Thursday January 8 2009
Information Technology Central Services at the University of Michigan

Kerberos 4 to Kerberos 5 Transition: Turning Off K4

While most computing services at U-M that use Kerberos authentication are already using Kerberos 5, some are still using Kerberos 4. In addition, a small number of individuals are still using old K4 clients on their workstations.

Our goal is to stop most K4 use at U-M by November 2006, only allowing requests from IPs for which special arrangements have been made. By March 2007, all use of K4 at U-M will cease.

This web page describes the steps we have taken thus far and the steps that still remain before use of K4 can be stopped.

February 2006

  • ITCS installed software on the Kerberos machines that allows us to filter out K4 requests by IP address.

March 2006

  • Implemented Advanced Encryption Standard (AES) for Kerberos authentication. Anyone who changes their password from here on will get an AES key in the Kerberos KDC.

April 2006

Stopped allowing K4 requests from off-campus IP addresses. This affected a small number of people who were using OpenAFS with Kerberos 4.

September 2006

  • Announce October and November deadlines to campus IT staff.

October 2006

  • Mid October. Enabled Kerberos pre-authentication on the KDC.

  • Oct. 13. Deadline for requesting that K4 still be allowed from departmental IPs.

  • Mid-October. Departments asked to stop use of K4 by this deadline.

November 2006

  • Mid-November. ITCS began filtering out requests for K4 tickets by IP address. This was done in a phased manner. K4 requests were allowed only from those IPs for which arrangements were made in October.

March 2007

  • Weekend of March 24-25. Stop serving K4 requests from U-M networks.

This page last verified March 6, 2007

«Return to K4-to-K5 Transition Home

 
ITCS
Information Technology Central Services at the University of Michigan

ITCS Home  |  Contact ITCS  |  U-M IT Resources  |  Wolverine Access  |  University of Michigan