Kerberos version 4 Phase Out


Kerberos version 4 was initially deployed at MIT in the late 1980s as part of Project Athena. Version 5 of the protocol was initially deployed at MIT starting in 1997. The time has come to prepare for a full transition to Kerberos version 5.

In order to plan and implement the future of the IT architecture at MIT, it is necessary to phase out older technologies that no longer provide a clear cost benefit to the community or may present long term risk to our infrastructure. In particular version 4 Kerberos makes use of encryption technology that although still secure today, may not be so in the future. It is therefore important that we begin the serious migration of applications to version 5 of Kerberos. Version 5 provides stronger encryption algorithms as well as the ability to phase in new algorithms without changing the version of Kerberos itself.

New projects or applications that are planning to use Kerberos as an authentication protocol should be written to use version 5 of the Kerberos protocol.

Any project team planning to perform maintenance on an application that uses v4 should consider planning to migrate to v5 while planning and budgeting for the maintenance task.

During the next year Information Services and Technology along with the Information Technology Architecture Group will be gathering information and planning the transition away from v4.

In preparing for this project Information Services and Technology has created the following web site:

        <TBD>

The website highlights:

 * The differences between Kerberos version 4 and version 5

 * How a project manager, developer or user can determine if an application uses Kerberos v4 or v5

 * Information for application developers to migrate from v4 to v5

 * A list of identified applications and services that are using v5 today

 * A list of identified applications and services that are still using v4 today

 * Other frequently asked questions

 * Publication of a contact address both for questions and to provide information on v4 applications that we may not already be aware of.

Information Services and Technologies encourages the MIT community to assess their use of applications using Kerberos version 4 and to migrate to applications that use version 5 wherever possible. Any questions or feedback on the retirement effort or website may be emailed to:

        <TBD>

Please assist us with communicating this information within the MIT Community by forwarding this announcement to other interested colleagues and raising the topic at relevant meetings. During the coming year we will provide periodic updates to the web site however a detailed timeline should not be expected prior to January of 2006.

Applications which are affected by the retirement of Version 4

Applications which use version 5

News and updates regarding the retirement of Version 4