curl-library

RE: feature window is now closed

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Sat, 16 Aug 2014 11:27:04 +0100

On Thu, 14 Aug 2014, Steve Holme wrote:

> You will have noticed that I have started to push my GSSAPI
> commits.

I have just pushed the last of my changes from my branch and included updates to documentation that I wrote last night.

> It seems that whilst the email protocols pretty much follow
> RFC4752 there are some suitable differences (probably due
> to ambiguity between RFC4752 and RFC2222?) - certainly with
> Exchange server anyway.

Anyone reviewing the code will note that Curl_sasl_create_gssapi_user_message() supports a mutual authentication flag - this is currently FALSE in each of the email protocols although setting it to TRUE does work ;-) TRUE should probably be the default but I would like to be able to override this from curl's command line but... reading the existing options and help from source code and documentation I have got myself a little confused and can't work out whether or not I can use --krb LEVEL at all.

I would appreciate it if someone could help me with the following:
 
a) Is this option used in the current krb5 (GSS-API) code that FTP/Socks5 uses or is it a krb4 only option?
b) If it is a krb4 only option shouldn't it be removed to avoid any confusion?
c) Are there any other options that control krb5 (either via our GSS-API implementation in FTP/socks5 or in the SSPI socks5 code) as I can't find any myself?

> Note: From my own testing I found that I had to specify
> the username with the Windows Domain name prefixed
> to it if the username was specified in -u, for example,
> "-u MY-DOMAIN\steve.holme"

I have added this to the documentation - if anyone else finds differently, then I would be interested to know and we can update the docs accordingly ;-)

> I also found that the SPN had to be a fully registered SPN,
> so if you have an alias for a mail server for example as I do:

I will probably add this to the documentation as well - for --url

> Finally, I would like to ask a favour of my fellow curl SSPI
> developers to review my next patch.

As I mentioned above all working code is now in... so if anyone fancies performing a review it would be appreciated, there's obviously quite a bit and my apologies for a last minute feature!

You will also have noticed that I pushed some bug fixes last weekend, as I scrutinised our existing SSPI code for help and inspiration whilst struggling with SASL GSSAPI.

In the process I also noticed that our socks5 SSPI implementation (socks_sspi.c) doesn't have the ability to use the user name and password as specified by --proxy-user and subsequently CURLOPT_PROXYUSERPWD / CURLOPT_PROXYUSERNAME.

Essentially it suffers the same bug / limitation that the SSPI Negotiate implementation did before commit f8a8ed73fe.

It will be quite an easy fix to do but I don't have the ability to test it here - unless someone has access to a Windows based socks 5 server I can borrow for testing?

Finally, a bit of a cheeky request - but does anyone fancy the challenge of implementing the SASL GSSAPI support for GSS-API (via Heimdal or MIT Kerberos) ;-)

Kind Regards

Steve

Received on 2014-08-16