
Re: Kerberos SNC Shim and OSX Yosemite

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Thu Jul 2 08:52:04 2015

Date: Thu, 2 Jul 2015 08:51:43 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jeffery Dowell <jeffery.dowell@duke.edu>
In-Reply-To: <BLUPR05MB167345B334820706EE932C2E9A80@BLUPR05MB167.namprd05.prod.outlook.com>
Message-ID: <alpine.GSO.1.10.1507020845380.22210@multics.mit.edu>
MIME-Version: 1.0
Cc: "Kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, 1 Jul 2015, Jeffery Dowell wrote:

> Hello Everyone,
>
> I have a question for the community regarding the Kerberos SNC shim. I am currently trying to get authentication to SAP through Kerberos working on OSX 10.10 (Yosemite). In Yosemite, Apple has removed support for DES, which means that I can't get a Kerberos ticket from Kerberos systems still using DES. As a workaround, I am using a heimdal implementation to request a ticket and have it appear in the Mac ticket viewer. However, when I open SAP I get the error:
> GSS-API(min):Encryption type des-cbc-md4-deprecated not supported
> I am using the Shim SNC adapter from Ben on GitHub to fix the 32/64 bit
> java issue that was found a while back. It appears that SAP interfaces
> with this adapter but that the adapter doesn't see my ticket. The ticket
> does appear in the OSX ticket viewer and seems usable to the rest of the
> system.

I am curious what you mean by "seems usable to the rest of the system" --
my understanding was that Yosemite had completely removed support for
using single-DES enctypes.  That is, you may be able to list it, but I
would be surprised if you could actually do anything else with it.

Apple is well-justified in the removal; single-DES is deprecated for use
in Kerberos (RFC 6649) and provides only negligible security (keys can be
brute-forced in under a day for around $50).  My personal advice would be
to take this as a strong signal to update the Kerberos infrastructure away
from single-DES.

> Should I insert my heimdal ticket in a different manner?
> Is there a heimdal equivalent for the MIT shim?
> Perhaps there is an all MIT Kerberos option for sidestepping the Apple
> implementation?

That said, the SNC shim should work just fine if linked against a
different kerberos implementation, such as the heimdal you are using to
acquire the single-DES ticket in the above scenario.  Instead of using
-framework GSS to link it, use the normal -L/path/to/heimdal/lib -lgssapi,
and you will also need to change the include statement in sncgss.c from
<GSS/gssapi.h> to the corresponding include for heimdal (<gssapi.h> or
<gssapi/gssapi.h>), and add -I/path/to/heimdal/include on the compiler
command line.

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
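As an added example (not part of Ben's reply or of the SNC shim project), a small POSIX shell check that scans `klist -e` output for the single-DES enctypes (des-cbc-crc, des-cbc-md4, des-cbc-md5) that RFC 6649 deprecates and that Yosemite no longer supports, so an administrator can see which services are still issuing such tickets before moving the infrastructure off single-DES. The klist output below is constructed sample data, not captured from a real system.

```shell
#!/bin/sh
# Added example: find Kerberos tickets whose session-key or ticket enctype
# is single DES.  Feed it the output of `klist -e` (MIT format).

# Constructed sample of `klist -e` output; not from a real credential cache.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
07/02/2015 08:00:00  07/02/2015 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/02/2015 08:01:00  07/02/2015 18:00:00  SAP/sapsrv.example.com@EXAMPLE.COM
        Etype (skey, tkt): des-cbc-md4, des-cbc-md4
07/02/2015 08:02:00  07/02/2015 18:00:00  HTTP/www.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes128-cts-hmac-sha1-96, des-cbc-crc'

# single_des_services: read `klist -e` output on stdin and print the service
# principal of every ticket whose "Etype (skey, tkt)" line names a
# single-DES enctype.  Ticket lines start with the date; the following
# indented Etype line belongs to that ticket.  des3-* does not match because
# the pattern requires "des-cbc-" followed by crc, md4 or md5.
single_des_services() {
    awk '
        /^[0-9]/ { svc = $NF; next }
        /Etype/ && /des-cbc-(crc|md4|md5)/ { print svc }
    '
}

# count_single_des: number of flagged tickets, handy as a fleet-wide metric.
count_single_des() {
    single_des_services | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.  Real use: klist -e | single_des_services
printf '%s\n' "$SAMPLE_KLIST" | single_des_services
```

Any principal printed is a service whose keys (or the client's session key) still rely on single DES and should be rekeyed with a modern enctype.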