Re: Compiling on Solaris8

2015-07-02 Thread Benjamin Kaduk
There are automated nightly builds on solaris 9, so it has a good chance
of working.  Try it and report back!

-Ben Kaduk

On Wed, 1 Jul 2015, Arewe There wrote:

> Hello,
>
> I'm trying to compile the latest release 1.13 on a Solaris 8 x86 box using
> gcc 4.2. Has anyone tried it? Is it even possible? Same question for a
> Solaris 8 sparc box.
>
> Thanks.
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



Re: Kerberos SNC Shim and OSX Yosemite

2015-07-02 Thread Benjamin Kaduk
On Wed, 1 Jul 2015, Jeffery Dowell wrote:

> Hello Everyone,
>
> I have a question for the community regarding the Kerberos SNC shim. I am 
> currently trying to get authentication to SAP through Kerberos working on OSX 
> 10.10 (Yosemite). In Yosemite, Apple has removed support for DES, which means 
> that I can't get a Kerberos ticket from Kerberos systems still using DES. As a
> workaround, I am using a heimdal implementation to request a ticket and have
> it appear in the Mac ticket viewer. However, when I open SAP I get the error:
> GSS-API(min):Encryption type des-cbc-md4-deprecated not supported
> I am using the Shim SNC adapter from Ben on GitHub to fix the 32/64 bit
> java issue that was found a while back. It appears that SAP interfaces
> with this adapter but that the adapter doesn't see my ticket. The ticket
> does appear in the OSX ticket viewer and seems usable to the rest of the
> system.

I am curious what you mean by "seems usable to the rest of the system" --
my understanding was that Yosemite had completely removed support for
using single-DES enctypes.  That is, you may be able to list it, but I
would be surprised if you could actually do anything else with it.

Apple is well-justified in the removal; single-DES is deprecated for use
in Kerberos (RFC 6649) and provides only negligible security (keys can be
brute-forced in under a day for around $50).  My personal advice would be
to take this as a strong signal to update the Kerberos infrastructure away
from single-DES.

> Should I insert my heimdal ticket in a different manner?
> Is there a heimdal equivalent for the MIT shim?
> Perhaps there is an all MIT Kerberos option for sidestepping the Apple
> implementation?

That said, the SNC shim should work just fine if linked against a
different kerberos implementation, such as the heimdal you are using to
acquire the single-DES ticket in the above scenario.  Instead of using
-framework GSS to link it, use the normal -L/path/to/heimdal/lib -lgssapi,
and you will also need to change the include statement in sncgss.c from
 to the corresponding include for heimdal ( or
), and add -I/path/to/heimdal/include on the compiler
command line.

-Ben
