.

    Estimate: 10 hours (Russ)

  • Enable backups on the Kerberos v5 KDCs with proper encryption in TSM and escroe of the backup key in some reasonable fashion. This will be required for disaster recovery as well.

    Estimate: 40 hours (Andrew)

  • Write the initial wallet implementation that will support obtaining keytabs and srvtabs and supports cached keytabs and srvtabs. See the breakout documentation for the steps involved in this.

    Estimate: 40 hours (Russ)

  • Switch over from the current leland_srvtab service to the wallet. We may need to provide some sort of redirection or error message from leland_srvtab's interface so that people will know what to do. reg-srvtab will also have to be completely rewritten. Most of the work will be importing the srvtab database into the new wallet database.

    Estimate: 15 hours (Russ)

  • Replace kpasswd in pubsw with the version from Kerberos v5 and remove any remaining traces of Aeakos from pubsw.

    Estimate: 4 hours (Andrew)

  • Release new Kerberos kits with the K5 kpasswd and with the new wallet client to obtain keytabs. Rewrite all of the Kerberos documentation accordingly and test the kits before the release. The new Kerberos documentation should use the new ITS page styles.

    Estimate: 20 hours (Andrew)

  • Check through each remaining service build that we have and make sure that they're all using K5 AFS and k5start instead of k4start or keeptoken.

    Estimate: 40 hours (Andrew, Quanah, Digant, Jim)

  • Update all existing Solaris, Red Hat, and Debian systems to use the new PAM stack and a current OpenSSH and retire all of the old cruft that we were previously running. This project can start now and will take quite a bit of time during the other things that we're doing on this project.

    Estimate: 60 hours (Andrew, Quanah, Digant, Jim)

  • Announce the demise of Zephyr and provide people with documentation about other possible alternatives. We should probably develop some sort of background e-mail polling program so that people don't write their own broken ones.

    Estimate: 10 hours (Andrew)

  • Announce the final demise of WebAuth v2 and work with whoever comes out of the woodwork. Write a new WebAuth v2 weblogin script that will redirect users back to the calling page to deal with those users who have bad bookmarks.

    Estimate: 15 hours (Andrew)

  • Replace klogin with a simple wrapper around rlogin so that we no longer attempt any K4 authentication to our servers. At this point, we can drop our local patches to Kerberos to obtain K4 tickets as well as K5 tickets. This can't be done until after all the systems have been updated to accept K5 authentication and use K5 with AFS.

    Estimate: 10 hours (Russ for at least the patches part)

  • Release new Kerberos kits without kftgt and with the simple klogin wrapper. (And probably a krsh wrapper as well.)

    Estimate: 10 hours (Andrew)

  • Write log analysis software to look at the kaserver logs and figure out who's still authenticating against K4 and why. Track those people down and get them to move to K5.

    Estimate: 30 hours (Andrew)

  • Shut down the K4 kaserver and the kadmind proxy. Start running ka-forwarder on the afsdb servers and fake-ka on the Kerberos servers so that klog will continue to work (unless there's a K5 klog by then).

    Estimate: 20 hours (Russ)

The following additional work isn't directly part of the project but should happen soon after the conclusion of the main project goals and is needed for long-term maintainability.

  • Rework the password strength checking plugin to allow linking with the system cracklib if someone so chooses.

    Estimate: 5 hours (Russ)

The following tasks have been resolved. They're listed here in the order of final resolution.

  • In test, addprinc -randkey was failing with an error message saying that the password is already in the dictionary. My guess is that it's passing NULL or something into the plugin and the plugin isn't coping. Needs a fix to our kadmind patch.

    Estimate: 4 hours (Russ)
    Actual: 1 hour
    Status: Done 2006-12-07, need to pass -clearpolicy into addprinc

  • Set up new iptables rules on kerberos1 to prevent kadmin access except from lsdb, windlord, and the afsdb servers. Deploy the change.

    Estimate: 2 hours (Russ)
    Actual: 1 hour 30 minutes
    Status: Done 2006-12-14

  • Deploy the new krb5.conf in pubsw that includes the master_kdc setting.

    Estimate: 1 hour (Russ)
    Actual: 1 hour
    Status: Done 2006-12-12

  • Install the new keytab from Ross and install new password sync and status propagation plugins and programs into the test environment. Test basic functionality of password propagation and status propagation and fix whatever issues arise.

