Investigate alternatives to our existing MIT Kerberos authentication infrastruct

Description: Investigate the possibility of moving our KDC (and KCA) infrastructure from MIT Kerberos to Heimdal, and the implications thereof. Investigate the alternative possibility of outsourcing it to EASE.


Produce a report on the pros and cons of sticking with MIT Kerberos or migrating to Heimdal, and on the pros and cons of outsourcing to EASE.

Make recommendations as to how we should proceed, and when we should next review the situation.

(Any actual migration would be done as a separate project.)


Customer: All

Case statement:

We adopted MIT Kerberos by default when the DICE project started. Heimdal is now definitely a viable alternative, and is being taken up by a number of large sites and distributions. We should take a proper look and make an informed decision rather than just carrying on blindly.

The alternative suggestion of outsourcing to EASE has also been made. On previous occasions we and IS have concluded that this wouldn't be a good idea, but as we haven't looked recently we should consider this option if we are reviewing our authentication infrastructure anyway.


Status: To be added to the 2013T1 bundle.

Timescales: It should be possible to investigate and report within a T.


Time: Estimate a couple of weeks to get sufficiently to grips with Heimdal and to work through the implications.


Proposal: Investigate. Report.

Resources: If we migrated to Heimdal we would expect to run on existing KDC hardware (or planned replacements). If we outsourced to EASE there might be resource implications which can't be specified at the outset but which would be reported on as part of the project.

Plan: Other large sites have migrated, so it should be possible to tap into existing tools and experience.



Risks: Breaking authentication!


