There are basically three options with several variants

• KaServer -- the standard option to comes with IBMAFS, implements KerberosIV^? with some custom features.
• KerberosIV^? -- the original MIT implementation, and Krb4KTH^?, an export version of KerberosIVMIT^? (aka "bones"), but with encryption support put back in by the fine folks at KTH.
• KerberosV -- version five of this protocol has numerous improvements over version four and is available from many sources: MIT, DCE, Microsoft (aka ActiveDirectory) and HeimdalKTH.

The consensus these days is to use KerberosV, even though lacking native support for V5, AFS still needs various conversion and migration tools. See KerberosAFSInstall for (what will be) a step-by-step procedure to install a new OpenAFS cell where authentication is handled by a KerberosV realm.

For KerberosV, there are two main open-source solutions for Unix: KerberosVMIT and HeimdalKTH. A quick comparison of the two:

KerberosVMIT Advantages:

• Excellent documentation
• The "reference" implementation everyone else uses as a baseline
• Great library support. Third-party software compiles easily with the libraries MIT provides.

KerberosVMIT Disadvantages:

• Poor integration with AFS. Requires the AFS-Kerberos5 migration kit to work with AFS.
• Export issues

HeimdalKTH Advantages:

• Excellent integration with AFS.

HeimdalKTH Disadvantages:

• Client API is just different enough from MIT to keep most applications from compiling out of the box.

Note that you can mix-and-match. Currently I'm using a HeimdalKTH KDC with KerberosVMIT clients. If you take this route the one big thing to watch out for is administrative tools - kadmin, kpasswd, and such.

Some other topics that should be explained.

• SSH -- There are two issues. First is mutually authenticating you and the SSH server to each other using Kerberos. See KerberosV for a link to patches to kerberize OpenSSH^?. Second is passing local AFS authentication to the remote shell (in this case an AFS Client) in the form of AFS service tickets (tokens).
  • these instructions from CharlesClancy^? for building openssh might be useful http://lists.openafs.org/pipermail/openafs-info/2002-January/002846.html
  • another perspective from OwenLeBlanc^? http://lists.openafs.org/pipermail/openafs-info/2002-January/002856.html
  • SSHKeyAuthentication
• How to choose between KaServer, KerberosVMIT, HeimdalKTH and ActiveDirectory.
• StringToKey issues.
• Authenticating applications that need AFS access and can't depend upon human interaction to enter a password.
• ProcessAuthenticationGroups (aka PAGs).
• KeyVersonNumber^? (aka kvno) synchronization.
• AccessControlLists (aka ACLs).
• IPAccessControl -- how to put IP addrs on ACLs
• How to configure various authentication servers to issue tickets (tokens) with lifetimes longer than 25 hours.
• IntegrationWithNIS. See the GeneralFAQ, but basically you use NIS vis NSS for names of users and Kerberos via PAM for authentication. There is still the question of integrating group management.
• OtherGroupServers^? are not well integrated as far as I know. The big ones are ActiveDirectory and NIS^? and maybe some LDAP systems. While one could imagine wrapping a PtServer^? interface around such a thing, there are probably some features that would make seamless integration difficult. Has anyone seriously looked into this?
  • In a 10-Oct-2002 message from DerrickBrashear: ...something to allow LDAP queries of the PTS database... /afs/andrew.cmu.edu/usr/shadow/back-pts.tar.gz / The README inside explains how it works.

-- TedAnderson - 22-24, 29 Jan 2002
-- JasonGarman^? - 30 Jan 2002
-- TedAnderson - 06-07 Feb, 11 Oct 2002
-- TedAnderson - 27 Feb 2003

See AuthCommands.