AFS version 3 was designed and implemented during the late 80s and early 90s when the state of the art in distributed computer authentication and data security was Kerberos 4 and single DES. The RXKAD security class was specified to use a single DES key and the kauth authentication protocol is a derivative of MIT's Kerberos 4 protocol.
For the better part of the last decade there has been concern regarding the cryptographic strength of the DES cipher when used as a building block within systems intended to provide authentication and/or data integrity and privacy. Kerberos 4 and RXKAD are not extensible and cannot negotiate non-DES key types. As a result, efforts to migrate away from Kerberos 4 based authentication at higher-risk organizations have been underway since the mid-to-late 90s. Ken Hornstein issued the first of his Kerberos 5 migration kits for AFS in May 1999.
In March 2003, the continued use of single DES and kauth as the basis for OpenAFS security became a real-world threat when a significant Kerberos 4 cross-realm vulnerability was published. The OpenAFS community was notified in security advisory OPENAFS-SA-2003-001, which can be found at http://www.openafs.org/security.
As a result of the mounting concerns regarding the strength of DES, NIST announced in May 2003 the withdrawal of FIPS 43-3 "Data Encryption Standard (DES)" as well as the associated FIPS 74 and FIPS 81. In other words, NIST announced that DES and its derivatives could no longer be used by the United States Government and should no longer be used by those that trust its lead.
In July 2003 MIT announced the end of life of the Kerberos 4 protocol, which is distributed for backward compatibility as part of the MIT Kerberos 5 distribution. A copy of that announcement can be found at http://web.mit.edu/kerberos/krb4-end-of-life.html.
Since then the OpenAFS gatekeepers and the development community have continued to strengthen the support for Kerberos 5. By 1.2.11, protocol support for the use of Kerberos 5 tickets within the rxkad security class was complete for all of the Kerberos 5 DES enctypes. As part of the OpenAFS 1.4 series, integrated support for aklog and asetkey, as well as support for the large Kerberos 5 tickets generated by Microsoft's Active Directory, was added.
With the release of 1.4, OpenAFS can be used with Kerberos 5 KDCs without any externally supported packages other than the Kerberos 5 library. Either MIT or Heimdal Kerberos 5 libraries can be used to build the support tools. For the KDC, you can use any Kerberos 5 KDC implementation (MIT, Heimdal, Microsoft Active Directory, ...).
The 2004, 2005, and 2006 workshops contained presentations from various organizations on how to migrate your cell to Kerberos 5 or install a new cell using Kerberos 5 in place of kaserver. The 2005 and 2006 workshops had one-day tutorials on Kerberos 5 installation, configuration, and administration.
With this historical foundation in place, the OpenAFS Elders are officially announcing the deprecation of kaserver and endorsing the following roadmap for transitioning from single DES to stronger ciphers:
- Effective immediately, kaserver releases will log a warning at startup stating that kaserver support has been deprecated and that a migration to a Kerberos 5 solution should begin.
- Before the 1.6 release, the build system will be modified to optionally enable OpenAFS without kaserver.
- After the 1.6 release, the build system will be modified to build OpenAFS without kaserver unless it is specifically requested.
- The OpenAFS Elders encourage volunteers to assist in updating the OpenAFS documentation to include instructions on installing or migrating to Kerberos 5 KDCs (MIT, Heimdal, Active Directory, ...).
- The OpenAFS Elders endorse the development of new PAM AFS solutions maintained outside the OpenAFS source tree.
- The OpenAFS Elders endorse the development of the rxk5 and rxgk security classes in order to enable the use of Kerberos 5 ciphers other than single DES for both authentication and data security between AFS clients and servers.
- When OpenAFS is capable of supporting Kerberos 5 with non-DES ciphers the major version number will be changed to "2".
- The kaserver will be removed from the source tree no sooner than one year after the OpenAFS 2.0 release.
- The rxkad security class will become deprecated no sooner than one year after the OpenAFS 2.0 release. It will first be disabled by default on clients, then disabled by default on servers, and eventually it will be removed from the source tree. Further details will be announced as part of the OpenAFS 2.0 release.
If a significant security hole is identified in either kaserver or DES prior to its removal from the OpenAFS source tree, the OpenAFS Elders reserve the right to accelerate this timetable.
Signed, the OpenAFS Elders.