[38] in athena10
Building our own Kerberos
daemon@ATHENA.MIT.EDU (Tim Abbott)
Sat Jan 12 00:44:09 2008
Date: Sat, 12 Jan 2008 00:43:57 -0500 (EST)
From: Tim Abbott <tabbott@MIT.EDU>
To: athena10@mit.edu
cc: debathena@mit.edu
Message-ID: <Pine.LNX.4.64L.0801120022320.26368@mega-man.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Hello,

Currently, debathena rebuilds Kerberos in order to change the default
behavior of kinit to get Kerberos 4 tickets, i.e. "kinit -54" rather than
"kinit -5". This is a somewhat annoying maintenance burden because
Kerberos has security updates with some frequency.

We recently (mid-November) changed the "renew" alias in the Debathena
system dotfiles to call "kinit -54" rather than simply "kinit" (this was
motivated in part by the fact that Debathena doesn't require users to
install the modified Kerberos binaries).

We were planning to eventually stop building a modified Kerberos, and
expect users who want to get Kerberos 4 tickets as well as Kerberos 5
tickets to type "renew" or "kinit -54" rather than "kinit". I don't have
a good feel for whether most Athena users are taught to use "kinit" or
"renew" when they need new credentials (or what the timeline is for
Kerberos 4 no longer being necessary at MIT), but it seemed that this
issue is probably worth discussing what Athena 10 will do before deciding
to remove this feature from Debathena.

Eliminating the need to build our own bash and tcsh seems more difficult.

-Tim Abbott