    Estimate: 10 hours, on the hopeful side (Russ)
    Actual: 15 hours
    Status: Done 2006-12-13

    The end of this section of the project and the beginning of the later testing coordination and fixing is very arbitrary. This is roughly how much time I spent getting things into basic working shape before I redid the whole package.

  • Coordinate further testing of the password sync and status propagation and its various components, including the new kadmind interface. Fix any bugs that show up during testing, and probably improve the software some to make it more maintainable.

    Estimate: 20 hours (Russ)
    Actual: 25 hours
    Status: Done 2007-01-25

    This included adding and testing queuing of changes and writing a backend to manage the queue, writing a Debian package to encapsulate KDC dependencies, and setting up the test Kerberos server using Puppet.

  • Write an audit script that analyzes every account on the production KDCs and provides information about unexpected flag settings, maximum lifetime and renewable lifetime, last password change, configured policy, and general statistical information. This should run on kerberos3 (least loaded server) and ideally we should set this up to run monthly from cron and send a report.

    Estimate: 10 hours (Russ)
    Actual: 12 hours
    Done: 2007-02-09

    Not set up to run monthly yet, but that can be taken care of later after I can install the new Debian package on the production KDCs.

  • Create accounts for several people in the test K4, K5, and Windows realms so that they can also test password changing. (In the process, write some documentation for how administrative actions should be taken in the test environments, since I keep forgetting this.)

    Estimate: 2 hours (Russ)
    Actual: 30 minutes
    Done: 2007-02-15

    The kadmin backend will serve for this for right now at least. More documentation about the test realm in general would still be useful, but I'm going to consider that not part of this project.

  • Go through every account on the production KDCs and make sure that they all have a policy assigned so that we'll do password verification. We should probably discuss the parameters of that policy as well (password length and password history to prevent reuse).

    Estimate: 6 hours (Russ)
    Actual: 3 hours
    Done: 2007-02-26

  • Release a K5-based aklog into pubsw.

    Estimate: 4 hours (Quanah and Andrew)
    Done: 2007-03-01

  • Write a new kadmin backend for lsdb, which needs to support the following changes:

    • Manual account creation in K4 using gen_srvtab.
    • Manual account enabling, disabling, and deletion in K4 using kas.
    • Password strength checking using a test principal.
    • Password changes only in K5, not in K4.

    Estimate: 10 hours (Russ)
    Done: 2007-03-09

    Account enabling and disabling was done via the kadmin proxy instead, since that was easier than trying to use kas. Deletion was added to gen_srvtab, which was renamed to kasetkey. (Hm, I should add enable and disable to kasetkey as well, which would put less weight on the proxy. But probably not worth it at this point.)

  • Rewrite passwd_change to link against the remctl libraries and call the administrative password change kadmin remctl call on lsdb rather than doing a direct kadmind connection.

    Estimate: 10 hours (Russ)
    Actual: 6 hours
    Done: 2007-03-09

  • Write up a test plan for thoroughly exercising the functional of password and status propagation.

    Estimate: 2 hours (Russ)
    Actual: 4 hours
    Done: 2007-03-12

  • Release new AFS kits that include an aklog built against Kerberos v5 and update the AFS documentation accordingly. This can be done at any time now; nothing is stopping us from doing this right away. The required documentation updates are substantial.

    Estimate: 20 hours (Andrew)
    Done: 2007-03-21

  • Reimplement our local patches for login.krb5 so that they don't depend on the KTH Kerberos libkafs to create PAGs. This really should involve writing login.krb5 to use PAM properly, which will require researching what properly means.

    Estimate: 20 hours (Russ)
    Actual: 4 hours
    Done: 2007-02-01

    Rather than implementing PAM, I stole the code from the new AFS PAM module that implements a separate syscall layer for Linux. We'll need to revisit this at some point for Solaris, and it's still not the fully right solution, but it will do for now.

  • Make the v4 and Windows realms configuration options in the password propagation code, read from krb5.conf like other options.

    Estimate: 15 hours (Russ)
    Actual: 10 hours
    Done: 2007-01-05

  • Clean up and release to the general public the password strength checking plugin and the password propagation plugin and the associated patches. Requires writing real documentation, cleaning up the build system, and fixing the paths in some cases to be less stupid.

    Estimate: 20 hours (Russ)
    Actual: 15 hours
    Done: 2007-03-28

Last modified Wednesday, 31-Dec-1969 04:00:00 PM

Stanford University Home Page