Kerberos SNC Shim and OSX Yosemite

Benjamin Kaduk kaduk at MIT.EDU
Thu Jul 2 08:51:43 EDT 2015


On Wed, 1 Jul 2015, Jeffery Dowell wrote:

> Hello Everyone,
>
> I have a question for the community regarding the Kerberos SNC shim. I am currently trying to get authentication to SAP through Kerberos working on OSX 10.10 (Yosemite). In Yosemite, Apple has removed support for DES, which means that I can't get a Kerberos ticket from Kerberos systems still using DES. As a workaround, I am using a heimdal implementation to request a ticket and have it appear in the Mac ticket viewer. However, when I open SAP I get the error:
> GSS-API(min):Encryption type des-cbc-md4-deprecated not supported
> I am using the Shim SNC adapter from Ben on GitHub to fix the 32/64 bit
> java issue that was found a while back. It appears that SAP interfaces
> with this adapter but that the adapter doesn't see my ticket. The ticket
> does appear in the OSX ticket viewer and seems usable to the rest of the
> system.

I am curious what you mean by "seems usable to the rest of the system" --
my understanding was that Yosemite had completely removed support for
using single-DES enctypes.  That is, you may be able to list it, but I
would be surprised if you could actually do anything else with it.

Apple is well-justified in the removal; single-DES is deprecated for use
in Kerberos (RFC 6649) and provides only negligible security (keys can be
brute-forced in under a day for around $50).  My personal advice would be
to take this as a strong signal to update the Kerberos infrastructure away
from single-DES.

> Should I insert my heimdal ticket in a different manner?
> Is there a heimdal equivalent for the MIT shim?
> Perhaps there is an all MIT Kerberos option for sidestepping the Apple
> implementation?

That said, the SNC shim should work just fine if linked against a
different Kerberos implementation, such as the heimdal you are using to
acquire the single-DES ticket in the above scenario.  Instead of using
-framework GSS to link it, use the normal -L/path/to/heimdal/lib -lgssapi,
and you will also need to change the include statement in sncgss.c from
<GSS/gssapi.h> to the corresponding include for heimdal (<gssapi.h> or
<gssapi/gssapi.h>), and add -I/path/to/heimdal/include on the compiler
command line.

-Ben

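The rebuild Ben describes (swap the include, drop -framework GSS, point the compiler and linker at Heimdal) written out as a small POSIX shell script. This is an added example, not code from the original thread or from the sncgss repository. It assumes Heimdal is installed under a single prefix with lib/ and include/ subdirectories, that the shim is built as one dylib from sncgss.c with cc, and that the output name sncgss.dylib and the header name passed to patch_include are what your installation actually uses; check the shim's own build instructions for the real target name and flags.

```shell
#!/bin/sh
# Added example: re-target the sncgss shim build from Apple's GSS framework
# to a Heimdal installation, following the steps in the reply above.
# Assumptions (not from the original post): Heimdal lives under $HEIMDAL_PREFIX
# with lib/ and include/ subdirectories, the header to use is <gssapi.h> (or
# <gssapi/gssapi.h>, passed as the third argument), and the shim is a single
# dylib built from sncgss.c with cc.
set -eu

# Rewrite the framework-style include to the Heimdal header.
# Writes to a copy so the original sncgss.c is left untouched.
patch_include() {
    src=$1 dst=$2 hdr=$3
    sed -e "s|#include <GSS/gssapi.h>|#include <$hdr>|" "$src" > "$dst"
}

# Compiler flags: the Heimdal include dir replaces the framework search path.
heimdal_cflags() {
    printf '%s' "-I$1/include"
}

# Linker flags: -L/-lgssapi replaces "-framework GSS".
heimdal_ldflags() {
    printf '%s' "-L$1/lib -lgssapi"
}

# Full build: patch the include, then compile and link against Heimdal.
# Only runs when HEIMDAL_PREFIX is set (see bottom of script).
build_shim() {
    prefix=$1
    patch_include sncgss.c sncgss-heimdal.c gssapi.h
    # Flags are intentionally unquoted so they split into separate arguments.
    # shellcheck disable=SC2046
    cc -dynamiclib $(heimdal_cflags "$prefix") -o sncgss.dylib \
        sncgss-heimdal.c $(heimdal_ldflags "$prefix")
}

# Offline check of the include rewrite on a constructed stand-in for the
# first lines of sncgss.c (not the real file); prints the rewritten include.
demo_patched_include() {
    tmp=$(mktemp -d)
    printf '#include <GSS/gssapi.h>\nint x;\n' > "$tmp/sncgss.c"
    patch_include "$tmp/sncgss.c" "$tmp/out.c" gssapi.h
    head -n 1 "$tmp/out.c"
    rm -rf "$tmp"
}

# Usage: HEIMDAL_PREFIX=/opt/heimdal sh build_sncgss.sh
if [ -n "${HEIMDAL_PREFIX:-}" ]; then
    build_shim "$HEIMDAL_PREFIX"
fi
```

Run it from the directory containing sncgss.c with HEIMDAL_PREFIX set to the Heimdal install root; without that variable it only defines the helpers. After building, confirm the result really links against Heimdal rather than the system framework with `otool -L sncgss.dylib`, which should list libgssapi from the Heimdal prefix and not /System/Library/Frameworks/GSS.framework.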
