How can one enable DES-encrypted keys on an Apple KDC?

Question

We are running a KDC on OS X 10.10 Yosemite, to which we have added a service principal for remotely accessing a (legacy) host:

$ kadmin add -r host/a.b.c.d@REALM

Since the host only supports des-cbc-crc key encryption, we then tried (unsuccessfully) to add that:

$ kadmin add_enctype -r host/a.b.c.d@REALM des-cbc-crc
kadmin: bad enctype "des-cbc-crc"

Thinking that DES is (quite sensibly) disabled by default, we tried placing allow_weak_crypto=true in the [libdefaults] section of /var/db/krb5kdc/kdc.conf and restarting the kdc process, but to no avail.

Many hours have been spent thrashing around, but have born no fruit. Surely Apple haven't compiled Kerberos without any support for DES? How do we solve this?

Is [--disable-des](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/kdc.8.html) set? — HopelessN00b, Dec 15 '14 at 19:10

score 4 · Accepted Answer · answered Dec 15 '14 at 19:17

Surely Apple haven't compiled Kerberos without any support for DES?

Well, actually, it looks like they did in 10.10/Yosemite. And after the mess they made of Kerberos in 10.07/Lion... you have my sincere condolences.

The functionality that krb5-weak.conf tries to achieve won't be needed on OS X from Yosemite (10.10) on forwards, since Yosemite's Kerberos removes the support for 1-DES encryption types and thus allow_weak_crypto does not have any effect whatsoever. (We know this because of testing the beta versions and talking to Apple; this is one reason why we are in the process of rxkad'ing our AFS.)

And here's another source, which contains a handy link on upgrading older realms to modern crypto algorithms.

Good find. Now for a workaround...! – eggyal Dec 15 '14 at 19:21 — eggyal, Dec 15 '14 at 19:21

How can one enable DES-encrypted keys on an Apple KDC?

1 Answers1