Introduction

The intended audience of this document is members of the MIT Community wishing to know more about the technical implementation of Athena. Much of this document is taken verbatim from /mit/ghudson/info/athena, written by Greg Hudson, former Release Engineer for Athena.

...

There are two versions of the Kerberos protocol in use on Athena, 4 and 5. The Kerberos 5 protocol supports more features and different types of cryptographic algorithms, but is also a great deal more complicated. Kerberos 4 is being actively phased out, and is expected to be completely retired by early 2010.

See http://web.mit.edu/kerberos/www for more complete and precise information about Kerberos. Athena services which use Kerberos include AFS, discuss, zephyr, olc, moira, and remote login and FTP (when both parties support it).

...

AFS uses Kerberos 5 to authenticate. Since it is not reasonable for AFS kernel code to read Kerberos credential caches directly, AFS-specific credentials are stored into the kernel as "tokens". The kernel looks up tokens using a "process authentication group" or PAG, which is stored in the user's group list. If there is no PAG in the user's group list, the kernel falls back to looking up tokens by uid, which would mean that two separate logins would use the same tokens and that a user who does an "su" no longer uses the same tokens. Athena workstations do their best to ensure that each login gets a fresh PAG.

See http://www.openafs.org/ for more information about AFS.
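The token lookup rule described above can be modelled in a few lines. This is an added example, not Athena or OpenAFS code. It assumes the OpenAFS Linux convention of encoding a PAG as a single group id whose high byte is 0x41 ('A'); the function names and sample sessions are constructed for illustration.

```python
import os

PAG_MARKER = 0x41  # ASCII 'A'; assumed one-group PAG encoding (OpenAFS on Linux)

def pag_from_groups(groups):
    """Return the PAG id found in a group list, or None if there is none."""
    for gid in groups:
        if (gid >> 24) & 0xFF == PAG_MARKER:
            return gid
    return None

def token_key(uid, groups):
    """Model of the lookup described above: by PAG if present, else by uid."""
    pag = pag_from_groups(groups)
    return ("pag", pag) if pag is not None else ("uid", uid)

# Constructed sample sessions: (label, uid, group list)
SESSIONS = [
    ("login A, no PAG", 5001, [101, 5001]),
    ("login B, no PAG", 5001, [101, 5001]),
    ("login A after su, no PAG", 0, [0]),
    ("login C, fresh PAG", 5001, [101, 0x41000007]),
    ("login D, fresh PAG", 5001, [101, 0x41000008]),
    # PAG group carried across su (constructed to mirror the text above)
    ("login C after su", 0, [0, 0x41000007]),
]

def report(sessions):
    """Map each session label to the key its tokens would be looked up by."""
    return {label: token_key(uid, groups) for label, uid, groups in sessions}

if __name__ == "__main__":
    for label, key in report(SESSIONS).items():
        print(f"{label:26} -> tokens looked up by {key[0]} {key[1]}")
    # Check the live process: a "uid" result means it is in the fallback case.
    print("this process:", token_key(os.getuid(), os.getgroups()))
```

Logins A and B resolve to the same uid key and so share tokens, while C and D are isolated by their PAGs and C keeps its key across su.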

...