
curl-library

Re: Re: [PATCH] docs: Update SPNEGO and GSS-API related doc sections

From: Michael Osipov <1983-01-06_at_gmx.net>
Date: Sun, 3 Aug 2014 23:02:21 +0200

> On Sun, Aug 03, 2014 at 08:53:55PM +0200, Michael Osipov wrote:
> > On 2014-08-03 at 11:27, Dan Fandrich wrote:
> > >On Sun, Aug 03, 2014 at 10:50:21AM +0200, Michael Osipov wrote:
> > >>On 2014-08-03 at 10:27, Dan Fandrich wrote:
> > >>>On Sat, Aug 02, 2014 at 02:18:29PM +0000, Michael Osipov wrote:
> > >>>>@@ -180,7 +180,8 @@ FOOTNOTES
> > >>>> *1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native
> > >>>> Windows), Secure Transport (native iOS/OS X) or qssl (native IBM i)
> > >>>> *2 = requires OpenLDAP
> > >>>>- *3 = requires a GSSAPI-compliant library, such as Heimdal or similar
> > >>>>+ *3 = requires a GSS-API implementation, such as Heimdal, MIT Kerberos or
> > >>>>+ SSPI (native Windows)
> > >>>> *4 = requires nghttp2 and possibly a recent TLS library
> > >>>> *5 = requires a krb4 library, such as the MIT one or similar
> > >>>> *6 = requires c-ares
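Review bot: The reworded *3 line lists SSPI together with Heimdal and MIT Kerberos as if any of the three satisfies the same requirement, but later in this thread it is noted that the FTP Kerberos code is disabled when SSPI is in use, so a feature marked *3 can still be unavailable on Windows. Consider keeping `*3 = requires a GSS-API implementation, such as Heimdal or MIT Kerberos` and adding a separate footnote for the features that also work with SSPI (native Windows), so each footnote states exactly one requirement.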
> > >>>
> > >>>Minor nit on this one: this implies that SSPI provides a GSS-API implementation.
> > >>>This might be slightly clearer:
> > >>>
> > >>>+ *3 = requires a GSS-API implementation such as Heimdal or MIT Kerberos, or
> > >>>+ SSPI (native Windows)
> > >>
> > >>In fact, SSPI is a proprietary GSS-API implementation but I do
> > >>understand what you are referring to. I have trouble phrasing this in
> > >>an unambiguous way.
>
> But if SSPI provides a GSS-API implementation, why doesn't ftp.c use it?
> If SSPI provides the same API as MIT/Heimdal, there would be no reason to
> avoid using it there. Where is my understanding going wrong?

Your understanding is correct, but you aren't aware of the details. SSPI serves
the same purpose as GSS-API but Microsoft did choose a completely different approach
in a non-compatible API/ABI when this emerged in Windows 2000. So you always need
two code paths and no one did that for FTP. THIS IS Microsoft.

> > >>Is this better: requires a GSS-API implementation (Unix-like OS) such
> > >>as Heimdal or MIT Kerberos, or SSPI (native Windows)
> > >>
> > >>In general, those who know that SPNEGO is, will know the difference
> > >>between GSS-API and SSPI, IMHO.
> > >>
> > >>How would you rephrase that?
> > >
> > >I'm no expert on these differences, but I note that the Kerberos code for
> > >FTP, IMAP, POP3, SMTP is disabled if SSPI is in use.
> >
> > Except FTP none of those SASL-aware protocols use any GSS mechanism in curl.
>
> Ah, I see it now. Those protocols detect a GSS-API request but there's no
> actual code to perform it.

Yes exactly, the server advertises all supported SASL mechs, e.g., LOGIN,
GSSAPI, EXTERNAL, and your SASL client is free to choose one of them.

> > >If SSPI truly provided
> > >a GSS-API implementation, then I would expect this GSS-API code to be enabled.
> > >As *3 seems to conflate GSS-API and SPNEGO requirements, perhaps it should be
> > >split into two line items in the spirit of clarified documentation.
> >
> > What about:
> >
> > *3 = requires a GSS-API implementation (Heimdal, MIT Kerberos) or
> > SSPI (native Windows)
>
> This still isn't accurate in the case of FTP, since FTP won't support Kerberos
> with SSPI.

You are right. I will introduce another footnote for FTP and Kerberos 5 support.
Is that acceptable?

Michael

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-08-03