PATCH - improvement for Negotiate authentication
Karsten Künne
kuenne at rentec.com
Thu Sep 23 19:31:57 BST 2004
Hi,

the attached small patch enables the use of the SPNEGO mechanism with
Negotiate authentication, if the underlying GSSAPI/Kerberos5 implementation
provides it. This is important for interoperability with the Kerberos stuff
in MS IIS 5.0. The Apache mod_auth_kerberos module is smart enough to work
with either mechanism but apparently MS products are more picky (what a
surprise!). Please include this patch into CVS!

I set up Active Directory on my Windows 2000 laptop in order to test it and
Konqueror worked with it (yay!). But it requires a Heimdal-0.7pre (I tested
with heimdal-20040917) on the Linux side because only this K5 implementation
provides the SPNEGO mechanism; Heimdal-0.6.x and MIT K5 don't have it AFAICT
and fall back to the KRB5 mechanism which IIS can't deal with. The Apache
module works in either case.

Regarding HTTP authentication we should have all the bases covered now. A
couple things still remain. First, should the order in which kio_http tries
authentication methods be configurable? It's currently hardcoded with "NTLM"
trumps "Negotiate" which is preferred over "Digest" which is preferred over
"Basic". But bothering the user with that stuff might not be a good idea on
the other hand because most users probably don't know what this is all about
and the current order works well in almost all cases.

Another small thing is that in the case of the SPNEGO mechanism the server
sends a "WWW-Authenticate: Negotiate somebase64encodedstuff" together with
the 200 response which we currently ignore. I don't know what to do with it
as the response 200 indicates that everything is fine. I can feed it into
gss_init_sec_context but what should happen if the output from that is "not
o.k."? Bothering the user with some popup message? I don't know. I'll try to
find out what that stuff is but for now it'll just be ignored.

Karsten.
--
Acid -- better living through chemistry.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spnegomech.patch
Type: text/x-diff
Size: 1351 bytes
Desc: not available
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20040923/c22c8c3c/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20040923/c22c8c3c/attachment.sig>
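
An added example, not part of the original message and not kio_http code: one way a client could handle the "WWW-Authenticate: Negotiate ..." header that arrives with a 200 response, by decoding the token and handing it to a verification step instead of dropping it. `onOk`, `Verdict`, `b64decode` and the `verify` callback are hypothetical names; `verify` stands in for a call to gss_init_sec_context, and what the client does on `VerifyFailed` is left to the caller.

```cpp
#include <algorithm>
#include <cctype>
#include <functional>
#include <optional>
#include <string>
#include <vector>

using Bytes = std::vector<unsigned char>;
enum class Verdict { NoToken, Verified, VerifyFailed, Malformed };

// Strict base64 decode; nullopt on malformed input (bad length, alphabet, padding).
std::optional<Bytes> b64decode(const std::string& in) {
    static const std::string tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (in.empty() || in.size() % 4 != 0) return std::nullopt;
    Bytes out;
    for (size_t i = 0; i < in.size(); i += 4) {
        unsigned v = 0, pad = 0;
        for (size_t j = 0; j < 4; ++j) {
            size_t p = tbl.find(in[i + j]);
            if (in[i + j] == '=' && i + 4 == in.size() && j >= 2) { ++pad; p = 0; }
            else if (p == std::string::npos || pad) return std::nullopt;
            v = (v << 6) | static_cast<unsigned>(p);
        }
        out.push_back(static_cast<unsigned char>(v >> 16));
        if (pad < 2) out.push_back(static_cast<unsigned char>(v >> 8));
        if (pad < 1) out.push_back(static_cast<unsigned char>(v));
    }
    return out;
}

// Classify the WWW-Authenticate values of a 200 response. `verify` is a
// hypothetical stand-in for gss_init_sec_context reporting a completed context.
Verdict onOk(const std::vector<std::string>& wwwAuth,
             const std::function<bool(const Bytes&)>& verify) {
    for (const auto& v : wwwAuth) {
        auto sp = v.find(' ');
        std::string scheme = v.substr(0, sp);
        std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        if (scheme != "negotiate" || sp == std::string::npos) continue;
        auto tok = b64decode(v.substr(sp + 1));
        if (!tok) return Verdict::Malformed;
        return verify(*tok) ? Verdict::Verified : Verdict::VerifyFailed;
    }
    return Verdict::NoToken;  // server sent no Negotiate token with the 200
}
```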