[Cvsnt] Kerberos: gserver and SSPI
Francis Irving
francis.irving at creaturelabs.com
Fri Apr 12 11:02:45 BST 2002
Thanks for the detailed reply Brian. I do have a few more questions
still.
- SSPI first tries to use Kerberos, otherwise it uses NTLM. Am I
right that this is Windows doing this? If later on Microsoft add some
other security protocols, it would automatically use those, if the
SSPI API does?
- Is there a user-level term for "SSPI"? That seems to be more than an
API that you use to talk to Windows. Just describing it as "Windows
authentication (:sspi:)" might be reasonable.
- How does SSPI relate to :ntserver:? Which is more secure, is
ntserver being deprecated?
- Can SSPI connect to a Unix CVS server? (With Samba?)
Thanks for all your help,
Francis (still getting his head round this to work out how to describe
them in the user interface ;)
On Thu, 11 Apr 2002 12:13:21 -0500, Brian Smith
<brian-l-smith at uiowa.edu> wrote:
>:gserver: works with:
> Windows 2000/XP
> Linux
> Sun Solaris
> [probably any other unix including Mac OS X]
>
>:sspi: works with:
> Windows 98/NT4/2000/XP
>
>Both SSPI and Kerberos support encryption and message authentication.
>Both SSPI and Kerberos use domain (realm) credentials to authenticate
>users. Both SSPI and Kerberos support the server settings that require
>the user to use encryption and/or message digests.
>
>:gserver: always uses Kerberos (CVS can be patched to work with a
>GSSAPI implementation but currently the code assumes that the GSSAPI
>implementation is Kerberos). That is why it is cross-platform compatible
>but doesn't work with Windows 95/98/NT.
>
>:gserver: always uses the credentials of the currently logged on user on
>the client (i.e. your domain credentials). You can use the Windows
>2000/XP "runas" command to use CVS :gserver: with other credentials
>(untested).
>
>:gserver: has two implementations: one uses the MIT Kerberos
>distribution and the default implementation uses the Windows 2000/XP
>Kerberos SSP.
>
>SSPI will use Kerberos if both the client and the server support it
>(i.e. Client is Windows 2000/XP and Server is Windows 2000/XP).
>Otherwise it will use NTLM. It actually uses the Windows authentication
>negotiation mechanism (on Windows 2000/XP). That is why it is not
>cross-platform but it is compatible with Windows 95/98/NT.
>
>If you think that Kerberos is "more secure" than NTLM then you would
>consider :gserver: to be "more secure" than SSPI because SSPI will let
>people use NTLM. If you want to enforce Kerberos and/or NTLM2 then you
>have to do extra configuration in the Windows local security policy.
>
>SSPI has a special CVSROOT form (:sspi:username[:password]@server:/host)
>that allows you to specify the username and password you want to
>authenticate with (when you don't want to log in with your default
>credentials) on the command line without using "runas". If you use this
>form, the password is saved in the client's CVS password cache (in the
>registry, I believe).
>
>In general, if all of your clients are on Windows 2000/XP then I would
>prefer :gserver: over :sspi: because:
> (1) I don't like NTLM
> (2) It is cross-platform (so you can add Unix clients later)
> (3) I made the patch to implement the
> Kerberos/WindowsSSP implementation ;)
>
>Let me know if you have more questions.
>
>- Brian
>
>Francis Irving wrote:
>> Can somebody explain to me the difference between gserver and SSPI?
>> Is there any documentation on them, or how to use them?
>>
>> I would like to know so I can put an appropriate description in the
>> checkout dialog box for TortoiseCVS, but I'm curious anyway as I've
>> never used Kerberos.
>>
>> Francis
>
_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
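As an added example (not part of the thread, and not CVSNT's own code), a small Python parser for the :sspi:/:gserver: CVSROOT form Brian describes. It flags an embedded password (the value CVSNT would save in the client's password cache) and produces a log-safe form. The grammar below, the hostname cvs.example.invalid and the sample credentials are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Grammar assumed here from the ":sspi:username[:password]@server:/host"
# form quoted in the thread (the CVSNT documentation is authoritative):
#   :method:[user[:password]@]host:/path
_CVSROOT_RE = re.compile(
    r"^:(?P<method>[A-Za-z]+):"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>[^:/]+):?(?P<path>/.*)$"
)


@dataclass
class CvsRoot:
    method: str
    user: Optional[str]
    password: Optional[str]
    host: str
    path: str


def parse_cvsroot(root: str) -> CvsRoot:
    """Split a :gserver:/:sspi: style CVSROOT into its fields."""
    m = _CVSROOT_RE.match(root)
    if not m:
        raise ValueError(f"unrecognised CVSROOT: {root!r}")
    return CvsRoot(m["method"].lower(), m["user"], m["password"],
                   m["host"], m["path"])


def redact(root: str) -> str:
    """Return the CVSROOT with an embedded password masked, safe for logs."""
    r = parse_cvsroot(root)
    if r.password is None:
        return root
    return f":{r.method}:{r.user}:***@{r.host}:{r.path}"


def assess(root: str) -> List[str]:
    """Credential-handling findings for this CVSROOT, per the thread."""
    r = parse_cvsroot(root)
    findings = []
    if r.password is not None:
        findings.append("password embedded in CVSROOT; CVSNT saves it in "
                        "the client's password cache")
    if r.method == "sspi":
        findings.append("SSPI negotiates Kerberos or NTLM; NTLM is accepted "
                        "unless local security policy forbids it")
    elif r.method == "gserver":
        findings.append("gserver uses Kerberos only, with the logged-on "
                        "user's credentials")
    return findings
```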