On Wed, 1 Jul 2015, Jeffery Dowell wrote:
> Hello Everyone,
>
> I have a question for the community regarding the Kerberos SNC shim. I am
> currently trying to get authentication to SAP through Kerberos working on OSX
> 10.10 (Yosemite). In Yosemite, Apple has removed support for DES, which means
> that I can't get a Kerberos ticket from Kerberos systems still using DES. As
> a workaround, I am using a Heimdal implementation to request a ticket and have
> it appear in the Mac ticket viewer. However, when I open SAP I get the error:
> GSS-API(min):Encryption type des-cbc-md4-deprecated not supported
> I am using the Shim SNC adapter from Ben on GitHub to fix the 32/64 bit
> Java issue that was found a while back. It appears that SAP interfaces
> with this adapter but that the adapter doesn't see my ticket. The ticket
> does appear in the OSX ticket viewer and seems usable to the rest of the
> system.
I am curious what you mean by "seems usable to the rest of the system" -- my understanding was that Yosemite had completely removed support for using single-DES enctypes. That is, you may be able to list it, but I would be surprised if you could actually do anything else with it. Apple is well-justified in the removal; single-DES is deprecated for use in Kerberos (RFC 6649) and provides only negligible security (keys can be brute-forced in under a day for around $50). My personal advice would be to take this as a strong signal to update the Kerberos infrastructure away from single-DES.

> Should I insert my heimdal ticket in a different manner?
> Is there a heimdal equivalent for the MIT shim?
> Perhaps there is an all MIT Kerberos option for sidestepping the Apple
> implementation?

That said, the SNC shim should work just fine if linked against a different Kerberos implementation, such as the Heimdal you are using to acquire the single-DES ticket in the above scenario. Instead of using -framework GSS to link it, use the normal -L/path/to/heimdal/lib -lgssapi; you will also need to change the include statement in sncgss.c from <GSS/gssapi.h> to the corresponding include for Heimdal (<gssapi.h> or <gssapi/gssapi.h>), and add -I/path/to/heimdal/include on the compiler command line.

-Ben
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
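As an added diagnostic example (not part of the thread or of the SNC shim), the following Python reads a FILE-type credential cache in the version-4 layout shared by MIT Kerberos and Heimdal and reports every credential whose session key uses a single-DES enctype, which is what the Yosemite GSS framework refuses to use. The sample cache bytes and principal names are constructed inline; no real ticket is involved.

```python
import struct

# Single-DES enctype numbers (RFC 3961 assignments; deprecated by RFC 6649)
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

# --- minimal reader for the MIT/Heimdal FILE ccache, format version 4 -------
def _u16(b, o): return struct.unpack_from(">H", b, o)[0], o + 2
def _u32(b, o): return struct.unpack_from(">I", b, o)[0], o + 4
def _data(b, o):                       # counted octet string: uint32 length + bytes
    n, o = _u32(b, o); return b[o:o + n], o + n
def _principal(b, o):                  # name_type, component count, realm, components
    _, o = _u32(b, o); n, o = _u32(b, o); realm, o = _data(b, o); comps = []
    for _ in range(n):
        c, o = _data(b, o); comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), o

def weak_tickets(ccache: bytes):
    """Return [(server_principal, enctype_name)] for credentials whose session key is single DES."""
    ver, o = _u16(ccache, 0)
    if ver != 0x0504: raise ValueError("only ccache format v4 is handled here")
    hlen, o = _u16(ccache, o); o += hlen          # skip header tags (e.g. KDC time offset)
    _, o = _principal(ccache, o)                  # default principal
    found = []
    while o < len(ccache):
        _, o = _principal(ccache, o)              # client principal
        server, o = _principal(ccache, o)
        etype, o = _u16(ccache, o)                # keyblock: enctype, then key bytes
        _, o = _data(ccache, o)
        o += 4 * 4 + 1 + 4                        # auth/start/end/renew times, is_skey, ticket flags
        for _ in range(2):                        # address list, then authdata list
            n, o = _u32(ccache, o)
            for _ in range(n):
                _, o = _u16(ccache, o); _, o = _data(ccache, o)
        _, o = _data(ccache, o); _, o = _data(ccache, o)   # ticket, second_ticket
        if etype in DES_ENCTYPES:
            found.append((server, DES_ENCTYPES[etype]))
    return found

# --- constructed sample cache (not a real capture): one DES and one AES ticket
def _d(x): return struct.pack(">I", len(x)) + x
def _p(name):
    comps, realm = name.split("@"); comps = comps.split("/")
    return struct.pack(">II", 1, len(comps)) + _d(realm.encode()) + b"".join(_d(c.encode()) for c in comps)
def _cred(client, server, etype, key):
    return (_p(client) + _p(server) + struct.pack(">H", etype) + _d(key)
            + struct.pack(">IIIIBIII", 0, 0, 0, 0, 0, 0, 0, 0)   # times, is_skey, flags, 0 addrs, 0 authdata
            + _d(b"opaque-ticket") + _d(b""))
SAMPLE_CCACHE = (struct.pack(">HH", 0x0504, 0) + _p("user@EXAMPLE.COM")
                 + _cred("user@EXAMPLE.COM", "sap/app01.example.com@EXAMPLE.COM", 2, b"\x01" * 8)
                 + _cred("user@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM", 18, b"\x02" * 32))
```

Running weak_tickets on the bytes of a real cache (the path given by KRB5CCNAME, or /tmp/krb5cc_UID) shows which services still hand out single-DES session keys and therefore need their keys re-rolled on the KDC.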