Stay away from the bleeding edge

The newest Mac operating system is named for the Yosemite Valley, which boasts beautiful, precipitous cliffs. Be just as cautious adopting the latest OS on your Fermilab computer as you would in approaching a cliff’s edge. Photo: Yosemite National Park

I have written previously about security vulnerabilities associated with running unsupported operating systems, focusing on keeping patches and fixes up to date. However, there are also dangers in running new versions of operating systems too soon.

When new versions of popular operating systems become available, Fermilab’s Desktop Engineering Group evaluates these new releases and tests that all standard applications can still run properly. These tests are rigorous and thorough to ensure that nothing will break. Complex software interdependencies can make this process time-consuming.

Only after these tests are complete is the new system declared as supported by the laboratory. Afterward, lab systems are automatically upgraded, and users are then able to take advantage of features of the new OS. But upgrading to new releases too soon, before this testing process is complete, may have surprising consequences.

A current example is the difficulty of using Fermilab’s Kerberos systems with the newest Mac OS version, Mac OS 10.10 (Yosemite). Aspects of this OS version are incompatible with the version of Kerberos used at Fermilab. So those who upgrade prematurely will find Kerberos usage — from certificates to logging in — broken.

These developments have prompted Fermilab’s Authentication Group to advance existing plans for modernizing our Kerberos infrastructure and to accelerate this work, carrying it out within the next six weeks (instead of the next six months, as originally planned). This work involves building new software for the Fermilab Kerberos Key Distribution Centers (KDCs) that uses more modern encryption standards in order to work with Yosemite. It will also involve replacing our outdated cryptocards with more modern hardware tokens for Kerberos logins. Of course, as the KDC code is modified, we must test to ensure all existing Kerberos applications continue to work properly. When this work is completed, Kerberos will no longer be an obstacle to upgrading to Yosemite.

So please continue to keep your operating systems updated, but don’t get too far ahead of the curve. As a reminder, unsupported operating systems, whether too old or too new, may be blocked from laboratory networks. Please contact the Service Desk if you need to upgrade (or roll back).

Irwin Gaines