
curl-library

Windows SSPI patch?

From: Christopher R. Palmer <crpalmer_at_vivisimo.com>
Date: Thu, 03 Mar 2005 07:21:05 -0500

Windows has a security interface defined in the Windows SDK that implements
protocols such as NTLM. For my own needs, I modified curl to use the SSPI
interface rather than the curl+SSL implementation of NTLM. This has one
very large advantage which is that there is a notion of "current logged in
user". I use this default user credential when the empty username is
requested for authentication. A secondary advantage is that you can build
NTLM support on Windows without OpenSSL. The final advantage (or not,
depending on how you see it), is that the NTLM implementation is guaranteed
to be correct, because Microsoft is the only one that actually knows their
own proprietary protocol.

Let me explain the main advantage. If I am logged into a Windows domain
and have access to download URL then:

curl --ntlm --user : URL

will correctly pass my NTLM credentials without requiring me to enter a
password. This is very important for scripts that are trying to play
nicely in a Windows SOAP environment.

Using Active Directory, you can configure certain machines to be the
network equivalent of superusers (when a user authenticates with them, the
server is then given a copy of their credentials that they can forward to
authenticate themselves with anything else).

Without Active Directory, IIS+Windows will allow a web script to pass the
credentials of a logged in user to local services. This means that you can
query local SOAP services (SharePoint, SQL Server, etc.) as the logged in
user without requiring that your script somehow be given their password.

As a caveat, this patch does require that a separate "Windows SDK" package
be installed to compile. If you are at all interested, I can send you my
current patch against 7.13.0 (and would be happy to spend a little time
cleaning up things that aren't very nice about it if you're interested in
integrating it).

Cheers,
Chris.

-- 
Christopher R. Palmer                     palmer_at_vivisimo.com
Chief Technology Officer                  www.vivisimo.com
Vivisimo, Inc.
Received on 2005-03-03