[Cvsnt] gserver impersonation

Brian Smith brian-l-smith at uiowa.edu
Tue Feb 26 21:49:50 GMT 2002


Tony Hoyle wrote:
> On Tue, 26 Feb 2002 11:16:44 +0000 (UTC), Brian Smith
> <brian-l-smith at uiowa.edu> wrote:
> I didn't think the security.dll supported anything but NTLM...  MS
> docs imply such, anyway.

I didn't explain clearly. My point was that the code will compile and
run on NT 4.0 with security.dll, but it will gracefully fail to use
Kerberos (since it isn't available) by returning CVSPROTO_NOTME during
authentication.

> The reason I used sspi and not ntlm is precisely because it supports
> multiple protocols.  sspi is quite capable of negotiating a common
> protocol for communication, so a kerberos enabled server should drop
> to ntlm with an nt4 client, and do full kerberos for a win2k client.

Well, maybe this is confusion on my part. I know there is an option to
have AcceptSecurityContext use a special "Negotiate" security SSP where
it does this automatically. But, I thought you had said earlier that
NT4.0 doesn't support negotiation so :sspi: was going to be NTLM-only.
Also, all of the functions in sspi.c are prefixed with "NTLM" so I
thought that was further evidence that :sspi: was going to be NTLM-only.

I can make the CVSNT SSPI code do negotiation without any problem, by
doing a check like this:

    "BEGIN GSSAPI REQUEST"
        --> Use SSPI instead of third-party GSSAPI?  --> "Kerberos"
        --> Use third-party GSSAPI (e.g. MIT)        --> fail (CVSPROTO_NOTME)
    "BEGIN SSPI REQUEST"                             --> "Negotiate"

If NT4.0 doesn't support negotiation then I will have to add another
check like this:
    "BEGIN SSPI REQUEST" & WinVer < Windows2000 --> "NTLM".

> It would perhaps be better to just change the sspi dll to
> automatically negotiate kerberos if it's available on both the client
> and server, and leave gserver to be MIT specific.

I came to a similar conclusion; that is why I switched over to work on
your SSPI code instead of modifying the gssapi_XXX code. However, I need
to support stock Linux CVS 1.11.1p1 clients using :gserver:, so
I need the :sspi: code to be able to handle "BEGIN GSSAPI REQUEST" at
least on the server side. Also, I would like this to work with Windows
clients that already support :gserver: in CVSROOT but don't (yet)
support :sspi:.

-Brian
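The dispatch sketched in the message, written out as an added example (this is not CVSNT code from the thread or the project). It takes the client's first protocol line and a small configuration struct and returns either the SSPI package name to request or CVSPROTO_NOTME, the one CVSNT identifier the message quotes. The config fields, the result enum value EXAMPLE_PROTO_HANDLED, and the function names are assumptions made for the example. The token comparison is bounded and requires a whole-line match, so a truncated or over-long request line is rejected rather than partially matched, and a trailing CRLF is tolerated.

```c
/* Added illustration, not CVSNT code: protocol-line dispatch for an
 * SSPI-backed authenticator, following the decision tree described in
 * the message.  CVSPROTO_NOTME is the CVSNT name quoted in the thread;
 * every other identifier here is made up for the example. */
#include <stdio.h>
#include <string.h>

typedef enum {
    CVSPROTO_NOTME = 0,      /* this authenticator does not handle the request */
    EXAMPLE_PROTO_HANDLED    /* hypothetical: an SSPI package name was chosen */
} example_proto_result;

/* Hypothetical configuration, normally fixed at build or start-up time. */
typedef struct {
    int sspi_for_gssapi;     /* 1: answer GSSAPI requests with SSPI Kerberos;
                                0: leave them to a third-party GSSAPI (e.g. MIT) */
    int negotiate_supported; /* 1: "Negotiate" SSP available (Windows 2000+);
                                0: NT 4.0, so NTLM only */
} example_sspi_config;

/* Whole-line, bounded comparison: the token must match exactly, with an
 * optional trailing CR/LF.  "BEGIN SSPI REQUESTX" or a cut-off line does
 * not match, so no prefix of a real request is mistaken for one. */
static int line_is(const char *line, size_t len, const char *token)
{
    size_t tlen = strlen(token);
    if (len > 0 && line[len - 1] == '\n') len--;
    if (len > 0 && line[len - 1] == '\r') len--;
    return len == tlen && memcmp(line, token, tlen) == 0;
}

/* Choose the SSPI package for the client's opening line.  On success
 * *package names the SSP to hand to AcquireCredentialsHandle; on
 * CVSPROTO_NOTME it is NULL and the caller tries the next protocol. */
example_proto_result example_choose_package(const char *line, size_t len,
                                            const example_sspi_config *cfg,
                                            const char **package)
{
    *package = NULL;
    if (line_is(line, len, "BEGIN GSSAPI REQUEST")) {
        if (!cfg->sspi_for_gssapi)
            return CVSPROTO_NOTME;      /* let the MIT GSSAPI code answer */
        *package = "Kerberos";
        return EXAMPLE_PROTO_HANDLED;
    }
    if (line_is(line, len, "BEGIN SSPI REQUEST")) {
        *package = cfg->negotiate_supported ? "Negotiate" : "NTLM";
        return EXAMPLE_PROTO_HANDLED;
    }
    return CVSPROTO_NOTME;              /* not ours (pserver, etc.) */
}

int main(void)
{
    /* Constructed sample request lines and two constructed host profiles. */
    const example_sspi_config nt4 = { 1, 0 }, win2k = { 1, 1 };
    const char *lines[] = { "BEGIN GSSAPI REQUEST", "BEGIN SSPI REQUEST",
                            "BEGIN AUTH REQUEST" };
    const char *pkg;
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        example_proto_result r;
        r = example_choose_package(lines[i], strlen(lines[i]), &nt4, &pkg);
        printf("NT4   %-20s -> %s\n", lines[i],
               r == CVSPROTO_NOTME ? "CVSPROTO_NOTME" : pkg);
        r = example_choose_package(lines[i], strlen(lines[i]), &win2k, &pkg);
        printf("Win2K %-20s -> %s\n", lines[i],
               r == CVSPROTO_NOTME ? "CVSPROTO_NOTME" : pkg);
    }
    return 0;
}
```

The NT 4.0 branch is the extra check the message says would be needed if that platform cannot negotiate: the same "BEGIN SSPI REQUEST" line yields "NTLM" there and "Negotiate" on Windows 2000, while a GSSAPI request is only claimed when the build has opted to serve it through SSPI.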

_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt
