
curl-library

RE: PATCH: Curl Sanity patch for spnego authentication

From: Kevin Swift <Kevin.Swift_at_kaspersky.com>
Date: Wed, 25 Sep 2013 11:07:44 +0000

Hi Markus,

> The spnego implementation with fbopenssl was only added to wrap/unwrap a gssapi token and make it a spnego token to work with MS servers.
> This wrapping/unwrapping is now contained in all the standard Kerberos libraries (Heimdal/MIT). It was not intended for NTLM.

Yes, I tried with Heimdal, and without fbopenssl, and Negotiate auth did negotiate down to NTLM correctly when Kerberos is not configured, and with some hacking curl did the full conversation. The server won't accept my credentials, but that could be any number of username/domain/password issues; the NTLM data looked ok. I'm not sure I need this now, but if I do I'll put together a possible patch.

I've seen a few requests, on the web, from people wanting to do NTLM via negotiate auth but I guess it's not common?

Thanks,

Kevin

-----Original Message-----
From: Kevin Swift
Sent: Tuesday, September 24, 2013 10:20 AM
Newsgroups: gmane.comp.web.curl.library
To: curl-library_at_cool.haxx.se ; huaraz_at_moeller.plus.com
Subject: Re: PATCH: Curl Sanity patch for spnego authentication

Date: Mon, 23 Sep 2013 19:44:18 +0100
From: "Markus Moeller" <huaraz_at_moeller.plus.com>
To: "libcurl development" <curl-library_at_cool.haxx.se>
Subject: Re: PATCH: Curl Sanity patch for spnego authentication
Message-ID: <00A875024B50435F9CD538537169318A_at_Ultrabook1>
Content-Type: text/plain; charset="iso-8859-1"

> I can only repeat that the spnego code has not been needed for more
> than 4 years, as the Kerberos libraries can now handle spnego tokens.
> Why are you still using it?
> Can you show me a case where it is needed?
>
> Markus

Hi,

I have been trying to get SPNEGO working with fallback to NTLM (rather than using Kerberos). Should this work out of the box? To do this I built curl with fbopenssl and have had to make a few changes to handle the 3-way protocol for NTLM and change the default gss mech to NTLM. Should I have started from a different base? For example, using the Heimdal library to handle everything and ignoring the fbopenssl SPNEGO code? BTW it's not yet working, so this is an experiment-in-progress. I'm also planning on trying the Heimdal library only today.

Apologies if the format of this message is incorrect; I've just subscribed and had to reply via the digest.

Thanks,

Kevin

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2013-09-25